
Requirements Documentation Based Security Contract Elicitation And Its Implementation

Posted on: 2012-03-03 | Degree: Master | Type: Thesis
Country: China | Candidate: X Liu | Full Text: PDF
GTID: 2178330335451070 | Subject: Computer software and theory
Abstract/Summary:
Active defense in software security has attracted growing attention in recent years. It runs through the whole software development lifecycle and can address the security problems of a software system at their root. The idea is as follows: when the software requirements are analyzed, the security threats facing the system can already be analyzed and identified, and security requirements are then defined to cope with these threats. These security requirements can be viewed as security contracts that guide the subsequent software architecture design, so they become an essential part of the design activities and can also be used for security assurance in the implementation and testing phases.

Eliciting security requirements is one of the major and most difficult tasks in security assurance. There is a gap between a textual requirements description and the security contracts derived from it. The problems are:
1) It is hard to obtain the security problems and security requirements of the software directly from the requirements.
2) It is usually hard to predict the security problems of a software system, and it is not easy for software analysts to find security flaws quickly and effectively.
3) When security requirements are defined to solve a security problem, it is difficult to show that they actually do solve it.
4) It is unclear how to define security contracts accurately and rigorously.

To deal with all of the problems mentioned above, this thesis does the following work:

1. An action-concern-based requirements modeling method is proposed. It analyzes and models the requirements from the functional aspects of the software system and produces a number of distinct concerns, each representing an individual functional aspect; security requirements can then be acquired from these action concerns. The method proceeds in the following steps:
① A combined top-down and bottom-up method is used to elicit action behaviors from the requirements document; the elicited action behaviors should represent the functionality of the software.
② Action concerns are built by classifying and combining action behaviors; each concern should represent an individual functional aspect of the software.
③ The CSP language is used to model the action concerns.

2. Using the security knowledge database of the ECMA, a security requirements elicitation method is given that is based on the idea of using the Common Criteria to acquire security requirements. This method acquires threats, security objectives and security requirements from an action concern automatically. To elicit threats automatically from the operation flow of an action concern, this thesis introduces the concept of a four-tuple of security properties, in terms of which a security problem can be considered, and on this basis studies threat pattern rules. Once a four-tuple of security properties has been defined, threats can be acquired automatically by the threat pattern rules; security objectives and security requirements are then elicited from the ECMA security knowledge database. The threats, security objectives and security requirements defined in the database follow the international Common Criteria, which suggests that the security requirements elicited by this method are valid. However, many invalid security requirements may also be produced that do not solve the real security problems of the software, so this thesis gives elaboration methods for threats, security objectives and security requirements respectively, so that the proposed security contract elicitation method satisfies the security needs of the software system as far as possible.

3. Threats that are tangled and scattered across concerns are also considered. Drawing on the ideas of aspect-oriented requirements engineering, a Petri-net-based method is proposed that can define security contracts accurately and rigorously.

The above work makes it possible to elicit security contracts from requirements documents. A case study applies the method to an on-line business software system: first the action concerns were built, then the threat elicitation process was carried out and the security requirements found automatically in the database were listed, and finally a security contract for the concrete situation was generated. This indicates that the method is effective and feasible. A prototype tool supporting the method has been developed in C#; its main functions are automatically identifying action concerns, automatically acquiring threats, searching for security requirements, building security contracts, and so on. The tool can quickly and effectively generate security contracts from requirements.
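The following is an added illustration of the elicitation pipeline sketched in items 2 and 3 above (security-property tuple, threat pattern rules, knowledge-base lookup of objectives and requirements, elaboration, and merging of threats scattered across concerns). It is not the thesis's tool or its data: the abstract does not define the four-tuple, the rules or the database contents, so the tuple layout `(subject, operation, asset, property)`, the four pattern rules, the `T.*`/`O.*` names and the choice of Common Criteria Part 2 components in the small knowledge base, the `Action` attributes, and the on-line shop sample inputs are all assumptions made here for illustration.

```python
"""Illustrative threat-pattern elicitation over security-property tuples.

Added example, not the thesis's code. The tuple layout, the rules, the
knowledge-base entries and the sample actions are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProperty:
    """Assumed four-tuple layout (the abstract does not define it)."""
    subject: str
    operation: str
    asset: str
    prop: str  # "confidentiality" | "integrity" | "accountability"


@dataclass(frozen=True)
class Action:
    """One step of an action concern's operation flow (assumed attributes)."""
    name: str
    subject: str
    operation: str          # e.g. "send", "store", "read", "submit"
    asset: str
    channel: str = "internal"   # "internal" | "network"
    authenticated: bool = True  # is the subject authenticated at this step?
    audited: bool = False       # is the step recorded in an audit trail?


@dataclass(frozen=True)
class Threat:
    ident: str
    asset: str
    source: str  # the action that triggered the pattern


def _matches(act: Action, sp: SecurityProperty) -> bool:
    """A rule only fires where the step touches the tuple's asset and operation."""
    return act.asset == sp.asset and act.operation == sp.operation


# Hypothetical threat pattern rules: (action, tuple) -> Threat or None.
def rule_disclosure(act, sp):
    if _matches(act, sp) and sp.prop == "confidentiality" and act.channel == "network":
        return Threat("T.DISCLOSURE", act.asset, act.name)
    return None


def rule_tamper(act, sp):
    if _matches(act, sp) and sp.prop == "integrity" and act.channel == "network":
        return Threat("T.TAMPER", act.asset, act.name)
    return None


def rule_spoof(act, sp):
    if _matches(act, sp) and not act.authenticated:
        return Threat("T.SPOOF", act.asset, act.name)
    return None


def rule_repudiate(act, sp):
    if _matches(act, sp) and sp.prop == "accountability" and not act.audited:
        return Threat("T.REPUDIATE", act.asset, act.name)
    return None


THREAT_PATTERN_RULES = [rule_disclosure, rule_tamper, rule_spoof, rule_repudiate]

# Toy knowledge base (assumed): threat -> (security objective, CC Part 2 components).
KNOWLEDGE_BASE = {
    "T.DISCLOSURE": ("O.CONFIDENTIAL_TRANSFER", ["FTP_ITC.1", "FDP_UCT.1", "FCS_COP.1"]),
    "T.TAMPER": ("O.INTEGRITY_TRANSFER", ["FDP_UIT.1", "FCS_COP.1"]),
    "T.SPOOF": ("O.AUTHENTICATE", ["FIA_UID.2", "FIA_UAU.2"]),
    "T.REPUDIATE": ("O.AUDIT", ["FAU_GEN.1", "FAU_GEN.2"]),
}


def elicit_threats(concern, properties):
    """Run every pattern rule over every (step, tuple) pair; keep distinct hits."""
    found = []
    for act in concern:
        for sp in properties:
            for rule in THREAT_PATTERN_RULES:
                t = rule(act, sp)
                if t is not None and t not in found:
                    found.append(t)
    return found


def build_contract(concerns, properties, baseline=frozenset()):
    """Merge threats scattered across concerns into one contract.

    Elaboration step (assumed policy): drop components already mandated by
    the baseline so the contract only lists requirements that add something.
    """
    contract = {}
    for cname, concern in concerns.items():
        for t in elicit_threats(concern, properties):
            objective, components = KNOWLEDGE_BASE[t.ident]
            entry = contract.setdefault(
                t.ident, {"objective": objective, "requirements": [], "concerns": []})
            for c in components:
                if c not in baseline and c not in entry["requirements"]:
                    entry["requirements"].append(c)
            if cname not in entry["concerns"]:
                entry["concerns"].append(cname)
    return contract


# Constructed sample input: two action concerns of an on-line shop.
CONCERNS = {
    "Checkout": [
        Action("SubmitOrder", "customer", "send", "order", channel="network"),
        Action("PayOrder", "customer", "send", "card_number", channel="network"),
    ],
    "AccountLogin": [
        Action("Login", "visitor", "submit", "credentials",
               channel="network", authenticated=False),
    ],
}
PROPERTIES = [
    SecurityProperty("customer", "send", "card_number", "confidentiality"),
    SecurityProperty("customer", "send", "order", "integrity"),
    SecurityProperty("customer", "send", "order", "accountability"),
    SecurityProperty("visitor", "submit", "credentials", "confidentiality"),
]
BASELINE = frozenset({"FCS_COP.1"})  # assumed: crypto operation already required

if __name__ == "__main__":
    for ident, entry in build_contract(CONCERNS, PROPERTIES, BASELINE).items():
        print(ident, entry)
```

Running the block yields four threats; `T.DISCLOSURE` is raised by both concerns and appears once in the contract with the concerns that share it, and `FCS_COP.1` is pruned everywhere because the baseline already mandates it. The real method replaces these ad hoc rules with the thesis's threat pattern rules and the hand-written dictionary with the ECMA database, and defines the contract itself with a Petri net rather than a plain mapping.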
Keywords/Search Tags: Software security, Active defense, Threat, Security requirements, Security contract, Petri net