
Modeling software component security policies

Posted on: 2008-10-20
Degree: Ph.D
Type: Dissertation
University: The University of Tulsa
Candidate: Kelkar, Manasi A
Full Text: PDF
GTID: 1448390005479671
Subject: Computer Science
Abstract/Summary:
As system of systems (SoS) software development becomes commonplace, the complexity of certifying system security rises. Certification processes generally perform post-implementation testing. For SoS implementations, testing efforts cannot be magnified sufficiently to address certification concerns when independent component systems are integrated, distributed, and may evolve dynamically. Thus, it is essential to push security certification toward a design perspective, where noncompliance with security requirements is manifested as conflicts among policy models of interacting components. The main challenge is creating a uniform model of software component security policies that exposes properties most likely to be incompatible across SoS interactions. Security policies are expressed in various formats and levels of granularity. Certification criteria are often text-based checklists. Thus, they lack a common representation. To address the modeling needs, we define a framework for expressing a Security Certification Model (SCM). It starts with the Component Policy Profile (CPP), a UML profile that separates relevant policy information across eight distinct concerns, called Descriptors. The profile is targeted toward software components in a SoS architecture, each of which has local security policies. We instantiate the profile for multiple security policies to individual SCMs, exploiting specific terminology from policy statements and certification requirements. We illustrate how the SCM framework can be used to determine SoS non-compliance with predefined certification criteria with the help of three distinct examples. To illustrate the tool usage of the SCM framework, the CPP is modeled using the Enterprise Architect tool, and the example SCMs are developed with the help of CPP instantiation.
Keywords/Search Tags: Security, Software, Certification, Component, SCM, SoS