Security Use Cases

Topics: Definition Goals Objectives Examples Guidelines References

Example Use Cases: Access Control Immunity Integrity Intrusion Detection Nonrepudiation Privacy Physical Protection Security Auditing

Definitions

A security use case is a specialized use case the scope of which is restricted to security issues.

Goals

The typical goals of a security use case is to:

Specify security requirements related to the security threat (i.e., essential use case).
Document the use of a security architectural mechanism (i.e., architectural use case).
Thereby:
- Prevent a security threat from occurring.
- Mitigate the impact of the security threat if it occurs.

Note that whereas typical use cases are used to specify system support for users, security use cases are used to specify system defenses against misuser threats.

Objectives

To achieve these goals, the typical objectives of a security use case are to:

Clarify and analyze security threats, which may also be done via misuse cases.
Analyze and specify related that prevent these threats from occuring or mitigate their impact if they do occur.
Capture top-level security patterns.
Clarify the relationships between the threats (misuse cases) and the security requirements (use cases).
Clarify the behavior of security mechanisms.
Help make security design trade-offs.
Provide input to developing the security tests.

Examples

The following are examples of highly general and reusable security use cases:

Use Case — Access Control:
Use Case — Immunity:
- Use Case Path – Virus Protection
Use Case — Integrity:
- Use Case Path – Data Integrity
- Use Case Path – System Data Protected
- Use Case Path – System Data Corrupted
- Use Case Path – System Message Integrity
- Use Case Path – User Message Integrity
- Use Case Path – Denial Of Service (DOS) Attack
Use Case — Intrusion Detection
Use Case — Nonrepudiation
Use Case — Privacy:
Use Case — Physical Protection
Use Case — Security Auditing

Use Case — Access Control

The following example access control use case specifies highly general and reusable access control requirements.

This use case is defined in terms of the following use case path specifications:

Use Case Path – Attempted Spoofing using Valid User Identity
Use Case Path – Attempted Identity and Authentication Theft
Use Case Path – Attempted Spoofing using Social Engineering

Use Case Path – Attempted Spoofing using Valid User Identity

Use Case: Access Control
Use Case Path: Attempted Spoofing using Valid User Identity
Security Threat: The application authenticates and authorizes a misuser as if the misuser were actually a valid user.
Preconditions: 1) The misuser has a valid means of user identification. 2) The misuser has an invalid means of user authentication.
Misuser Interactions	System Requirements
	System Interactions	System Actions
	The system shall request the misuser’s means of identification and authentication.
The misuser provides a valid means of user identity but an invalid means of user authentication.
		1) The system shall misidentify the misuser as a valid user. 2) The system shall fail to authenticate and authorize the misuser.
	The system shall reject the misuser by canceling the transaction.
Postconditions: 1) The system shall not have allowed the misuser to steal the user’s means of authentication. 2) The system shall not have authenticated the misuser. 3) The system shall not have authorized the misuser to perform any transaction that requires authentication. 4) The system shall record the access control failure.

Use Case Path – Attempted Identity and Authentication Theft

Use Case: Access Control
Use Case Path: Attempted Identity and Authentication Theft
Security Threat: The misuser steals the user’s valid means of identification and authentication, thereby enabling the misuser to impersonate the user.
Preconditions: 1) The misuser has no valid means of user identification. 2) The misuser has no valid means or user authentication.
User Interactions	Misuser Interactions	System Requirements
		System Interactions	System Actions
		The system shall request the user’s identity and authentication.
The user identifies and authenticates himself or herself.	The misuser attempts to steal the user’s valid means of identification and authentication.		The system shall protect the user’s identity and authentication during the interaction.
			The system shall identify and authenticate the user.
		The system shall request the user’s choice of interaction.
Postconditions: 1) The system shall have prevented the misuser from stealing the user’s means of identification and authentication. 2) The system shall have identified and authenticated the user.

Use Case Path – Attempted Spoofing using Social Engineering

Use Case: Access Control
Use Case Path: Attempted Spoofing using Social Engineering
Security Threat: The misuser gains access to an unauthorized resource.
Preconditions: 1) The misuser has a valid means of user identification enabling the impersonation of a valid user that is authorized to use a protected resource. 2) The misuser does not have an associated valid means of user authentication. 3) The misuser has basic knowledge of the organization including the ability to contact the contact center.
Misuser Interactions	Contact Center Requirements
Misuser Interactions	Contact Center Interactions	Contact Center Actions
The misuser contacts the contact center.
	A user support agent shall request the misuser’s identity and authentication.
1) The misuser provides the valid user identity. 2) The misuser states that he or she has a temporary inability to authenticate himself or herself. 3) The misuser states that he or she has an urgent need to access a protected resource requiring authentication and authorization.
	The user support agent shall request one or more alternate forms of authentication.	The user support agent shall check the appropriate procedures for the proper action.
The misuser fails to provide a valid alternate form of authentication.
	The user support agent shall refuse authentication and authorization to the requested resource.
Alternative Paths: The misuser can quit at any point.
Postconditions: 1) The system shall not have authenticated the misuser. 2) The system shall not have authorized the misuser to access the protected resource. 3) The system shall record the access control failure.

Use Case — Immunity

The following example immunity use case specifies highly general and reusable immunity requirements.

This use case is defined in terms of the following use case path specifications:

Use Case Path – Virus Protection

Use Case Path – Virus Protection

Use Case: Immunity
Use Case Path: Virus Protection
Security Threat: A misuser may infect the system with an undesirable program (e.g., virus, worm, or trojan horse).
Preconditions: 1) The misuser has a virus, worm, or trojan horse. 2) The system has requested some form of input from the misuser.
Misuser Interactions	System Requirements
	System Interactions	System Actions
The misuser provides input that includes a virus, worm, or trojan horse.
		1) The system shall identify the virus, worm, or trojan horse. 2) The system shall delete the virus, worm, or trojan horse.
	The system shall notify the misuser of the virus, worm, or trojan horse.
Postconditions: The system shall not be infected.

Use Case — Integrity

The following example integrity use case specifies highly general and reusable integrity requirements.

This use case is defined in terms of the following use case path specifications:

Use Case Path – System Data Protected
Use Case Path – System Data Corrupted
Use Case Path – System Message Integrity
Use Case Path – User Message Integrity
Use Case Path – Denial Of Service (DOS) Attack

Use Case Path – System Data Protected

Use Case: Integrity
Use Case Path: System Data Protected
Security Threat: A misuser may corrupt (e.g., add, modify, delete) sensitive data that is stored by the system.
Preconditions: The system stores sensitive data that must not be corrupted.
Misuser Interactions	System Requirements
	System Interactions	System Actions
The misuser attempts to corrupt (e.g., add, modify, delete) sensitive data stored by the system.
		The system shall prevent the data from being corrupted.
	The system shall notify the security officer that an attempt to corrupt data occurred.
Postconditions: No sensitive data is corrupted.

Use Case Path – System Data Corrupted

Use Case: Integrity
Use Case Path: System Data Corrupted
Security Threat: A misuser may secretly corrupt (e.g., add, modify, delete) sensitive data that is stored by the system.
Preconditions: 1) The system stores sensitive data that must not be corrupted. 2) The misuser has the means to corrupt sensitive data that is stored by the system.
Misuser Interactions	System Requirements
	System Interactions	System Actions
The misuser corrupts (e.g., adds, modifies, deletes) sensitive data stored by the system.
		Within X seconds, the system shall: 1) Recognize that the data was corrupted. 2) Repair the corrupted data (e.g., delete added data, restore modified data, replace deleted data).
	The system shall notify the security officer that data was corrupted and repaired.
Postconditions: No sensitive data is corrupted.

Use Case Path – System Message Integrity

Use Case: Integrity
Use Case Path: System Message Integrity
Security Threat: A misuser corrupts a message from the system to a user.
Preconditions: 1) The misuser has the means to intercept a message from the system to a user. 2) The misuser has the means to modify an intercepted message. 3) The misuser has the means to forward the modified message to the user.
User Interactions	Misuser Interactions	System Requirements
		System Interactions	System Actions
		The system sends a message to a user.	The system ensures that modifications to the message will be obvious to the user.
	The misuser intercepts and modifies the system’s message and forwards it on to the user.
The user receives the corrupted message.			The system shall recognize that it’s message was corrupted.
		The system shall notify the user that it’s message was corrupted.
Postconditions: None.

Use Case Path – User Message Integrity

Use Case: Integrity
Use Case Path: User Message Integrity
Security Threat: A misuser corrupts a user’s message to the system.
Preconditions: The misuser has the means to intercept a message between the user and the system.
User Interactions	Misuser Interactions	System Requirements
		System Interactions	System Actions
The user sends a message to the system.
	The misuser intercepts, modifies, and forwards the user’s message.
			The system shall recognize that the user’s message was corrupted.
		The system shall notify the user that the user’s message was corrupted.
Postconditions: Varies depending on the message that was corrupted.

Use Case — Intrusion Detection

The following are typical examples of paths through the intrusion detection misuse case:

Use Case — Nonrepudiation

The following are typical examples of paths through the nonrepudiation use case:

Use Case — Privacy

The following are typical examples of paths through the privacy use case:

Use Case Path – Data Privacy
Use Case Path – System Message Privacy
Use Case Path – User Message Privacy

Use Case Path – Data Privacy

Use Case: Privacy
Use Case Path: Data Privacy
Security Threat: Misuser accesses private data stored by the system.
Preconditions: The system stores private data.
Misuser Interactions	System Requirements
	System Interactions	System Actions
		The system makes private stored data unreadable.
The misuser accesses private data stored by the system.
Postconditions: The misuser cannot read the private data.

Use Case Path – System Message Privacy

Use Case: Privacy
Use Case Path: System Message Privacy
Security Threat: Misuser accesses private message from the system to the user.
Preconditions: The misuser has the means to intercept a message from the system to the user.
User Interactions	Misuser Interactions	System Requirements
		System Interactions	System Actions
			The system makes the private message unreadable while in transit.
		The system sends a private message to the user.
	The misuser intercepts the system’s private message.
Postconditions: The misuser cannot read the system’s private message.

Use Case Path – User Message Privacy

Use Case: Privacy
Use Case Path: User Message Privacy
Security Threat: Misuser accesses private message from the user to the system.
Preconditions: 1) The misuser has the means to intercept a message from the user to the system. 2) The system has requested private information from the user.
User Interactions	Misuser Interactions	System Requirements
		System Interactions	System Actions
The user sends a private message to the system.
			The system makes the private message unreadable while in transit.
	The misuser intercepts the user’s private message.
Postconditions: The misuser cannot read the user’s private message.

Use Case — Physical Protection

The following are typical examples of paths through a physical protection use case:

Use Case — Security Auditing

The following are typical examples of paths through a security auditing use case:

Guidelines

The following guidelines have been found to be useful when producing access control requirements:

Misuse cases can support different activities (e.g., requirements engineering, architecting, design, testing) depending on their level of abstraction and the amount of implementation details they contain.
To analyze and specify security requirements, use essential misuse cases that do not unnecessarily contain architectural or design constraints (e.g., specific security mechanisms).
Because essential use cases do not contain architectural or design constraints, they are very general and highly reusable.
Specify requirements only on the system, not on the user or misuser.
Develop use case paths to counter specific security threats.
For each misuser, identify the following information:
- Types of misusers (e.g., hacker, cracker, or disgruntled employee)
- Objectives (i.e., motives) for their attack
- Means of attack (e.g., skills, resources)
- Assumed level of authorization (i.e., privilege)
Name the path through the use case after the specific security threat that the path thwarts.
Use cases are not equally applicable to all kinds of security requirements.
Misuse cases can be related to use cases by the “threatens” and “mitigates” relationships.
Misuse cases should be clearly differentiated from normal use cases on use case diagrams, possibly by use of a graphical or textual stereotype.
The user client external (human actor or application) of the use case is replaced by or augmented with a hostile misuser (e.g., cracker or disgruntled employee, computer virus, storm, earthquake) who threatens or attempts to misuse the business, application, component, or center.
The normal user-initiated interactions are replaced or augmented by the misuser-initiated attack interactions.
The required business, application, component, or center interactions and postconditions are replaced or augmented by security-oriented responses to the threat.

References

For more information about misuse cases, read:

Ian Alexander:
- “Misuse Cases, Use Cases with Hostile Intent,” OU Research Group, May 2002. IEEE Software, Volume 20, Number 1, January/February 2003, pp. 58–66.
- “Initial Industrial Experience of Misuse Cases in Trade-Off Analysis,” Proceedings of IEEE Joint International Requirements Engineering Conference, Essen, Germany, 9-13 September 2002, pp 61–68.
- “Misuse Cases Help to Elicit Nonfunctional Requirements,” REFSQ Workshop, Essen, September 2002.
- “Modelling the Interplay of Conflicting Goals with Use and Misuse Cases,” Proceedings of the Eighth International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ’02), Essen, Germany, 9th-10th September 2002, pp 145–152.
- “Requirements Engineering with Use Cases and Misuse Cases”
- “Misuse Cases”
Karen Allenby and Tim P. Kelly:
- “Deriving Safety Requirements using Scenarios,” Proceedings of the 5th IEEE International Symposium on Requirements Engineering (RE’01), Los Alamitos, California: IEEE Computer Society Press, 2001, pp. 228–235. Proceedings of the International Conference on Engineering Design (ICED’01), August 2001.
John McDermott and Chris Fox (Abuse Cases):
- “Using Abuse Case Models for Security Requirements Analysis,” Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix, Arizona, 6–10 December 1999.
- “Abuse-Case-Based Assurance Arguments,” Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, 10–14 December 2001.
- “Abuse-Case Model Template”
Guttorm Sindre and Andreas L. Opdahl:
- “Eliciting Security Requirements by Misuse Cases,” Proceedings of the 37th Technology of Object-Oriented Languages and Systems (TOOLS–37 Pacific 2000), Sydney, Australia, 20–23 November 2000, pp 120–131.
- “Templates for Misuse Case Description,” Proceedings of the Seventh International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ’2001), Interlaken, Switzerland, 4–5 June 2001.
- with Gøran F. Brevik: “Generalization/Specialization as a Structuring Mechanism for Misuse Cases,” in the Proceedings of the 2nd Symposium on Requirements Engineering for Information Security (SREIS’02), Raleigh, North Carolina, USA, 15–16 October 2002.
- “Elicitation and Specification of Security Requirements During Early RE through Misuse Cases,” a seminar given at the University of Technology at Sydney (UTS) on 23 October 2002.