Trust Trade-off Analysis for Security Requirements Engineering

A paper by Eric S.K. Yu and Golnaz Elahi (2008)
Analyzed by Jens van Langen
Student number: 4203879
Utrecht University
April 10th, 2014
Notice of Originality
I declare that this paper is my own work and that information derived from published or
unpublished work of others has been acknowledged in the text and has been explicitly referred to
in the list of references. All citations are in the text between quotation marks (“ ”). I am fully
aware that violation of these rules can have severe consequences for my study at Utrecht
University.
Signed:
Name:
Date:
Place:
Analyzing: Trust Trade-off Analysis for Security Requirements Engineering
Reference paper: Golnaz Elahi & Eric S. K. Yu (2008), Trust Trade-off Analysis for Security
Requirements Engineering, (RE 2009), 243-248
Introduction
In their paper Elahi and Yu (2008) introduce a seven-step method for analyzing the trade-offs that
trust relationships bring. The goal of this method is to make these trust trade-offs in such a way
that they satisfy the requirements of several different stakeholders. The first six steps of this
seven-step method are existing techniques the authors have adopted. Therefore, the main contribution
of their paper is the last step.
The seven steps according to the method are:
1. Identify Actors and Actors’ Dependencies.
2. Model and Refine Actors’ Goals.
3. Discover and Model Trust Relationships in the Dependency Chain.
4. Recording Trust Rationale.
5. Replace the Trustee Party with a Corresponding Malicious Party.
6. Model and Analyze Vulnerabilities.
7. Analyze the Trust Trade-offs.
In step one the main actors, which can be users or (sub-) systems, and their dependencies are
identified and expressed using i* Strategic Dependency (SD) models (Yu, 1995). i* is a graphical
modeling framework, with a prescribed notation, used for requirements engineering. In step two
of the method the SD models are extended to i* Strategic Rationale (SR) models (Yu, 1995),
where goals are identified and refined to discover new dependency relationships among them.
Step three is where trust, distrust and delegation of execution relationships between entities are
modeled (Giorgini, Massacci, & Zannone, 2005). Step four involves getting rationale from
stakeholders about the trust and distrust relationships. Essential rationales can be shown as an i*
“belief” element in the SD and SR model.
In step five the trusted parties are substituted with attackers. For this purpose, security extensions are
adopted to alter the i* SD and SR models (Elahi & Yu, 2007). The aim is to analyze how
permissions and capabilities, which are given to the trustee, can have a negative impact on the
stakeholder’s goals. In step six the SD and SR models are extended with the notation proposed
by Elahi, Yu and Zannone (2009) to analyze vulnerabilities that dependees pose to the system.
Step seven involves the usage of goal model evaluation techniques by Chung, Nixon, Yu and
Mylopoulos (1999) and Horkoff and Yu (2009) to graphically demonstrate the pros and cons of
each alternative. Due to the difficulty of interpreting the results, Elahi and Yu propose a trust
trade-off table. This table is used to systematically compare the impact alternative solutions have
on the goals of the actors.
The method by Elahi and Yu (2008) can be applied to the domain of security requirements
engineering. The downside of this method is that the optimization only works for a single
stakeholder (Elahi & Yu, 2008). The authors, Golnaz Elahi and Eric Yu, have both studied at the
University of Toronto. Golnaz Elahi wrote the paper, which is analyzed here, under supervision
of Eric Yu as a Ph.D. thesis. She is now employed at Deloitte as an IT security consultant. Eric Yu
has also written a Ph.D. thesis in which he introduced the now famous i* modeling framework
(Yu, 1995). Currently he is a professor at the University of Toronto.
Example
The method by Elahi and Yu (2008) is best explained by giving an example. The goal of this
example is to make a decision on what kind of server to use to provide webpages to a browser.
The following elaborates on the alternative of using a webserver.
Step one in every situation is: identify the actors and their dependencies. In this case the actors
are the webserver and the browser. The webserver depends on a request from the browser before
any action is taken. The browser depends on the server returning the requested webpage. The
method opts to depict this information as an i* Strategic Dependency model. Step two is to model
and refine the actors’ goals. In this example the webserver’s goal is to provide webpages to
clients. This goal can be refined by using softgoals, resources and tasks as seen in figure 1.
Step three involves discovering and modeling the trust relationships. The two actors in our
example are connected to each other via a request and an answer relationship. Using the notation
by Giorgini, Massacci and Zannone (2005), trust, distrust and delegation of execution modifiers
can be applied to the relationships. Step four seeks to add rationales about the relationships as i*
“belief” elements to the model as seen in figure 1. The template used to make SR models can be
found in Appendix A.
Figure 1: i* SR model for the example webserver and browser
Step five is to replace the trusted party that is depended upon by a corresponding attacker and analyze
how the trusted permissions can be abused by the attacker. This can be done by brainstorming. In
the example the webserver can be substituted by a malicious server sending out wrong webpages
or not answering requests. All vulnerabilities are modeled in the i* SR model using the notation
from Elahi, Yu and Zannone (2010) in step six of the method.
The final step, step seven, is to analyze all alternatives which have been elaborated using the
preceding steps. Arguably the browser can also be replaced in the example, since the server trusts
upon the browser to send a webpage request. The webpage request initiated by the browser can
contain malicious code to crash the server or, perhaps even worse, be used to steal confidential
data. The formulated alternatives and (soft)goals are mapped into a trust trade-off table. Each cell
contains an indication of some sort to display the relative effects of the alternative on the
(soft)goal.
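As an added illustration (not code from the analyzed paper or its authors), the following Python sketch encodes the webserver and browser example above: the step three and four relationships as records, the step five substitution of a dependee by an attacker, and a constructed trust trade-off table for step seven. The "++" to "--" cell labels, the dominance rule and the two extra alternatives are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed illustration of steps 3-5 and 7 for the webserver/browser example.
# The data model, the "++".."--" cell labels and the dominance rule are
# assumptions of this example, not notation from Elahi and Yu (2008).

@dataclass(frozen=True)
class Relationship:
    depender: str
    dependee: str
    dependum: str   # what is depended upon, e.g. "webpage request"
    kind: str       # step 3: "trust", "distrust" or "delegation"
    trusted: str    # "execution" or "permission"
    rationale: str  # step 4: stakeholder belief recorded on the relationship

def substitute_dependee(rels, dependee, attacker="Attacker"):
    """Step 5: replace one dependee by a malicious counterpart and list what
    that counterpart now controls (the wording is a constructed convention)."""
    abusable = []
    for r in rels:
        if r.dependee == dependee and r.kind != "distrust":  # distrust grants nothing
            abusable.append(f"{attacker} controls {r.trusted} of '{r.dependum}' "
                            f"relied upon by {r.depender}")
    return abusable

IMPACT = {"++": 2, "+": 1, "0": 0, "-": -1, "--": -2}  # qualitative cell labels

def dominated(table, goals):
    """Step 7: alternatives that some other alternative beats on every (soft)goal,
    i.e. rows that can be dropped before the stakeholders weigh the rest."""
    out = set()
    for a, cells in table.items():
        for b, other in table.items():
            if b == a:
                continue
            no_worse = all(IMPACT[other[g]] >= IMPACT[cells[g]] for g in goals)
            better = any(IMPACT[other[g]] > IMPACT[cells[g]] for g in goals)
            if no_worse and better:
                out.add(a)
                break
    return out

# Constructed instance of figure 1: a request and an answer dependency.
RELS = [
    Relationship("Webserver", "Browser", "webpage request", "trust", "execution",
                 "The server only acts once a request arrives"),
    Relationship("Browser", "Webserver", "requested webpage", "trust", "execution",
                 "The user expects the correct page back"),
]

# Constructed trust trade-off table: alternatives x softgoals, cell = relative effect.
GOALS = ["Pages delivered", "Confidentiality", "Availability"]
TABLE = {
    "Webserver": {"Pages delivered": "++", "Confidentiality": "-", "Availability": "-"},
    "Webserver, requests validated": {"Pages delivered": "++", "Confidentiality": "+", "Availability": "+"},
    "Webserver behind a filtering proxy": {"Pages delivered": "+", "Confidentiality": "++", "Availability": "+"},
}
```

Calling substitute_dependee(RELS, "Webserver") and substitute_dependee(RELS, "Browser") gives the step five view for each side of the dependency chain, and dominated(TABLE, GOALS) names the rows of the trade-off table that no stakeholder needs to weigh.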
Process Deliverable Diagram
The analyzed method can be depicted using a Process Deliverable Diagram (PDD). This metamodeling technique has been created by Weerd and Brinkkemper (2008). The seven activities of
the method are on the left side of the PDD shown in figure 2. On the right side of the PDD are
the deliverables that are produced by executing the (sub-)activities.
Figure 2: Process Deliverable Diagram for the analyzed method
Concepts
On the right side of the PDD are the deliverables. These deliverables are also called concepts. A
description of the concepts used can be found in the table below (table 1).
Concept: Description
ACTOR: An ACTOR is a user of the system. For instance an ACTOR can be a human, sub-system, software agent or service provider (Elahi & Yu, 2008).
ALTERNATIVE: This is a possible solution to the security trade-off question in the form of a TRUST I* STRATEGIC RATIONALE MODEL.
ATTACK: An ATTACK is a way to exploit a VULNERABILITY (Elahi & Yu, 2008).
ATTACKER: An ATTACKER replaces a dependee party in the MALICIOUS I* STRATEGIC RATIONALE MODEL COUNTERPART (Elahi & Yu, 2008).
DEPENDENCY NETWORK: The DEPENDENCY NETWORK connects two ACTORS to each other so GOALS can be achieved, TASKS can be performed and RESOURCES can be furnished (Yu, 1995). This DEPENDENCY NETWORK can be expressed as an I* STRATEGIC DEPENDENCY MODEL.
GOAL: A GOAL is a condition or state of affairs in the world that the stakeholders would like to achieve. The goal can be achieved by any alternative (Regev & Wegmann, 2005).
I* LINK: Links are used to model the positive impacts on satisfaction of (soft)goals (Elahi & Yu, 2008).
I* STRATEGIC DEPENDENCY MODEL: The I* STRATEGIC DEPENDENCY MODEL provides an intentional description of a process in terms of a network of dependency relationships among ACTORS (Yu, 1995).
I* STRATEGIC RATIONALE MODEL: The I* STRATEGIC RATIONALE MODEL provides an intentional description of processes in terms of process elements and the rationales behind them (Yu, 1995).
MALICIOUS I* STRATEGIC RATIONALE MODEL COUNTERPART: This is the malicious counterpart to the I* STRATEGIC RATIONALE MODEL. Here the dependee actors are replaced by a corresponding malicious counterpart, also known as an ATTACKER (Elahi & Yu, 2008).
RELATIONSHIP: This implies a connection of trust, distrust or delegation between two ACTORS. A RELATIONSHIP also represents either a permission or execution (Elahi & Yu, 2008). A RELATIONSHIP has a type: trust, distrust or delegation; a trusted: execution or permission; and a rationale: a statement explaining the relationship.
RESOURCE: A RESOURCE is the finished product of some deliberation-action process (Yu, 1995).
SOFT GOAL: A SOFT GOAL is a condition the ACTOR would like to achieve, but unlike a TOP GOAL it is not defined sharply and therefore it is subject to interpretation (Yu, 1995).
SOLUTION: The SOLUTION implies the ALTERNATIVE which best satisfies the risks and benefits of the dependencies (Elahi & Yu, 2008).
TASK: A TASK specifies a particular way of doing something (Yu, 1995).
TOP GOAL: A TOP GOAL is a condition the ACTOR would like to achieve. The criteria to achieve this are clearly defined (Yu, 1995).
TRUST I* STRATEGIC RATIONALE MODEL: A generic I* STRATEGIC RATIONALE MODEL extended with the security notation introduced by Elahi and Yu (2007). A template to create this model can be found in Appendix A.
TRUST TRADE-OFF TABLE: A TRUST TRADE-OFF TABLE is a table in which costs and benefits of ALTERNATIVES can be listed and compared (Elahi & Yu, 2008).
VULNERABILITY: A VULNERABILITY is a weakness which can be exploited by an ATTACKER (Elahi & Yu, 2008).
Table 1: A description of the concepts used in the PDD
Activities
On the left side of the PDD are the activities. A description of the activities used can be found in
the table below (table 2).
Activity: Find an alternative to meet the requirements
Description: An ALTERNATIVE needs to be found that meets the requirements of the stakeholders, which are represented by the GOALS.

Activity: Identify Actors and Actors’ Dependencies
Sub-activity: Identify the main actors. The stakeholders and requirements analysts identify the main ACTORS involved in the system (Elahi & Yu, 2008).
Sub-activity: Model the main actors. Model the main actors in a DEPENDENCY NETWORK. This can then be expressed as an I* STRATEGIC DEPENDENCY MODEL (Elahi & Yu, 2008).

Activity: Model and Refine Actors’ Goals
Sub-activity: Detect top goals and soft goals. Use the I* STRATEGIC DEPENDENCY MODEL to detect the TOP and SOFT GOALS for the ACTORS (Elahi & Yu, 2008).
Sub-activity: Refine top goals and soft goals. The top and soft goals can be refined into finer-grained (SOFT) GOALS, TASKS and RESOURCES. The I* LINKS are used to model the benefits of the dependencies (Elahi & Yu, 2008).
Sub-activity: Extend the i* SD models to i* SR models. The I* STRATEGIC DEPENDENCY MODELS can be extended to the I* STRATEGIC RATIONALE MODELS according to the steps defined by Yu (1995).

Activity: Discover and Model Trust Relationships in the Dependency Chain
Sub-activity: Identify the (dis)trust relationships. Identify what kind of trust RELATIONSHIPS there are between the ACTORS (Elahi & Yu, 2008).
Sub-activity: Model the relationships. Extend the I* STRATEGIC DEPENDENCY MODEL by modeling the (dis)trust RELATIONSHIPS to form the TRUST I* STRATEGIC DEPENDENCY MODEL (Elahi & Yu, 2008).

Activity: Record the Trust Rationale
Description: The rationale from stakeholders for (dis)trusting a party should be recorded and added to the RELATIONSHIPS (Elahi & Yu, 2008).

Activity: Replace the Trustee Party with a Malicious Party
Sub-activity: Substitute a dependee with an attacker. One of the dependee parties should be replaced with an ATTACKER (Elahi & Yu, 2008).
Sub-activity: Analyze how permissions can be abused. When replaced by an ATTACKER one should analyze how granted capabilities and permissions can be abused (Elahi & Yu, 2008).

Activity: Model and Analyze Vulnerabilities
Sub-activity: Analyze and add vulnerabilities to the model. The VULNERABILITIES that the dependee parties bring to the system should be added to the model using the notation by Elahi, Yu and Zannone (2010).
Sub-activity: Detect potential attacks. Brainstorming should take place to detect potential ATTACKS (Elahi & Yu, 2008).

Activity: Analyze the Trust Trade-offs
Sub-activity: Create a trust trade-off table. A TRUST TRADE-OFF TABLE should be created according to the method described by Elahi and Yu (2008).
Sub-activity: Decide which alternative to use. From the TRUST TRADE-OFF TABLE the SOLUTION should be picked which best meets the requirements of the stakeholders (Elahi & Yu, 2008).

Table 2: A description of the activities used in the PDD
Related literature
The method that is elaborated upon in the analyzed paper originated from the method that Liu,
Yu and Mylopoulos (2003) proposed in their paper about security and privacy requirements
analysis. Step five in the method by Elahi and Yu (2008) shows resemblance to the method by
Liu et al. (2003). They also replaced the trusted party with an attacker to analyze the effects of
vulnerabilities in relation to the goals. Moreover, the evaluation techniques proposed in step
seven of the method are based on the paper by Horkoff and Yu (2009) as well as Chung et al.
(1999).
Common development methodologies for requirements engineering (RE) have all adopted goal-oriented and agent-oriented concepts. Giorgini, Massacci and Zannone (2005) review several of
these software development methodologies and try to improve on them. They name i* and
Tropos as the most prominent methods for RE. In their paper Regev and Wegmann (2005) also
name Goal-oriented Requirements Language (GRL), Knowledge Acquisition in automated
specification (KAOS), Cooperative Requirements Engineering with Scenarios (CREWS) and
Goal-Based Requirements Analysis Method (GBRAM) as goal-oriented requirements
engineering (GORE) methods and as alternatives.
Also noteworthy is the method used by Elahi and Yu (2008) to identify the most beneficial trade-off. This method is based on the even swaps method, which was introduced by Hammond,
Keeney and Raiffa (1998) as a rational way to make trade-offs for multi-criteria decisions. The
even swaps method makes you think about the value of one property in terms of another. This
makes comparison easy and trade-offs more tangible.
Before engineering the method introduced in their paper, Elahi and Yu (2007) analyzed other
existing trust trade-off methods. This can be viewed as work preceding the analyzed paper.
Elahi and Yu (2008) criticize the usability of the method in its current state, because it has not
been tested extensively. Accordingly, no case studies have been found where this method has been
applied. Only Elahi and Yu (2011) cite their paper, for the modified even swaps method
mentioned in step seven of the method.
References
Elahi, G., & Yu, E. (2007). A Goal Oriented Approach for Modeling and Analyzing Security
Trade-Offs. In C. Parent, V. C. Storey, K.-D. Schewe, & B. Thalheim (Eds.),
Proceedings of the 26th International Conference on Conceptual Modeling, Auckland,
New Zealand, 375-390.
Elahi, G., & Yu, E. (2008). Trust Trade-off Analysis for Security Requirements Engineering.
Proceedings of the 17th IEEE International Conference on Requirements Engineering,
Atlanta, Georgia, USA, 243-248.
Elahi, G., & Yu, E. (2011). Requirements Trade-offs Analysis in the Absence of Quantitative
Measures: A Heuristic Method. Proceedings of the 2011 ACM Symposium on Applied
Computing, TaiChung, Taiwan, 651-658.
Elahi, G., Yu, E., & Zannone, N. (2010). A Vulnerability-Centric Requirements Engineering
Framework: Analyzing Security Attacks, Countermeasures, and Requirements Based on
Vulnerabilities. Journal of Requirements Engineering, 15(1), 41-62.
Giorgini, P., Massacci, F., & Zannone, N. (2005). Security and Trust Requirements Engineering.
In A. Aldini, R. Gorrieri, & F. Martinelli (Eds.), Foundations of Security Analysis and
Design III (pp. 237-272). Bertinoro, Italy: Springer Berlin Heidelberg.
Hammond, J. S., Keeney, R. L., & Raiffa, H. (1998). Even Swaps: A Rational Method for
Making Trade-offs. Harvard Business Review, 76(2), 137-152.
Horkoff, J., & Yu, E. (2009). A Qualitative, Interactive Evaluation Procedure for Goal- and
Agent-Oriented Models. Proceedings of the 21st International Conference on Advanced
Information Systems Engineering (CAiSE'09), Amsterdam, The Netherlands, 151-161.
Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a
Social Setting. Proceedings of the 11th IEEE International Conference on Requirements
Engineering, Monterey, California, USA, 151-161.
Regev, G., & Wegmann, A. (2005). Where do goals come from: the underlying principles of
goal-oriented requirements engineering. Proceedings of the 13th IEEE International
Conference on Requirements Engineering, Paris, France, 353-362.
Weerd, I. van de & Brinkkemper, S. (2008). Meta-modeling for situational analysis and design
methods. In M.R. Syed & S.N. Syed (Eds.), Handbook of Research on Modern Systems
Analysis and Design Technologies and Applications (pp. 38-58). Hershey: Idea Group
Publishing.
Yu, E. (1995). Modeling Strategic Relationships for Process Reengineering. Unpublished
doctoral dissertation, University of Toronto, Ontario, Canada.
Appendix A - Strategic Rationale template