SecureTropos

Tropos and SecureTropos
Tropos proposes a software development methodology founded on concepts used to model early requirements. In particular, the proposal adopts Eric Yu's i* modelling framework, which offers the notions of actor, goal and (actor) dependency, and uses these as a foundation to model early and late requirements, architectural and detailed design. The methodology complements proposals for agent-oriented programming platforms. Tropos is derived from the Greek τρόπος, which means "way of doing things"; also τροπή, which means "turn" or "change".
SecureTropos is an agent-oriented software development methodology, tailored to describe both the organization and the system with respect to both functional and security requirements. The key intuition is that in modeling security and trust we need to distinguish between the actors that manipulate resources, accomplish goals or execute tasks, and the actors that own the resources or the goals.
SecureTropos extends the Tropos methodology with the concepts of actor, goal, task, resource and social relationships for defining the obligations of actors to each other.
The requirements model and its refinement are built through:
Actor modelling, Permission Trust modelling, Execution Trust modelling, Execution Delegation modelling, Permission Delegation modelling, and Goal refinement.
Tropos models involve two different levels of analysis: social and individual. At the social level we analyze the roles and positions of the organization, whereas at the individual level the focus is on single agents.
The Secure Tropos Tool (ST-Tool)
ST-Tool is a graphical environment which supports the creation of formally consistent security requirements models. It essentially supplies a visual editor to design the system models, performs integrity analysis according to an agent-oriented requirements engineering methodology, and exchanges information with external automatic verification tools in order to detect security violations.
ST-Tool is mainly composed of two parts: the ST-Tool kernel and external solvers. The ST-Tool kernel has an architecture comprised of three major parts: the graphical layout, the data manager, and the formalization mechanism.
The data manager maintains a consistent representation of the Tropos model; the graphical layout lets the user visually interact with the model; the formalization mechanism supervises the analysis process.
[Figure: ST-Tool architecture. The GUI edits the Model; the DB domain holds the EDB (model facts) and the IDBs (domain axioms and property rules), which the Solver evaluates to report security violations.]
System verification is based on the idea of considering the model as a database, allowing it to be translated into a set of Answer Set Programming (ASP) specifications and solved by a deductive system. The EDB (extensional database) contains all the rows, i.e. entities such as actors, services and relations, that constitute the model. An IDB (intensional database) contains the axioms of the domain, that is, the general rules used to deduce facts. A second IDB is the properties database: it holds the security policies the user wants to ensure, expressed as a set of violation rules, so that a policy is breached exactly when the solver derives a violation.
The formal framework allows for the automatic verification of security and trust requirements by using a suitable delegation logic that can be mechanized within ASP.
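The EDB/IDB/violation-rule pipeline described above, as an added example that is not ST-Tool's own code: a naive Datalog-style fixpoint in Python stands in for the ASP solver. The predicates (owns, provides, del_perm, del_exec, trust_perm, trust_exec), the axioms and the three violation rules are an assumed simplification of the SecureTropos permission, trust and delegation relations, and every model fact (actors alice, bob, carol, dave; services student_records, manage_db) is constructed for this example rather than taken from the case study.

```python
"""Added illustration of ST-Tool's model-as-database verification.

Not ST-Tool's own code. A naive Datalog-style fixpoint stands in for the
ASP solver; the predicates and axioms below are an assumed simplification
of SecureTropos trust/delegation relations, and every model fact is
constructed for this example (actors alice, bob, carol, dave; services
student_records, manage_db)."""

from typing import Iterable, List, Set, Tuple

Fact = Tuple[str, ...]          # ("predicate", arg1, arg2, ...)


def select(facts: Set[Fact], pred: str) -> List[Tuple[str, ...]]:
    """Return the argument tuples of all facts with the given predicate."""
    return [f[1:] for f in facts if f[0] == pred]


def axioms(facts: Set[Fact]) -> Set[Fact]:
    """Domain IDB: one round of applying the (assumed) SecureTropos axioms."""
    new: Set[Fact] = set()
    # Ax1: the owner of a service has permission on it.
    for owner, s in select(facts, "owns"):
        new.add(("has_per", owner, s))
    # Ax2: permission delegation transfers permission only if the delegator has it.
    for a, b, s in select(facts, "del_perm"):
        if ("has_per", a, s) in facts:
            new.add(("has_per", b, s))
    # Ax3/Ax4: permission trust and execution trust are transitive (trust chains).
    for kind in ("perm", "exec"):
        trust, chain = "trust_" + kind, "trust_" + kind + "_chain"
        for a, b, s in select(facts, trust):
            new.add((chain, a, b, s))
        for a, b, s in select(facts, chain):
            for b2, c, s2 in select(facts, trust):
                if b2 == b and s2 == s:
                    new.add((chain, a, c, s))
    return new


def closure(edb: Iterable[Fact]) -> Set[Fact]:
    """Least fixpoint of the positive axioms over the EDB (the deductive step)."""
    facts = set(edb)
    while True:
        derived = axioms(facts) - facts
        if not derived:
            return facts
        facts |= derived


def violations(facts: Set[Fact]) -> Set[Fact]:
    """Properties IDB: violation rules, evaluated after the positive closure so
    that 'not' is safe (stratified negation)."""
    found: Set[Fact] = set()
    # V1: someone holds permission on a service whose owner does not trust them.
    for owner, s in select(facts, "owns"):
        for b, s2 in select(facts, "has_per"):
            if s2 == s and b != owner and ("trust_perm_chain", owner, b, s) not in facts:
                found.add(("untrusted_permission", owner, b, s))
    # V2: an actor provides (executes) a service without holding permission on it.
    for b, s in select(facts, "provides"):
        if ("has_per", b, s) not in facts:
            found.add(("execution_without_permission", b, s))
    # V3: execution is delegated to an actor the delegator does not trust to execute.
    for a, b, s in select(facts, "del_exec"):
        if ("trust_exec_chain", a, b, s) not in facts:
            found.add(("untrusted_execution_delegation", a, b, s))
    return found


def verify(edb: Iterable[Fact]) -> Set[Fact]:
    """Whole pipeline: EDB -> closure under domain axioms -> violation rules."""
    return violations(closure(edb))


# Constructed EDB (not from the paper's case study): Alice owns the student
# records, delegates permission and execution to Bob, who re-delegates to
# Carol without any trust relation; Dave provides the service with no permission.
MODEL: Set[Fact] = {
    ("owns", "alice", "student_records"),
    ("del_perm", "alice", "bob", "student_records"),
    ("trust_perm", "alice", "bob", "student_records"),
    ("provides", "bob", "student_records"),
    ("del_perm", "bob", "carol", "student_records"),
    ("provides", "carol", "student_records"),
    ("provides", "dave", "student_records"),
    ("del_exec", "alice", "bob", "manage_db"),
    ("trust_exec", "alice", "bob", "manage_db"),
    ("del_exec", "bob", "carol", "manage_db"),
}

# The same model after the analyst adds the missing trust relations and drops Dave.
FIXED_MODEL: Set[Fact] = (MODEL - {("provides", "dave", "student_records")}) | {
    ("trust_perm", "bob", "carol", "student_records"),
    ("trust_exec", "bob", "carol", "manage_db"),
}

if __name__ == "__main__":
    for v in sorted(verify(MODEL)):
        print("violation:", v)
    print("violations after fix:", sorted(verify(FIXED_MODEL)))
```

Running the block reports three violations on MODEL (Carol holds a permission the owner never trusted her with, Dave executes without permission, Bob delegates execution to someone he does not trust) and none on FIXED_MODEL. The violation rules are evaluated only after the positive closure has stabilized, which is what makes the negated conditions sound; a real ASP solver handles that stratification for you.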
Integrating ST-Tool and TAOM4E
[Figure: TAOM4E platform architecture, built on EMF, GEF, the Eclipse Workbench and Workspace, and the Platform run-time.]
The Tool for Agent-Oriented Modeling for Eclipse (TAOM4E) is a visual modeler supporting the Tropos methodology. It has been developed as an extension (plug-in) of the Eclipse Platform in order to ensure high extensibility and standards compliance. The tool enables the specification of Tropos models that are compliant with a meta-model specified following the OMG's MDA standard for interoperability, that is, the Meta Object Facility (MOF), which allows technology-neutral meta-models to be specified, built and managed.
TAOM4E's architecture follows the MVC paradigm and has been devised as an extension of two existing plug-ins:
● The Eclipse Modeling Framework (EMF), which offers a modeling framework for building applications based on a structured data model;
● The Graphical Editing Framework (GEF), which allows developers to create graphical editors around existing models.
TAOM4E is mainly composed of:
● model (M): implementing the Tropos meta-model by exploiting EMF's functionality;
● platform (VC): covering the visual modeling activity required to build and manage a Tropos model.
ST-Tool provides functionality not managed by TAOM4E (security-aware models and analysis capabilities), but given a common meta-model layer it is possible to envision a scenario in which the functionality of the former could be reused by the latter via a shared-code approach. The capabilities of ST-Tool could become an extension of the TAOM4E ones.
[Figure: integration roadmap. ST-Tool contributes security-aware models, full methodology compliance and analysis capabilities; TAOM4E contributes Eclipse integration, the TAOM4E meta-model and the Tropos methodology.]
Compliance to the Italian data protection law
Case study
ST-Tool has been used to model a comprehensive case study on the compliance to the Italian security and privacy legislation of public administrations such as universities, local governments and health care authorities. In summary, the law requires administrations to set up sophisticated security and privacy policies that, as far as security is concerned, are fairly close in complexity to the ISO 17799 standard for security management. Dealing with privacy introduces additional complications such as data ownership, trust and consent. In order to compare the different solvers, we have tested them on a pool of benchmarks based on the case study.
[Figure: excerpt of the case-study model (caption fragments): "Alice is the CIO of the faculty"; "As a CIO, Alice delegates the Database security operator".]
Department of Computer Science and Telecommunications - University of Trento, Italy
For further information:
http://www.troposproject.org
Center for Scientific and Technological Research ITC-IRST - Povo (Trento), Italy
Acknowledgements: This work has been partly supported by the IST programme of the EU Commission, under the IST-FET 2001-37004 WASP project, by the FIRB programme of MIUR under the RBNE0195K5 ASTRO Project, and by the FU programme of PAT under the MOSTRO Project.