An approach to security requirements engineering for a high assurance system

Cited by: 4
Authors
Irvine C.E. [1]
Levin T. [1, 2]
Wilson J.D. [1]
Shifflett D. [1]
Pereira B. [1]
Affiliations
[1] Department of Computer Science, Naval Postgraduate School, Monterey, CA
[2] Department of Computer Science, Naval Postgraduate School, Monterey
Keywords
Assurance; Engineering; Requirements; Security; Specification; Threat
DOI
10.1007/s007660200015
Abstract
Requirements specifications for high-assurance secure systems are rare in the open literature. This paper examines the development of a requirements document for a multilevel secure system that must meet stringent assurance and evaluation requirements. The system is designed to be secure, yet combines popular commercial components with specialised high-assurance ones. Functional and non-functional requirements pertinent to security are discussed. A multidimensional threat model is presented. The threat model accounts for the developmental and operational phases of system evolution and for each phase accounts for both physical and non-physical threats. We describe our team-based method for developing a requirements document and relate that process to techniques in requirements engineering. The system requirements document presented provides a calibration point for future security requirements engineering techniques intended to meet both functional and assurance goals. © 2002 Springer-Verlag London Limited.
Pages: 192-206
Page count: 14