Unifying security and software Product family models to enhance information confidentiality

统一安全和软件产品系列模型以增强信息机密性

• 批准号: RGPIN-2014-06115
• 负责人: Khedri, Ridha
• 金额: $ 1.46万
• 依托单位: McMaster University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2015
• 资助国家: 加拿大
• 起止时间: 2015-01-01 至 2016-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=588821
• 关键词: Unifying; security; software; Product; family

Security and, in particular, information confidentiality are becoming more and more valuable to governments, military, corporations, financial institutions, hospitals, and private businesses as they amass a great deal of confidential information about their employees, customers, products, research and financial status. So far, security-modeling work has been largely independent of system requirements and product family modeling. It is a common practice to model system requirements first and then security is added as an afterthought. Usually the security part of a system is overlaid on the subsystem of the main functionality. It is the long-term objective of this research program to unify feature modeling and other early requirements models with confidentiality models to gain a unified view of the product family and its confidentiality requirements. The aim is to obtain models that can evolve with the changes in the software family environments, which would enable us generate and propagate the needed changes to the security prevention and detection mechanisms. Consequently, we systematically and quickly strengthen the responses of the products of a software family to emerging threats. The proposed research will take the following complementary research directions: 1) Investigate models that capture the domain and security knowledge in preventing indirect unauthorized information leakage through cover channel communication. This direction will involve a formal representation of an ontology that is suitable for an algebraic specification of software systems. 2) Expand our early-established results on product family to equip feature models with a representation of the context and the environment in which each feature of the family is expected to evolve. This context and each feature environment are captured by the domain and security ontology. 3) Explore dynamic instantiation of confidentiality policy and the mechanisms for enhancing information confidentiality. From a set of confidentiality rules given by the security risk management officers, a more thorough and complete set of rules are generated (calculated) taking into account the security knowledge and domain knowledge of the product family. The proposed research would enable us to have software systems that can on the fly update their confidentiality policy and mechanisms with each change in the environment. The security and software domain ontology will capture changes in the system's environment and then a new set of confidentiality rules will formally be calculated and included in the system. I aim at adopting an algebraic approach to formally model and unify security and product families models. The proposed methodology, due to its algebraic flavor, brings a calculational way to generate confidentiality rules and verification of the properties of the unified model. Moreover, it brings rigor in modeling and fosters a disciplined approach to software engineering to handle security aspects. The proposed calculational processes would be easily automated using computer algebra systems and theorem provers. The proposed research represents a rigorous approach to enhance information confidentially in an ever-changing world. The obtained results would bring major contributions to information security and affect research in other areas that use ontologies such as business intelligence and eHealth.

安全性，特别是信息保密性对于政府、军队、公司、金融机构、医院和私营企业来说变得越来越有价值，因为它们积累了大量关于其员工、客户、产品、研究和财务状况的机密信息。到目前为止，安全建模工作在很大程度上独立于系统需求和产品族建模。 通常的做法是先对系统需求建模，然后再添加安全性。 通常，系统的安全部分覆盖在主要功能的子系统上。本研究计划的长期目标是将特征建模和其他早期需求模型与机密性模型统一起来，以获得产品族及其机密性需求的统一视图。 我们的目标是获得可以随着软件族环境的变化而发展的模型，这将使我们能够生成和传播所需的安全预防和检测机制的变化。因此，我们系统地、快速地加强软件系列产品对新出现的威胁的响应。 本研究将采取以下补充性研究方向：1）研究在防止通过覆盖信道通信的间接未经授权的信息泄漏中捕获域和安全知识的模型。 这个方向将涉及一个本体的形式化表示，适合于软件系统的代数规范。2)扩展我们早期建立的产品族的结果，装备的背景和环境中，每个功能的家庭预计将演变的特征模型的表示。 该上下文和每个特征环境由域和安全本体捕获。3)探讨机密性策略的动态实例化和增强信息机密性的机制。 从安全风险管理人员给出的一组保密规则中，考虑到产品系列的安全知识和领域知识，生成（计算）一组更全面、更完整的规则。 拟议的研究将使我们能够拥有能够随着环境的每次变化动态更新其保密政策和机制的软件系统。 安全和软件领域本体将捕获系统环境中的变化，然后正式计算一组新的机密性规则并将其包含在系统中。 我的目标是采用代数方法来正式建模和统一的安全和产品系列模型。 所提出的方法，由于其代数风味，带来了计算的方式来生成的机密性规则和验证的统一模型的属性。 此外，它带来了建模的严格性，并促进了软件工程的纪律方法来处理安全问题。 使用计算机代数系统和定理证明器，拟议的计算过程将很容易自动化。 拟议的研究代表了一种严格的方法，以提高信息的保密性，在不断变化的世界。 所获得的结果将为信息安全做出重大贡献，并影响使用本体论的其他领域的研究，如商业智能和电子健康。