Ubiquitous cyber systems and their supporting infrastructure impact productivity and quality of life immensely. Their penetration in our daily life increases the need for their enhanced resilience and for means to secure and protect them. One major threat is the software monoculture. Latest research work illustrated the danger of software monoculture and introduced diversity to reduce the attack surface. In this paper, we propose a biologically-inspired defense system, ChameleonSoft, that employs multidimensional software diversity to, in effect, induce spatiotemporal software behavior encryption and a moving target defense. The key principles are decoupling functional roles and runtime role players; devising intrinsically-resilient composable online programmable building blocks; separating logic, state and physical resources; and employing functionally-equivalent, behaviorally-different code variants. Given, our construction, ChameleonSoft is also equipped with an autonomic failure recovery mechanism for enhanced resilience. Nodes employing ChameleonSoft autonomously and cooperatively change their recovery and encryption policy both proactively and reactively according to the continual change in context and environment. In order to test the applicability of the proposed approach, we present a prototype of the ChameleonSoft Behavior Encryption (CBE) and recovery mechanisms. Further, using analysis and simulation, we study the performance and security aspects of the proposed system. This study aims to evaluate the provisioned level of security by measuring the level of induced confusion and diffusion to quantify the strength of the CBE mechanism. Further, we compute the computational cost of security provisioning and enhancing system resilience. A brief attack scenario is also included to illustrate the complexity of attacking ChameleonSoft.
Engineering secure software remains a significant challenge for today's software organizations as they struggle to understand the implications of security o the system and develop systems that guarantee specified software security properties. Despite many software engineering advances, current methods for deriving a design from a set of requirements that guarantee the retention of the intended security properties remains difficult and often unachievable. If security requirements are formalized and transformed into design using formal methods, the result would reduce the potential for security vulnerabilities through better clarity, completeness, and consistency. To this end, we outline a requirements-driven security engineering approach for deriving design specifications from security requirements that guarantee security properties specified in requirements are retained. We build on the goal-oriented KAOS (Knowledge Acquisition in autOmated Specifications) framework to formally construct a complete, consistent, and clear security requirements model. The resulting model is then transformed to the B language to derive security design specifications. Using B enables us to further implement the design while preserving requirements relevant security properties. Using the B refinement mechanism, we generate design specifications and ultimately implementation. The approach treats security-specific elements in a systematic and constructive way while considering security early in the development lifecycle with assurance of completeness, consistency and clarity throughout the development. Moreover, our approach allows for requirement traceability at the various phases of development that helps security evaluators to have more confidence in the target of evaluation. General TermsDesign, security, and verification KeywordsGoal-oriented security requirements engineering, formal methods, design specifications, threat models, attack analysis
Cost effective development of secure software is a key goal for many software organizations as they seek to manage the risks of misbehaving software. Employing Formal Methods (FMs) in the Model-Based Software Engineering (MBSE) paradigm that systematically produces software systems through modeling, simulation, reuse and automation provides a reasonable approach for developing highly secure software in a productive manner. MBSE approaches introduce some complexities at the beginning of the lifecycle, but save substantial time in production and delivery by identifying and resolving defects/errors early and reducing rework. On the other hand, the expertise needed for FMs and the concomitant costs often inhibit their wide employment in securing large and complex software systems. In this paper, we report our experience with Formal Analysis and Design for Engineering Security (FADES) an approach we introduced two years ago at this venue. Through systematic and automated transformation from semiformal requirements specifications to formal design, FADES facilitates embedding FMs into the development lifecycle of secure software systems. We outline the case studies and validation of FADES feasibility for the design and implementation of secure software systems. Promising experience with FADES was a necessary precursor to our work on generalizing FADES and our proposal to direct FADES toward being an MBSE approach. We discuss how the formality, transformation, reuse and automation in FADES may further enhance the MBSE-based production and delivery of secure software.
Over the past few years, agile methods have recorded impressive results in the software engineering field basically in terms of business value and time to market. Similarly, software usability has been the major success factor for interactive systems. Agile usability engineering has been motivated as a booming solution to develop better usability in a cost-effective manner. eXtreme Scenario Based Design (XSBD) is one of the effective agile usability approaches. However, XSBD does not provide explicit metrics to quantify the software usability. In this paper, we propose the Quantified eXtreme Scenario Based Design (QXSBD) approach, which complements XSBD with a set of usability metrics collected from the agile architecture-centric approach and the Quality in Use Integrated Model (QUIM). Further, QXSBD specifies the subset of usability metrics that need to be assessed at the major milestones in agile process. This integration employs the Usability Critical Parameters Workshop (UCPW) to provide engineering practices defining the usability requirements and design goals. We demonstrate the QXSBD, process through customer request project case study. The obtained results have shown that usability issues have been reduced by about 30%. Noticeable end user satisfaction has been achieved while maintaining the project total cost.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.