CN101989230B - Method for extracting requirements and describing behaviors during software safety test based on profile division - Google Patents


Info

Publication number: CN101989230B
Authority: CN (China)
Prior art keywords: security, software, UML, activity diagram, requirements
Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Application number: CN2010105161497A
Other languages: Chinese (zh)
Other versions: CN101989230A
Inventors: 黄松, 惠战伟, 洪宇, 刘晓明, 姚奕, 胡斌, 任正平, 蒋圆圆, 郑长友, 饶莉萍, 袁利华, 刘艳云
Current assignee: PLA University of Science and Technology
Original assignee: PLA University of Science and Technology
Priority date and filing date: 2010-10-22
Publication dates: CN101989230A (application) 2011-03-23; CN101989230B (granted patent) 2012-07-04

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for extracting requirements and describing behaviour in software security testing, based on profile partitioning. The method comprises four steps: first, create a unified modeling language (UML) use case diagram and a UML activity diagram; second, extract the security functional requirements from the UML use case diagram and the UML activity diagram; third, create a software security sequence activity diagram; and fourth, create software test cases. With this method the software is analysed at the two levels of the UML use case diagram and the UML activity diagram, and the security functional test requirements are extracted and expressed with a formal method that is simple and clear; even when no specific security requirements have been extracted from the software, testers can produce complete, standardized and effective security functional test requirements through standardized classification tables.

Description

Software security test requirement extraction and behaviour description method based on profile partitioning
Technical field
The present invention relates to software security testing, and in particular to a method for extracting software security functional test requirements and describing the corresponding behaviour, based on profile partitioning.
Background
With the development of computer technology, software products are used in more and more fields, but software security incidents keep occurring and cause harm and losses that cannot be estimated. According to statistics from the CERT Coordination Center (CERT/CC, Computer Emergency Readiness Team Coordination Center) in the United States, from 1998 to 2002 the number of software security incidents increased by 2099%, an average of 116% per year, and in 2008 alone more than 8000 security flaws were discovered and announced.
There are two main approaches to solving software security problems: model verification and software testing. At present, software testing is recognized as the most effective and feasible approach to computer software security problems. Within software security testing, security functional testing is one of the effective methods for finding software security defects. In practice, however, security functional testing mostly adopts traditional functional testing methods, and the extraction of security functional test requirements has unclear targets, a non-standard extraction process, and incomplete extracted content.
The reasons for these problems in extracting security functional test requirements are mainly the following two:
A. The security requirements defined by the software itself are unclear. Most software only describes its security objectives vaguely in documentation and has no concrete, detailed definition of its security requirements; that is, its security objectives were not fully considered during design and development. Without clear security requirements, it is naturally hard to extract clear security test requirements.
B. There is no standard method for extracting security functional test requirements. Different testers extract these requirements in different ways, focusing on documentation, on the software product, or on experience. There is no unified extraction standard, and no standard guides the extraction of requirements in a uniform way.
The profile concept was proposed by Musa in his article "Operational Profile in Software-Reliability Engineering" as a means of obtaining, describing and refining reliability test scenarios. Obtaining and describing software security functional test requirements fits this idea of layer-by-layer partitioning, but it has not yet been applied in practice.
Summary of the invention
Goal of the invention: in order to overcome the deficiency that exists in the prior art; The present invention provides a kind of software security functional test demand of dividing based on section to extract and the behavior description method, adopts a kind ofly with the three-decker of illustration-activity diagram-sequential chart software security functional test demand to be carried out layering extraction and description based on UML.
Technical scheme: for realizing above-mentioned purpose, the technical scheme that the present invention adopts is:
A kind of software security testing requirement of dividing based on section is extracted and the behavior description method, comprises the steps:
(1) creates UML with illustration and activity diagram;
(2) set up the security functions testing requirement according to UML with illustration and activity diagram, set up the security functions testing requirement and comprise the steps:
(2-1) confirm the assets of UML, analyze the content that needs protection with illustration and activity diagram;
(2-2) according to each assets, the STRIDE model is adopted in the identification that impends, and analysis maybe be to the hurtful unscheduled event reason of assets;
(2-3) according to each threat, set up the security mechanism tabulation;
(2-4) according to the security mechanism tabulation, corresponding " infotech safety evaluation Common Criteria " extracts the security functions testing requirement;
(3) the security mechanisms set and the security functions testing requirement that obtain according to step (2) are created software security sequential behavior figure;
(4) create software test case according to software security sequential behavior figure.
In step (1), the UML use case diagram is built first, and the activity diagram is then built from it. The UML use case diagram is the main means of capturing application requirements and the main method of functional requirements analysis; it describes the system from the viewpoint of the various use cases that a user of the system can perform. A system function normally needs at least one use case to describe it, so the set of use cases is the complete functionality of the system, and software testing is precisely verifying that the system satisfies its requirements, i.e. this set of use cases. The use case diagram is used to model each functional module of the software under test, which lays the foundation for decomposing the system with activity diagrams.
Use cases express the functional requirements of the software. To refine a use case further, the basic flow, the exceptional flows and the other flows executed by the system must be obtained; these flows are the main and secondary execution scenarios when the system handles a client request, and an activity diagram describes them intuitively and conveniently.
Each use case is modelled dynamically with an activity diagram, which forms the first layer of decomposition of the application; deeper activity diagrams can then be created for action nodes of that activity diagram as needed, and iterating this decomposes the whole software system layer by layer. The main goal of building activity diagrams, however, is to study the composition of the system and to obtain its resources, boundary information and data flows, not to determine how the software works, and the decomposition must be carried out around this goal. Once the goal is met, the decomposition should not go too deep, since that makes the activity diagrams too complex and hard to analyse in the next step.
The processes of creating the UML use case diagram and the activity diagram both include identifying assets, identifying threats and determining security mechanisms; the difference is the object of analysis. For example, the object analysed in the use case diagram is the login use case, while the object analysed in the activity diagram is the "verify user information" activity within the login use case.
In computing, an asset is anything of value to the user, including computer hardware, communication facilities, databases, document information, software, information services and personnel. In software security testing, assets mainly refer to the software system and its related data and information, i.e. what needs protecting from the software security point of view. To identify assets, the tester extracts the basic assets of the system from its UML use case diagram and activity diagram: in the use case diagram the assets mainly include the actors, the use cases and the data flow information of the use cases; in the activity diagram they mainly include databases, document information, data and activities.
A threat is a potential cause of an unplanned event that could harm an asset. During threat identification the tester analyses and identifies the threats an asset may face according to the STRIDE model, which comprises the following six threat types:
Spoofing: an attacker impersonates another user to access the system, or a malicious server impersonates a legitimate server. The most common example is a malicious user impersonating a legitimate user to gain unauthorized access to the software system.
Tampering: a malicious user modifies system data. For example, a user modifies system data without authorization, or modifies his own personal data by illegitimate means.
Repudiation: a user denies having performed an activity, and the system has no way to prove that he did. For example, a user performs an illegal operation in the system, but the system lacks logs and therefore cannot prove that the user performed it.
Information disclosure: information internal to the system is exposed to unauthorized users. For example, a user can access a file he should not have the right to access.
Denial of service: the system refuses service requests from legitimate users. For example, the system cannot be accessed at all.
Elevation of privilege: a user obtains greater system privileges by illegitimate means and can then damage or even destroy the whole system.
A security mechanism is the corresponding method of mitigating each threat identified in the threat identification process. Corresponding to the STRIDE model, the security mechanisms that mitigate the various threats are summarized in Table 1.
Table 1 (threat to security mechanism mapping; present only as an image in the original and not transcribed here. The embodiment below states that in this table denial of service is associated mainly with access control mechanisms, and spoofing with only one mechanism, the authentication mechanism.)
The "Common Criteria for Information Technology Security Evaluation" (CC for short) is the basic standard for evaluating system security. The CC defines 11 recognized security functional requirement classes (in CC Part 2: FAU security audit, FCO communication, FCS cryptographic support, FDP user data protection, FIA identification and authentication, FMT security management, FPR privacy, FPT protection of the TSF, FRU resource utilisation, FTA TOE access, FTP trusted path/channels), each of which contains families. These security functional requirements are the standard way of expressing software security requirements and are also the basis for extracting software security functional requirements. Against the 11 CC security functional classes, a correspondence table between security mechanisms and CC security functional requirements can be established as in Table 2.
Table 2 (security mechanism to CC class mapping; present only as an image in the original and not transcribed here. The embodiment below states that in this table access control mechanisms correspond to the three classes Identification and authentication, User data protection and Resource utilisation, and authentication mechanisms to Identification and authentication.)
Through Tables 1 and 2 the CC security functional requirement corresponding to each threat can be found easily; checking the families of that requirement class then yields the security functional requirements the software needs.
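The extraction pipeline of step (2), steps (2-2) to (2-4), carried through in Python as an added example; this is not code from the patent or its authors. Tables 1 and 2 exist only as images on the page, so the two mapping dictionaries are assumptions: the rows the embodiment states (denial of service -> access control -> FIA, FDP, FRU; spoofing -> authentication -> FIA) are used as given, and the remaining STRIDE rows follow the conventional STRIDE-to-property pairing. The CC class and FIA family names are those of CC Part 2.

```python
"""Threat -> security mechanism -> Common Criteria class extraction (step 2).

Added example, not the patent's code. THREAT_TO_MECHANISM and MECHANISM_TO_CC
are assumed reconstructions of the patent's Tables 1 and 2 (images only).
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"


# Table 1 (assumed reconstruction): threat -> mitigating security mechanisms.
THREAT_TO_MECHANISM: dict[Stride, list[str]] = {
    Stride.SPOOFING: ["authentication"],
    Stride.TAMPERING: ["integrity protection"],
    Stride.REPUDIATION: ["audit logging"],
    Stride.INFORMATION_DISCLOSURE: ["encryption", "access control"],
    Stride.DENIAL_OF_SERVICE: ["access control"],
    Stride.ELEVATION_OF_PRIVILEGE: ["authorization"],
}

# Table 2 (assumed reconstruction): mechanism -> CC Part 2 functional classes.
MECHANISM_TO_CC: dict[str, list[str]] = {
    "authentication": ["FIA"],
    "access control": ["FIA", "FDP", "FRU"],
    "integrity protection": ["FDP", "FPT"],
    "audit logging": ["FAU", "FCO"],
    "encryption": ["FCS", "FDP"],
    "authorization": ["FDP", "FMT"],
}

# The 11 CC Part 2 functional classes and the six families of class FIA.
CC_CLASSES = {
    "FAU": "Security audit", "FCO": "Communication", "FCS": "Cryptographic support",
    "FDP": "User data protection", "FIA": "Identification and authentication",
    "FMT": "Security management", "FPR": "Privacy", "FPT": "Protection of the TSF",
    "FRU": "Resource utilisation", "FTA": "TOE access", "FTP": "Trusted path/channels",
}
FIA_FAMILIES = {
    "FIA_AFL": "Authentication failures", "FIA_ATD": "User attribute definition",
    "FIA_SOS": "Specification of secrets", "FIA_UAU": "User authentication",
    "FIA_UID": "User identification", "FIA_USB": "User-subject binding",
}


@dataclass(frozen=True)
class Asset:
    level: str                  # "use case" or "activity": the two profile layers
    name: str
    threats: tuple[Stride, ...]  # result of the STRIDE pass, step (2-2)


@dataclass(frozen=True)
class Requirement:
    """One traceable row: asset -> threat -> mechanism -> CC class."""
    asset: str
    threat: Stride
    mechanism: str
    cc_class: str


def extract_requirements(assets: list[Asset]) -> list[Requirement]:
    """Steps (2-3) and (2-4): expand every threat through Table 1 and Table 2."""
    reqs: list[Requirement] = []
    for asset in assets:
        for threat in asset.threats:
            for mech in THREAT_TO_MECHANISM[threat]:
                for cc in MECHANISM_TO_CC[mech]:
                    if cc not in CC_CLASSES:
                        raise ValueError(f"unknown CC class {cc}")
                    reqs.append(Requirement(asset.name, threat, mech, cc))
    return reqs


def cc_classes_for(asset_name: str, reqs: list[Requirement]) -> set[str]:
    """The CC classes a tester must open to find the families for one asset."""
    return {r.cc_class for r in reqs if r.asset == asset_name}


def login_assets() -> list[Asset]:
    """The patent's worked example: DoS at use-case level, spoofing at activity level."""
    return [
        Asset("use case", "login system", (Stride.DENIAL_OF_SERVICE,)),
        Asset("activity", "respond to request", (Stride.SPOOFING,)),
    ]


if __name__ == "__main__":
    for r in extract_requirements(login_assets()):
        print(f"{r.asset:20} {r.threat.value:24} {r.mechanism:20} {r.cc_class} ({CC_CLASSES[r.cc_class]})")
```

Because the mapping is data, a review of the tester's threat list reduces to diffing two dictionaries against the organisation's agreed Table 1 and Table 2; the family selection inside a class (for example FIA_AFL and FIA_SOS for the login activity) is still a manual reading of the activity diagram, as the patent describes.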
From the set of security mechanisms and the security functional test requirements, the sequence scenario analysis can be carried out. The method of creating the security mechanism sequence diagram for an asset at the higher-level UML use case is the same as that for the activity diagram at the next level; only the functions of the two kinds of security mechanism differ.
Because the sequence diagram describes the sequential operation of the security function under test in detail and completely, it can also be regarded as a formal description of the security functional test requirement. Generating test cases automatically from this sequence diagram therefore realizes the automatic conversion of security functional test requirements into security functional test cases. There is already considerable research on automatic test case generation from UML sequence diagrams, and its results are mature.
Beneficial effects: the method provided by the invention analyses the software at the two levels of the UML use case diagram and the activity diagram, extracts the security functional test requirements, and finally expresses them with a formal method; the method is simple and clear, and through standardized classification tables it ensures that even when the software has not stated clear security requirements, the tester can still produce complete, standard and effective security functional test requirements.
Brief description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the UML use case diagram of the login process;
Fig. 3 is the activity diagram of the login process;
Fig. 4 is the sequence scenario diagram of the identity authentication mechanism;
Fig. 5 is the sequence scenario diagram of the three-failed-logins restriction.
Embodiment
The present invention is further explained below with reference to the drawings.
Fig. 1 shows the flow chart of the software security test requirement extraction and behaviour description method based on profile partitioning. To explain the extraction and description of security functional test requirements in detail and clearly, this example uses a simplified library system. After logging in, a user of this system can perform user management, information collection, upload, retrieval and similar operations.
Step 1: creating the UML use case diagram and activity diagram
Creating the UML use case diagram: the use case diagram in Fig. 2 is drawn from the software's functions; this example explains it using the user login use case.
Creating the activity diagram: the activity diagram is built from the use case diagram, considering the security requirements in light of the software as actually developed. In this example, the software's login process requires the user to enter a user name and password, and implements the login control and identification security functions by checking whether the user name is valid and whether the password matches the user name.
Step 2: extracting the security functional test requirements from the UML use case diagram and activity diagram
Analysis at the use case diagram level:
Identifying assets: in computing, an asset is anything of value to the user, including computer hardware, communication facilities, databases, document information, software, information services and personnel, all of which must be protected. Here, assets mainly refer to the software system and its related data and information.
The main assets in the use case diagram are: the login system, the management system, information collection, information upload and retrieval. Taking the login system as the example, Tables 3 and 4 show the assets the login use case needs to protect.
Table 3
Actor    Description
User     The main customer of this system, who performs the login activity.
Table 4
Use case        Description
Login system    The user submits authentication information and logs in to the system.
Threat identification: taking "login system" and analysing it with the STRIDE model, in the whole login process, whether the login succeeds or not, the system does not touch any user data related to "user identity" or any service. So at this level of the example the five threats tampering, repudiation, information disclosure, spoofing and elevation of privilege are not applicable (spoofing is picked up at the activity diagram level below), and the main threat the user's "login system" use case faces is denial of service: a malicious user opens many concurrent malicious connections to the system, occupying the login resources so that other legitimate users cannot log in correctly.
Determining the security mechanism list: from Table 1, the security mechanism mainly associated with the denial of service threat is the access control mechanism.
Determining the security functional requirements: from Table 2, access control mechanisms correspond to three CC security functional classes: "Identification and authentication", "User data protection" and "Resource utilisation".
Once the CC security functional class has been obtained, the class can be decomposed into its families according to the existing CC standard, which facilitates establishing the sequence scenarios. For example, consulting the CC for the "Identification and authentication" class gives the families it contains and the corresponding security policies.
Analysis at the activity diagram level:
Identifying assets: in the asset identification process, the assets to be protected can be determined separately for each use case in the UML use case diagram and each activity in the activity diagram, and they are of different types. For ease of explanation, this example only analyses the "login" use case and the "password validity check" activity further. Security analysis of the "login" use case and the "password validity check" activity shows that the user's identity is the system's target, login password authentication is the means of verifying the user's identity, and "user identity" is the asset to be protected.
Considering the above, the general data flows and activities of the login process obtained from the software and the UML use case diagram are shown in Tables 5 and 6.
Table 5
Data flow              Description
Login information      The authentication information submitted when the user logs in.
Authentication data    The user's identity authentication data.
Personal data          The user's personal data.
Table 6
Activity              Description
Access system         The user submits authentication information and logs in to the system.
Respond to request    The system responds to the user's request and performs identity authentication.
Allow login           The user's identity is verified as legitimate and login is allowed.
Refuse login          User identity verification fails and login is refused.
Exit                  The user logs out.
From the information in Tables 5 and 6 the login activity diagram in Fig. 3 can be drawn, describing all possible activities in the login process and the relations between them.
Threat identification: analysing the assets of the above login process with the STRIDE model, the main activity of the system that may face a threat is "respond to request". According to STRIDE, the main threat this activity faces is spoofing, i.e. a malicious user impersonates another user to log in by illegitimate means.
Determining the security mechanism list: from Table 1, "spoofing" corresponds to only one security mechanism, the authentication mechanism.
Determining the security functional requirements: from the "Common Criteria for Information Technology Security Evaluation", the CC security functional class corresponding to the authentication mechanism is Identification and authentication (FIA). This class contains six families, and for an activity inside the login process at the configuration-item level not all of them need to be considered.
According to Fig. 3, the login process only needs the two families Authentication failures (FIA_AFL) and Specification of secrets (FIA_SOS). The security functional requirements of the login process obtained in this way are shown in Table 7.
Table 7 (the table body is not reproduced on the page; its content, as restated in the text, is the following three requirements)
Whether the system uses a complex password policy.
Whether the system has a mechanism to lock the account when the number of incorrect inputs reaches a certain threshold.
Whether the system gives specific error messages on incorrect input.
Step 3: creating the software security sequence behaviour diagram from the set of security mechanisms
From the threat analysis of the use case diagram and activity diagram, the corresponding security functional requirements are obtained. At this point the description of the functional requirements is detailed enough that the corresponding sequence behaviour scenarios can be created; this example uses the requirement "lock the account when the number of incorrect inputs reaches a certain threshold". Fig. 4 is the sequence scenario diagram of the identity authentication mechanism and Fig. 5 is the sequence scenario diagram of the three-failed-logins restriction. In this step, different security policies may produce different sequence scenarios, for example a policy that disallows further login attempts for 10 minutes after four failed logins; but all of these satisfy the requirement "lock the account when the number of incorrect inputs reaches a certain threshold".
Step 4: creating software test cases from the software security sequence behaviour diagram
Because the sequence diagram obtained in this example can be regarded as a formal description of the security functional test requirement of the software under test, the test cases generated from it are in fact the security functional test cases.
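Steps 3 and 4 carried through in code, as an added example that is not the patent's own: a login service implementing the "lock the account after three failed logins" sequence scenario of Fig. 5, and the test steps derived from that scenario. The library system, its accounts, the PBKDF2 password storage and the ten-minute lock duration are assumptions (the page gives three failures, and mentions a ten-minute restriction after four failures as an alternative policy). The service answers an unknown user name and a wrong password with the same message, so the third requirement in Table 7 is tested as "error messages must not be specific", which is the practitioner's reading of that item: a message that distinguishes the two cases lets an attacker enumerate valid user names.

```python
"""Lockout sequence scenario (Fig. 5) and the test cases derived from it.

Added example, not the patent's code. Thresholds: MAX_FAILURES follows the
page's "three failed logins"; LOCK_SECONDS (10 minutes) is an assumption.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_FAILURES = 3
LOCK_SECONDS = 600
GENERIC_FAILURE = "invalid user name or password"   # same text for both causes
LOCKED = "account is locked"
ALLOWED = "login allowed"
PBKDF2_ITERATIONS = 100_000


def password_is_complex(password: str) -> bool:
    """FIA_SOS-style secret quality check: length plus three character classes."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0     # absolute time; 0 means not locked


class LoginService:
    """The 'respond to request' activity with the FIA_AFL lockout added."""

    def __init__(self, max_failures: int = MAX_FAILURES, lock_seconds: int = LOCK_SECONDS):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.accounts: dict[str, Account] = {}
        # Dummy credential so an unknown user costs the same hash work as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("dummy", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        if not password_is_complex(password):
            raise ValueError("password does not satisfy the complexity policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt))

    def login(self, username: str, password: str, now: float) -> tuple[bool, str]:
        """now is injected (seconds) so the lock expiry can be tested deterministically."""
        acct = self.accounts.get(username)
        if acct is None:
            hmac.compare_digest(_hash(password, self._dummy_salt), self._dummy_hash)
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            return False, LOCKED            # a correct password is rejected while locked
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, ALLOWED
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lock_seconds
            return False, LOCKED
        return False, GENERIC_FAILURE


def scenario_steps(max_failures: int = MAX_FAILURES, lock_seconds: int = LOCK_SECONDS):
    """Test case derived from the sequence scenario: (time, correct_pw?, expect_ok, expect_msg)."""
    steps = [(0.0, False, False, GENERIC_FAILURE)] * (max_failures - 1)
    steps.append((0.0, False, False, LOCKED))                  # N-th failure trips the lock
    steps.append((1.0, True, False, LOCKED))                   # right password, still locked
    steps.append((lock_seconds + 1.0, True, True, ALLOWED))    # lock expired
    return steps


def run_scenario(service: LoginService, username: str, good_password: str, steps) -> list[bool]:
    """Execute each step against the service; True where observed == expected."""
    results = []
    for at, use_good, exp_ok, exp_msg in steps:
        pw = good_password if use_good else good_password + "x"
        ok, msg = service.login(username, pw, now=at)
        results.append(ok == exp_ok and msg == exp_msg)
    return results


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "Str0ngPassw0rd")      # constructed account
    print(run_scenario(svc, "alice", "Str0ngPassw0rd", scenario_steps()))
```

The four-failures/ten-minutes policy the page mentions is the same scenario with `LoginService(max_failures=4)`; `scenario_steps(4)` regenerates the test case, which is what "different security policies, same requirement" means in step 3.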
The above is only a preferred embodiment of the invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (1)

1. A software security test requirement extraction and behaviour description method based on profile partitioning, characterized in that the method comprises the following steps:
(1) create a UML use case diagram and activity diagram;
(2) establish the security functional test requirements from the UML use case diagram and activity diagram, which comprises the following steps:
(2-1) identify the assets in the UML use case diagram and activity diagram, i.e. analyse what needs to be protected;
(2-2) for each asset, identify threats using the STRIDE model, analysing the potential causes of unplanned events that could harm the asset;
(2-3) for each threat, establish the list of security mechanisms;
(2-4) from the list of security mechanisms, extract the security functional test requirements by reference to the "Common Criteria for Information Technology Security Evaluation";
(3) create a software security sequence behaviour diagram from the list of security mechanisms and the security functional test requirements obtained in step (2);
(4) create software test cases from the software security sequence behaviour diagram.
Priority application: CN2010105161497A, filed 2010-10-22 (priority date 2010-10-22), status Active; title "Method for extracting requirements and describing behaviors during software safety test based on profile division".

Publications (2)
CN101989230A (application), published 2011-03-23
CN101989230B (granted patent), published 2012-07-04

Family ID: 43745772
Country: CN

Families citing this family (2)
(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
CN109683854A * | 2018-12-21 | 2019-04-26 | 北京国舜科技股份有限公司 | A software security requirement analysis method and system
CN111309368B * | 2020-03-12 | 2023-05-16 | 超越科技股份有限公司 | Method, system, device and readable storage medium for developing information management based on a B/S framework

Citations (2)
(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
CN1866206A * | 2005-03-30 | 2006-11-22 | Siemens Corporate Research | Generating performance tests from UML specifications using Markov chains
CN101625641A * | 2009-08-05 | 2010-01-13 | Tianjin University | Trusted software development method based on security defect knowledge base

Family cites families (1)
(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
US20090282289A1 * | 2008-05-06 | 2009-11-12 | Microsoft Corporation | Generation and evaluation of test cases for software validation and proofs



Legal Events

Code    Event
C06     Publication
PB01    Publication
C10     Entry into substantive examination
SE01    Entry into force of request for substantive examination
C14     Grant of patent or utility model
GR01    Patent grant