Università degli Studi di
Trento
How to
capture, model, and verify
the knowledge of legal, security, and privacy experts:
a pattern-based approach
L. Compagna, P. El Khoury
F. Massacci, N. Zannone
R. Thomas
Security Research
SAP
Dept. Informatics and TLC
Univ of Trento
Dept. of Law
Univ. of Leuven
www.massacci.org
www.tropos-project.org
www.serenity-project.org
Università degli Studi di
Trento
Outline
• What is the Problem?
– Address Regulatory Compliance Demands
– Organizational Patterns
• Which is the Solution?
– Graphical requirements Engineer Methodology
• Smart Items For Health Care
– An Example of a Pattern
• Conclusion & Future Work
Università degli Studi di
Trento
What’s the Problem?
• Emerging trends in Security Enginering
– Security solutions can longer be best effort
– Must show verifiable evidence with ….
• Regulatory Compliance
– SOX/Basel II/EU Privacy Directive
• Industry Compliance
– ISO 17799, ITIL Security Management..
• Usage of SOA Mandatory
– WS-Security, WS-Trust, WS-Federations
• Audit/Certification
– CC formal models, verification of the model
Università degli Studi di
Trento
What’s the Solution?
• Security & Privacy Patterns for Organisation
– Security patterns are security best practices presented in
template format
– Validated by Experts
– Patterns can provide implementations
• From rule of procedures to running code
• Concept widely used in Software Patterns
– Large repositories are available
– Model-Based Transformatioon available for different
languages
Università degli Studi di
Trento
So what is the problem?
Ask a toad what beauty is, the to kalon? He
will answer you that it is his toad wife with
two great round eyes issuing from her little
head, a wide, flat mouth, a yellow belly, a
brown back. . . . Interrogate the devil; he will
tell you that beauty is a pair of horns, four
claws and a tail.
Voltaire, Philosophical Dictionary (1764)
Università degli Studi di
Trento
To Design a Security Pattern
• Ask a lawyer
17(4)1 For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection
and the requirements relating to the measures referred to in paragraph 17(1) shall be in writing or in
another equivalent form.
• Ask a computer engineer
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>
FLuQTa/LqDIZ5F2JSaMRHSRuaiQ=
</DigestValue>
</SignedInfo>
• Ask a formal methods expert
Fail_NonRepudiation(A,B,S) :- del_exec(A,B,S), not entrust_exec(A,B,S)
entrust_exec (A,B,S) :- trust(A,B,S).
entrust_exec (A,B,S) :- prove_fulfillment(A, B, S, TP)
prove_fulfillment(A, B,S, TP) :- provides(B, PoF), proof_of_fulfillment(PoF, S),
entrust_exec(TP, B, PoF), entrust_exec(A, TP, PoF)
Università degli Studi di
Trento
Lingua Franca…
• Software Patterns work because they essentially are
by toads only
– The difference between C++, Java, C#, Eiffel, Perl, Python
etc is negligible compared to the ones just made
• Security Patterns needs integration of different
“languages”
• Idea: a picture is worth a thousand words
– Provided you are able to get the picture from the words and
the words back from the picture
Università degli Studi di
Trento
Bob feels
giddy
Smart Items For Health Care
smart e-health
T-shirt terminal
ERC
MERC
Faintness alert
(1)
Request for
medicine
delivery (4)
Send e-prescription (3)
Deliver the
medicine
(7)
Request
(2)
Steps:
2. Bob feels giddy and sends via his e-health
terminal a request for assistance to MERC.
3. MERC receives the request and, since Bob’s
doctor is in vacation, redirects it to Charlie.
4. Charlie analyses Bob’s medical data and
history and sends to Bob an e-prescription.
Request
(5)
Charlie’s ehealth
terminal
5. Bob requests MERC for a medicine delivery.
6. MERC selects Alison to execute this task,
sends a message to her to which she
promptly acknowledge receiving then back
the data for accomplishing this activity.
7. Alison goes to the pharmacy and after a
successful credentials exchange, she gets
the medicine from the pharmacist.
Pharmacist's
computer
Get
medicine
(6)
Alison
e-health
terminal
8. Alison delivers the medicine to Bob.
Notes: this
Charlie
Bob
as
the
the
credentials
request
last
feels
others
retrieves
step
weak
would
involves
Alison
exchange
and
Bob’s
have
instead
isan
equipped
medical
been
exchange
iswith
between
ofsent
driving
data
with
toofand
Bob’s
Alison’s
an
to
electronic
e-health
the
history
doctor,
pharmacy
e-health
credential
by
terminal
but
using
terminal
he
to get
his
is
that
between
ine-health
the
she
vacation
and
medicine,
uses
the
Bob
terminal
pharmacist’s
and
to
and
communicate
he
thus
Alison.
prefers
to e-health
aquery
doctor
Their
computer.
toERC.
be
with
discovery
e-health
supported
the
The
Besides
others
eThis
request
is
completed
Bob’s
medical
data
automatically
retrieved
by
his
terminal
by
prescription
by
health
the
terminals
process
the
validity
ERC
actors.
of
for
isused
the
In
sent
this
the
e-prescription,
from
task.
data
In
this
the
Charlie’s
she
purpose.
group
receives
Alison
of
e-health
doctors
from
authorization
terminal
ERC
able to
there’ll
to
substitute
toBob’s
get
be,the
e-health
properly
Bob’s
medicine
doctor,
terminal.
protected,
in behalf
Charlie
the
ofe-prescription
isBob
theneeds
first totoanswer.
done
be checked.
for
means
ofisare
aactivated.
query
toat
his
smart
T-shirt
Bob.
Università degli Studi di
Trento
Goal-Based Req. Engineering
• Graphical Requirement Language SI*
– Agents, Roles, Relations among them
– Execution, Delegation of Permissions
• Legal text
– (semi) automatic extraction of graphical model from Natural Language
description
• Logical Formulae
– Experts provide general axioms and property descriptions
– Instances added automatically from graphical model
• Executable Business Process
– (Semi) automatic BPEL generation from graphical model
Università degli Studi di
Trento
Pattern Design and Validation
Semantics Template
Lawyer describes
patterns
NL2SI* transformation
Security Engineer
Modifies Patterns
Graphical SI* Model
Graphical
CAiSE Tool
Formal Logic
Automated
Reasoning Tool
Axioms and Rules
Software Engineer
Refine Patterns
BPEL Editing Tool
BPEL Skeleton
SI* Interpretation
of Logical Result
Università degli Studi di
Trento
Non repudiation requirement presented in SI*
The Employer (MERC) shall have evidence that the
Executor (Alison) cannot repudiate her commitment.
MERC
Request
Delivery of
medicine
to Bob
Alison
e-health
terminal
Università degli Studi di
Trento
What is an organizative security pattern?
Security Requirements
NOT fulfilled
Initial organizational structure
• Agents
• Resources
• Tasks
• Relations: delegation, trust…
Fulfilled
Security
Pattern
Revised organizational structure
• Add/Remove Agents
• Add/Remove Resources
• Add/Remove Tasks
• Add/Remove Relations
Context
Solution
SI* MODELS
12
Università degli Studi di
Trento
Non repudiation pattern
[Context and Requirement]
Non repudiation pattern
[Context, Requirement and Solution]
Context: The Employer requests the
achievement of a commitment and
delegates its execution to the
Executor.
Requirement: the former has no
warranties that the latter takes the
responsibility of achieving the
commitment
Solution: The Employer refines the commitment into two sub parts.
3. Check the evidence about
responsibilities taken by the Executor.
4. Represents the actual desire of fulfilling
the commitment.
Università degli Studi di
Trento
Conclusion & Future Work
• System designers are usually neither security nor
legal experts
– Graphical RE notation useful common ground
• Idea: a picture is worth a thousand words
– Provided you are able to get the picture from the words and
the words back from the picture
• Future Work
– Improving model construction from NL
– Reasoning capability only detect failed properties, should
also suggest what is missing to satusfy them
– Apply to other domains
• Ack
– Supported by the EU through the EU-IST-IP SERENITY