
A policy-based framework for engineering security, privacy, and trustworthiness requirements

Posted on: 2012-05-22
Degree: Ph.D
Type: Thesis
University: The University of Texas at Dallas
Candidate: Oladimeji, Ebenezer Akin
Full Text: PDF
GTID: 2468390011958779
Subject: Computer Science
Abstract/Summary:
Security, privacy, and trustworthiness are among the most important quality attributes of software-based systems and largely determine their overall success. The mechanisms that implement these requirements often rely on low-level rules to constrain runtime behavior. Ideally, these low-level rules should derive from enterprise-level constraints imposed by corporate policies, industry standards, best practices, laws, and regulations. Alternatively, they can derive from real threats to the system. Quite often, however, implemented rules (or mechanisms) can be systematically traced neither to the enterprise-level constraints that necessitate them nor to the real threats and vulnerabilities they are intended to mitigate. As a result, low-level rules are often implemented in an ad hoc manner, which leaves room for potential policy errors such as conflicts and inconsistencies. Moreover, there is a lack of established techniques or tools for ensuring this kind of traceability. In this thesis, we present SePTRA, a policy-based framework for eliciting, specifying, and analyzing security, privacy, and trustworthiness requirements for software-based systems. Specifically, the framework enables the construction of a strategic policy configuration from goal, threat, and other domain models of a given software system, in a manner that is both traceable and consistency-preserving. This configuration consists of a domain description and a collection of strategic, tactical, and operational policies. The framework also defines a taxonomy of policy errors, and a process for systematically refining abstract policies into more formal models that in turn enable the prevention and detection of these errors. A further benefit is that the visual artifacts produced while using the framework can be used to communicate about security, privacy, and trustworthiness among analysts and developers during the early phases of software development.
A prototype tool has been developed to support the framework and demonstrate the feasibility of the approach. The tool enforces traceability and consistency constraints that enable the prevention of some classes of policy errors in a given policy configuration. The utility of the approach is also illustrated by applying it in three experimental studies drawn from different application domains.
Keywords/Search Tags: Privacy, Trustworthiness, Security, Framework, Policy