Moving from Requirements to Design Confronting Security Issues
Requirements case study
The requirements used as input to the tools should be in use/misuse case format.
In the case study that we have examined the requirements used as input were the following:
UC1-1. User enters login name and password to the System.
UC1-2. User logs in to the System.
UC2-1. User views the product catalog.
UC2-2. User selects the product from the product catalog.
UC2-3. System shows product details to the User.
UC3-1. User selects products from the product catalog and specifies product quantities.
UC3-2. The System adds the selected products to shopping line items.
UC3-3. The System adds the shopping line items to the shopping cart.
UC3-4. User enters personal information.
UC3-5. System produces an order line item for the new order.
UC3-6. System shows order information to the User.
UC3-4a User personal information is invalid.
UC3-4a1 System asks the User to reenter personal information.
UC4-1. User enters product name, product details and product price to the System.
UC4-2. The System adds new product to the product catalog.
UC4-1a Product price is not a number.
UC4-1a1 System asks the User to reenter product name, product details and product price.
UC5-1. User selects product from product catalog.
UC5-2. System removes the selected product from product catalog.
UC6-1. User enters login name.
UC6-2. System forms order SQLstatement for the given login name.
UC6-3. System executes order SQLstatement.
UC6-1a User name does not exist.
UC6-1a1 System asks the User to reenter login name.
UC7-1. User logs out.
MUC1-1. The attacker obtains access to the System host computer.
MUC1-2. The attacker eavesdrops sent messages to the System.
MUC1-3. The attacker analyzes messages possibly containing sensitive data.
MUC1-4. The attacker collects sensitive data.
MUC1-5. The attacker uses sensitive data.
MUC1-6. The attacker obtains illegal rights to the System.
MUC2-1. The attacker exploits poor or non-existing authentication mechanism.
MUC2-2. The attacker obtains illegal access to the System.
MUC3-1. The attacker obtains access to the logs.
MUC3-2. The attacker modifies the logs.
MUC4-1. The attacker identifies a database related input field.
MUC4-2. The attacker forces the System to create a malicious SQLStatement.
MUC4-3. The attacker modifies the database.
MUC5-1. The attacker identifies an input field shown in another form.
MUC5-2. The attacker enters malicious script code to the input field.
MUC5-3. The System executes the malicious script code.
MUC6-1. The attacker identifies a redirection link with user defined input parameters.
MUC6-2. The attacker chooses input parameters properly.
MUC6-3. The attacker modifies the HTTP headers.
The above requirements can also be downloaded as a text file.
(Tabs should be included between use/misuse case step IDs and the corresponding sentences.)
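Because every later step of the pipeline consumes this tab-separated file, it is worth validating it before running the parsers. The following checker is an added example, not part of the tools described on this page; it assumes the step-id conventions visible in the list above (UC/MUC prefix, case number, step number, optional alternative-flow letter and sub-step number) and uses a constructed sample drawn from those requirements.

```python
import re

# Step id grammar as used on this page: UC3-4 is a main-flow step, UC3-4a an alternative
# flow branching from step 4, UC3-4a1 a step inside that flow; the MUC prefix marks a misuse case.
STEP_ID = re.compile(r"^(?P<kind>M?UC)(?P<case>\d+)-(?P<step>\d+)(?P<alt>[a-z])?(?P<altstep>\d+)?\.?$")

def parse_step(line):
    """Parse one 'ID<TAB>sentence' line; raise ValueError if it is malformed."""
    if "\t" not in line:
        raise ValueError(f"missing tab between step id and sentence: {line!r}")
    step_id, sentence = line.split("\t", 1)
    m = STEP_ID.match(step_id.strip())
    if not m or not sentence.strip():
        raise ValueError(f"malformed step: {line!r}")
    return {"misuse": m["kind"] == "MUC", "case": int(m["case"]), "step": int(m["step"]),
            "alt": m["alt"],  # None on the main flow
            "altstep": int(m["altstep"]) if m["altstep"] else None,
            "sentence": sentence.strip()}

def parse_cases(text):
    """Group steps by (kind, case number); reject duplicate ids, gaps in the
    main flow, and alternative flows that branch from a step that does not exist."""
    cases, seen = {}, set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        s = parse_step(raw)
        key = ("MUC" if s["misuse"] else "UC", s["case"])
        ident = (key, s["step"], s["alt"], s["altstep"])
        if ident in seen:
            raise ValueError(f"duplicate step id {ident}")
        seen.add(ident)
        cases.setdefault(key, []).append(s)
    for (kind, num), steps in cases.items():
        main = sorted(s["step"] for s in steps if s["alt"] is None)
        if main != list(range(1, len(main) + 1)):
            raise ValueError(f"{kind}{num}: main flow is not numbered 1..n: {main}")
        for s in steps:
            if s["alt"] and s["step"] not in main:
                raise ValueError(f"{kind}{num}: alternative {s['alt']} has no base step")
    return cases

# Constructed sample: a few of the requirements listed above, tab-separated as the tools expect.
SAMPLE = ("UC4-1.\tUser enters product name, product details and product price to the System.\n"
          "UC4-2.\tThe System adds new product to the product catalog.\n"
          "UC4-1a\tProduct price is not a number.\n"
          "UC4-1a1\tSystem asks the User to reenter product name, product details and product price.\n"
          "MUC4-1.\tThe attacker identifies a database related input field.\n"
          "MUC4-2.\tThe attacker forces the System to create a malicious SQLStatement.\n")
```

Running parse_cases over the full use-cases.txt before invoking run-all.sh catches a missing tab or a mistyped step id at the source rather than as an unexplained parse-tree gap several steps later.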
Parse Tree Construction
Three different natural language parsers are used for the syntactic analysis of requirements:
- Collins' parser
- Dan Bikel's parser
- Charniak's parser
The above parsers, along with execution scripts developed by Jaroslav Drazan, can be downloaded as a zip file (138 MB).
The third-party tools used (parsers, lemmatizer, tokenizer, ...) may be used for non-commercial purposes only; see the attached licences.
Usage Instructions:
Warning: This step runs only on Unix/Linux machines!
The zip file should be extracted at ~/wrk/natlang (where ~/ is the user's home directory).
Each parser is executed from its own directory (bin, bin2 or bin3) using the command:
run-all.sh <use-cases.txt>
where
- bin corresponds to Collins' parser
- bin2 corresponds to Dan Bikel's parser
- bin3 corresponds to Charniak's parser
- <use-cases.txt> is the text file containing the requirements.
The parse trees are written to the text files
bin/<use-cases>-original-collins.txt
bin2/<use-cases>-db-collins.txt
bin3/<use-cases>-charniak.txt
respectively.
The output files for our case study are the following:
Note that Java and jar must be installed for these scripts to run.
UML Class Diagram generation from parse trees
Jaroslav Drazan and Vladimir Mencl have developed a tool that produces pro-cases from parse trees.
Pro-cases are a form from which system sequence diagrams can be directly derived.
We have extended the aforementioned tool in order to produce a detailed class diagram in XMI for UML 1.4 (OMG) format.
This extension can be downloaded as a jar file (the source code is included in the jar file).
The data directory including the parse trees for our case study, as well as the necessary configuration files can be downloaded as a zip file.
Usage Instructions:
java -jar RequirementsToDesign.jar <path-to-configuration-files/model-configuration-file>
For example:
java -jar RequirementsToDesign.jar data/ecommerce-model.xml
The XMI output file containing the UML class diagram for our case study can be downloaded here.
Computing Risk and Object-Oriented Function Points for a given Class Diagram
After extracting an XMI output file, it is possible to compute the combined risk and object-oriented function points for the corresponding system using the tool found here as a zip file.
Usage Instructions:
- When using the tool on Windows run classpath.bat; otherwise set the classpath to contain jdom.jar and jgrapht-0.6.0.jar (example for bash: export CLASSPATH=.:jdom.jar:jgrapht-0.6.0.jar; note that Java reads the variable CLASSPATH, which is case-sensitive on Linux).
- Execute the tool from the base directory with:
java src.MainProcess <attack-index-file> <class-diagram-xmi-file>
where
- <attack-index-file> is an index of the files in which likelihood, exposure and consequences are described for each attack,
- <class-diagram-xmi-file> is the XMI file from the previous step.
XMI files produced when gradually including misuse cases in the process can be downloaded as a zip file.
Finding the Minimum System in Terms of Effort given the Maximum Acceptable Risk
We have developed a tool that takes as input a full system, taking into account all possible attacks, and a maximum acceptable risk value (one of: absolutely-low, very-low, low, fairly-low, medium, fairly-high, high, very-high, absolutely-high), and produces the minimum system in terms of effort that satisfies this constraint.
The tool that solves the optimization problem described above can be downloaded as a zip file.
Usage Instructions:
- When using the tool on Windows run classpath.bat; otherwise set the classpath to contain jdom.jar and jgrapht-0.6.0.jar (as in the previous section).
- Execute the tool from the base directory with:
java src.Main <attack-index-file> <full-class-diagram-xmi-file> <risk-level> <output-class-diagram-xmi-file>
where
- <attack-index-file> is an index of the files in which likelihood, exposure and consequences are described for each attack,
- <full-class-diagram-xmi-file> is the XMI file of the full system,
- <risk-level> is the maximum acceptable risk level (valid values: absolutely-low, very-low, low, fairly-low, medium, fairly-high, high, very-high, absolutely-high),
- <output-class-diagram-xmi-file> is the XMI file of the system resulting from the optimization process.