Volume 5 - Issue 1
Supporting Common Criteria Security Analysis with Problem Frames
- Kristian Beckers
paluno University of Duisburg-Essen, Germany
kristian.beckers@uni-due.de
- Maritta Heisel
paluno University of Duisburg-Essen, Germany
maritta.heisel@uni-due.de
- Denis Hatebur
Institute for Technical Systems GmbH, Germany
d.hatebur@itesys.de
Keywords: common criteria, problem frames, security standards, document generation, security requirements engineering
Abstract
Security standards, e.g., the Common Criteria (ISO 15408), are applied by software vendors
to establish a level of confidence that the security functionality of their products and their
applied assurance measures are sufficient. To get a Common Criteria certification, a comprehensible
set of documents is necessary, including a detailed threat analysis and security
objective elicitation. We focus on improving the Common Criteria threat analysis and the
derivation of security objectives in our work.
Our method is based upon an attacker model, which considers different attacker types,
e.g., software attackers, that threaten only specific parts of a system. We provide tool support
for checking the consistency and the completeness of the specified software systems
using OCL expressions. For example, we check if all types of attackers have been considered
for a specific domain, we check for all software domains that either a software attacker is
considered or an assumption is documented that excludes software attackers, and we check
if all threats are addressed by security objectives. Moreover, we can generate tables and
texts from our UML models to satisfy the Common Criteria documentation demands. For
instance, we can generate a Common Criteria-specific cross-table that maps every security
objective and assumption to a specific threat. The consistency checks are integrated in our
structured method for threat analysis that considers the Common Criteria’s (CC) demands
for documentation of the system in its environment and the reasoning that all threats are
discovered and addressed. With our support tool UML4PF (which extends a UML tool and
contains, e.g., a UML profile and an OCL validator), we support security reasoning and validation
of models, and we are able to generate Common Criteria-compliant documentation
using model-to-text transformations. Our threat analysis method can also be used for threat
analysis without the Common Criteria, because it uses a specific part of the UML profile that
can be adapted to other demands with little effort. For example, it could be adapted for
other security standards like ISO 27001. We illustrate our approach with the development
of a smart metering gateway system.
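The three consistency checks named in the abstract (all attacker types considered per domain; every software domain either has a software attacker or an assumption excluding one; every threat addressed by a security objective) and the cross-table generation can be illustrated on a plain data model. The following is an added example, not UML4PF code and not the paper's OCL: it re-expresses the checks in Python over a constructed model, and the attacker taxonomy, domain kinds and smart-metering-gateway sample data are assumptions made for illustration.

```python
"""Consistency checks and cross-table over a small threat-analysis model.

Added example in the spirit of the OCL checks the abstract describes; not
UML4PF code. Data model, attacker taxonomy and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed attacker taxonomy; the paper's own list of attacker types may differ.
ATTACKER_TYPES: Set[str] = {"physical", "network", "software"}


@dataclass(frozen=True)
class Domain:
    name: str
    kind: str                      # assumed domain kinds: "software", "network", ...


@dataclass(frozen=True)
class Attacker:
    name: str
    attacker_type: str             # one of ATTACKER_TYPES
    targets: FrozenSet[str]        # domains this attacker can threaten


@dataclass(frozen=True)
class Threat:
    name: str
    attacker: str                  # attacker realizing the threat
    domain: str                    # domain under threat


@dataclass(frozen=True)
class Assumption:
    name: str
    domain: str
    excludes_attacker_type: Optional[str] = None   # attacker type ruled out for the domain
    counters: FrozenSet[str] = frozenset()         # threats covered by the assumption


@dataclass(frozen=True)
class Objective:
    name: str
    counters: FrozenSet[str]       # threats addressed by this security objective


@dataclass
class Model:
    domains: List[Domain]
    attackers: List[Attacker]
    threats: List[Threat]
    assumptions: List[Assumption]
    objectives: List[Objective]


def considered_types(model: Model, domain: str) -> Set[str]:
    """Attacker types for which some attacker targets the domain."""
    return {a.attacker_type for a in model.attackers if domain in a.targets}


def excluded_types(model: Model, domain: str) -> Set[str]:
    """Attacker types an assumption explicitly rules out for the domain."""
    return {s.excludes_attacker_type for s in model.assumptions
            if s.domain == domain and s.excludes_attacker_type}


def check_all_attacker_types(model: Model) -> Dict[str, Set[str]]:
    """Check 1: per domain, every attacker type is considered or excluded.
    Returns {domain: attacker types neither considered nor excluded}."""
    gaps = {}
    for d in model.domains:
        missing = ATTACKER_TYPES - considered_types(model, d.name) - excluded_types(model, d.name)
        if missing:
            gaps[d.name] = missing
    return gaps


def check_software_domains(model: Model) -> List[str]:
    """Check 2: software domains need a software attacker or an excluding assumption."""
    return [d.name for d in model.domains if d.kind == "software"
            and "software" not in considered_types(model, d.name)
            and "software" not in excluded_types(model, d.name)]


def check_threats_addressed(model: Model) -> List[str]:
    """Check 3: every threat is countered by an objective or an assumption."""
    covered: Set[str] = set()
    for item in list(model.objectives) + list(model.assumptions):
        covered |= item.counters
    return [t.name for t in model.threats if t.name not in covered]


def cross_table(model: Model) -> Dict[str, Dict[str, bool]]:
    """Cross-table: one row per objective and assumption, one column per threat."""
    threats = [t.name for t in model.threats]
    rows = [(o.name, o.counters) for o in model.objectives] + \
           [(s.name, s.counters) for s in model.assumptions]
    return {name: {t: t in counters for t in threats} for name, counters in rows}


def render_cross_table(model: Model) -> str:
    """Plain-text rendering of the cross-table (a simple model-to-text step)."""
    table, threats = cross_table(model), [t.name for t in model.threats]
    width = max(len(n) for n in table)
    lines = [" " * width + " | " + " | ".join(threats)]
    for name, row in table.items():
        cells = ["X".center(len(t)) if row[t] else " " * len(t) for t in threats]
        lines.append(name.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample: a smart metering gateway with an incomplete analysis (not the paper's data).
SAMPLE = Model(
    domains=[Domain("Gateway", "software"), Domain("MeterFirmware", "software"), Domain("WAN", "network")],
    attackers=[Attacker("NetAttacker", "network", frozenset({"WAN", "Gateway"})),
               Attacker("SwAttacker", "software", frozenset({"Gateway"})),
               Attacker("PhysAttacker", "physical", frozenset({"MeterFirmware"}))],
    threats=[Threat("T.Eavesdrop", "NetAttacker", "WAN"), Threat("T.Malware", "SwAttacker", "Gateway"),
             Threat("T.FirmwareExtract", "PhysAttacker", "MeterFirmware")],
    assumptions=[Assumption("A.PhysGateway", "Gateway", excludes_attacker_type="physical")],
    objectives=[Objective("O.Crypto", frozenset({"T.Eavesdrop"})), Objective("O.Integrity", frozenset({"T.Malware"}))],
)

if __name__ == "__main__":
    print("Check 1 gaps:", check_all_attacker_types(SAMPLE))
    print("Check 2 software domains unaddressed:", check_software_domains(SAMPLE))
    print("Check 3 threats without objective:", check_threats_addressed(SAMPLE))
    print(render_cross_table(SAMPLE))
```

On the sample, check 1 flags MeterFirmware (no network or software attacker) and WAN (no physical or software attacker), check 2 flags MeterFirmware as a software domain without a software attacker or excluding assumption, and check 3 flags T.FirmwareExtract as a threat no objective counters; the Gateway passes because the physical attacker is explicitly excluded by A.PhysGateway, which is the role documented assumptions play in the paper's checks.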