KR20220068877A - Model-Driven Security Framework for Security System Design and Verification - Google Patents

Abstract

According to some embodiments of the present disclosure, disclosed is a method for designing and verifying a security system by using a model-based security framework performed by a processor of a computing device. The method may comprise: a threat modeling step for deriving a security requirement of a system to be designed; a design modeling step for generating a design model based on the security requirement and verifying the design model; and an implementation modeling step for generating an implementation model based on the design model and verifying the implementation model.

Description

Model-Driven Security Framework for Security System Design and Verification

The present disclosure relates to a method for verifying whether a security system is properly designed and implemented according to security requirements when developing a security system, and is applied to a framework that can be verified by combining threat modeling, design modeling, and implementation modeling based on a model for a security system. it's about Specifically, the present disclosure relates to a method for developing a trusted system by verifying a design and implementation model of a security system through a model-based security framework for formal specification and verification.

With the development of IT systems, security problems in information systems can cause serious financial loss or human damage, so the interest in security is increasing. Some of these security problems are caused by poor design. Most of the systems are not designed properly with security functions and are implemented depending on secure coding or mock hacking at the end of development. However, according to the results of a study on the cost of fixing defects at each stage of the IBM System Science Institute in FIG. 1, when a problem is identified and fixed in the early stage of the security system development life cycle, it is about 100 more than when the problem is corrected at the completion of development. It is said that the security function should be considered from the requirements analysis and design stage, which is the initial stage of development, because it can reduce the cost of the ship.

After considering the security function in the design stage, the accuracy from the design to the implementation stage must be satisfied in order to verify that the designed security function is properly implemented and operated. is proceeding with

Republic of Korea Patent Publication No. 10-1203879

The present disclosure has been devised in response to the above-described background technology, and is intended to provide a model-based security framework for designing and verifying a security system. The present disclosure may consider various security threats that may occur in a system in order to increase the level of a product from the initial stage of development.

Specifically, since the system is implemented through the designed model, the accuracy between the design model and the implementation must be verified through verification of the security function requirements, design, and implementation model. In addition, even if the design of the security function is properly performed, if the design details are not properly reflected in the later stage, a potential threat may occur in the implementation stage and the cost incurred to correct the defect increases.

Therefore, a model-based security frame for designing and verifying a security system that can reduce the cost of fixing defects and improve security through accuracy verification from the creation and verification of the design model for requirements to the verification of the implementation model The purpose is to provide work.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

According to some embodiments of the present disclosure for solving the above-described problems, a method for confirming whether a security system is properly designed and implemented according to security requirements may be provided when developing a security system.

Specifically, the present disclosure can provide a framework that can be verified by combining threat modeling, design modeling, and implementation modeling based on a model for a security system.

In addition, the present disclosure may provide a method for developing a reliable system by verifying a design and implementation model of a security system through a model-based security framework for formal specification and verification.

According to some embodiments of the present disclosure for solving the above-described problems, a method of designing and verifying a security system using a model-based security framework performed by a processor of a computing device is disclosed. The method includes: a threat modeling step for deriving security requirements of a design target system; a design modeling step for generating a design model based on the security requirements and verifying the design model; and an implementation modeling step for generating an implementation model based on the design model and verifying the implementation model.

In addition, the threat modeling step, based on the functional requirements of the design target system, the step of recognizing an important asset requiring security; generating, based on the structure of the design target system, a data flow diagram based on major components; generating an attack library related to vulnerabilities of the design target system and attack methods for the design target system based on a plurality of data; recognizing an expected threat that may be generated in the design target system based on preset security attributes; generating an attack tree based on an identified threat generated by applying the predicted threat to the data flow chart and the attack library; and generating a security checklist using the attack tree and the threat list derived through the data flow diagram and the attack library, and deriving the security requirements corresponding to the security checklist.

In addition, the design modeling step, using a standardized modeling language, generating a design model corresponding to the security requirements; and verifying the accuracy of whether there is a contradiction between the design model and the security requirements by using a formal language.

In addition, the implementation modeling step, based on the design model, generating a source code; converting the source code into a verification modeling language to generate an implementation model; and performing formal verification on the implementation model using a model checker.

In addition, the important asset may be pre-stored in a memory in response to characteristics and functions of the design target system, or may be determined based on a user input.

Also, the data flow chart may include information on each of a plurality of functions provided by the design target system and information on data transmitted/received between the plurality of functions.

In addition, the attack tree includes information on the final attack target, the final attack target is disposed at the highest node of the attack tree, and at least one lower node related to the final attack target is located at at least one lower node associated with the highest node. Threats can be deployed.

The technical solutions obtainable in the present disclosure are not limited to the above-mentioned solutions, and other solutions not mentioned are clearly to those of ordinary skill in the art to which the present disclosure belongs from the description below. can be understood

The present disclosure can provide convenience to users of the framework by using open tools such as UML and OCL, Promela, and SPIN model checkers in the design and implementation stages.

In addition, the present disclosure improves the security of products by considering security functions in the early stages of development through systematic design and verification of security systems through a model-based security framework using threat modeling and formal specification and verification techniques, and Costs incurred during development can be reduced.

In addition, the present disclosure can help develop a reliable security system through a systematic framework for formal specification and verification techniques.

Effects obtainable in the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those of ordinary skill in the art to which the present disclosure belongs from the description below. .

Various aspects are now described with reference to the drawings, wherein like reference numbers are used to refer to like elements throughout. In the following example, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It will be evident, however, that such aspect(s) may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more aspects.
1 is a graph of the results of a study on the cost incurred in step-by-step defect correction.
2 is a block diagram of a computing device related to a model-based security framework for designing and verifying a security system of the present disclosure.
FIG. 3 is a view for explaining a method for confirming whether a security system is properly designed and implemented according to security requirements when developing a security system according to some embodiments of the present disclosure.
4 is a diagram for explaining an example of a data flow chart according to some embodiments of the present disclosure.
5 is a diagram for explaining an example of an attack tree according to some embodiments of the present disclosure.
6 depicts a general schematic diagram of an exemplary computing environment in which embodiments of the present disclosure may be implemented.

Various embodiments and/or aspects are now disclosed with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth to provide a thorough understanding of one or more aspects. However, it will also be appreciated by one of ordinary skill in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings set forth in detail certain illustrative aspects of one or more aspects. These aspects are illustrative, however, and some of various methods may be employed in the principles of the various aspects, and the descriptions set forth are intended to include all such aspects and their equivalents. Specifically, as used herein, “embodiment”, “example”, “aspect”, “exemplary”, etc. are not to be construed as advantageous or advantageous over any aspect or design described herein. It may not be.

Hereinafter, the same or similar components are assigned the same reference numerals regardless of reference numerals, and overlapping descriptions thereof will be omitted. In addition, in describing the embodiments disclosed in the present specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in the present specification, the detailed description thereof will be omitted. In addition, the accompanying drawings are only for easy understanding of the embodiments disclosed in the present specification, and the technical ideas disclosed in the present specification are not limited by the accompanying drawings.

Although the first, second, etc. are used to describe various elements or elements, these elements or elements are not limited by these terms, of course. These terms are only used to distinguish one element or component from another. Accordingly, it goes without saying that the first element or component mentioned below may be the second element or component within the spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly defined in particular.

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless otherwise specified or clear from context, "X employs A or B" is intended to mean one of the natural implicit substitutions. That is, X employs A; X employs B; or when X employs both A and B, "X employs A or B" may apply to either of these cases. It should also be understood that the term “and/or” as used herein refers to and includes all possible combinations of one or more of the listed related items.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements, and/or groups thereof. should be understood as not Also, unless otherwise specified or unless it is clear from context to refer to a singular form, the singular in the specification and claims should generally be construed to mean “one or more”.

In addition, as used herein, the terms “information” and “data” can often be used interchangeably.

When a component is referred to as being “connected” or “connected” to another component, it is understood that it may be directly connected or connected to the other component, but other components may exist in between. it should be On the other hand, when it is said that a certain element is "directly connected" or "directly connected" to another element, it should be understood that there is no other element present in the middle.

The suffixes “module” and “part” for components used in the following description are given or mixed in consideration of only the ease of writing the specification, and do not have distinct meanings or roles by themselves.

Objects and effects of the present disclosure, and technical configurations for achieving them will become clear with reference to the embodiments described below in detail in conjunction with the accompanying drawings. In describing the present disclosure, if it is determined that a detailed description of a well-known function or configuration may unnecessarily obscure the subject matter of the present disclosure, the detailed description thereof will be omitted. In addition, the terms described below are terms defined in consideration of functions in the present disclosure, which may vary according to intentions or customs of users and operators.

However, the present disclosure is not limited to the embodiments disclosed below and may be implemented in various different forms. Only the present embodiments are provided so that the present disclosure is complete, and to fully inform those of ordinary skill in the art to which the present disclosure belongs, the scope of the disclosure, and the present disclosure is only defined by the scope of the claims . Therefore, the definition should be made based on the content throughout this specification.

2 is a block diagram of a server related to a model-based security framework for designing and verifying a security system of the present disclosure.

Referring to FIG. 2 , the computing device 100 may include a processor 110 , a communication unit 120 , and a memory 130 . However, since the above-described components are not essential in implementing the computing device 100 , the computing device 100 may have more or fewer components than those listed above.

Computing apparatus 100 may include any type of computer system or computer device, such as, for example, microprocessors, mainframe computers, digital processors, portable devices and device controllers, and the like. However, the present invention is not limited thereto.

The processor 110 of the computing device 100 typically controls the overall operation of the computing device 100 . The processor 110 processes signals, data, information, etc. input or output through components included in the computing device 100 or drives an application program stored in the memory 130 to provide appropriate information or functions to the user. or can be dealt with.

In addition, the processor 110 may control at least some of the components of the computing device 100 in order to drive an application program stored in the memory 130 . Furthermore, the processor 110 may operate by combining at least two or more of the components included in the computing device 100 to drive the application program.

The communication unit 120 of the computing device 100 may include one or more modules that enable communication between the computing device 100 and the user terminal and between the computing device 100 and external servers. Also, the communication unit 120 may include one or more modules for connecting the computing device 100 to one or more networks.

A network connecting the communication between the computing device 100 and the user terminal and between the computing device 100 and external servers is a Public Switched Telephone Network (PSTN), x Digital Subscriber Line (xDSL), and Rate (RADSL). Various wired communication systems such as adaptive DSL), MDSL (Multi Rate DSL), VDSL (Very High Speed DSL), UADSL (Universal Asymmetric DSL), HDSL (High Bit Rate DSL) and local area network (LAN), etc. can be used.

In addition, the network 600 presented here is CDMA (Code Division Multi Access), TDMA (Time Division Multi Access), FDMA (Frequency Division Multi Access), OFDMA (Orthogonal Frequency Division Multi Access), SC-FDMA (Single Carrier-) A variety of wireless communication systems may be used, such as FDMA) and other systems.

The network according to the embodiments of the present disclosure may be configured regardless of its communication mode, such as wired and wireless, and is composed of various communication networks such as a local area network (LAN) and a wide area network (WAN). can be In addition, the network may be a well-known World Wide Web (WWW), and may use a wireless transmission technology used for short-range communication such as Infrared Data Association (IrDA) or Bluetooth.

The techniques described herein may be used in the networks mentioned above, as well as in other networks.

The memory 130 of the computing device 100 may store a program for the operation of the processor 110 , and may temporarily or permanently store input/output data. The memory 130 may include a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (eg, SD or XD memory, etc.), RAM (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, magnetic It may include at least one type of storage medium among disks and optical disks. The memory 130 may be operated under the control of the processor 110 .

According to the software implementation, embodiments such as the procedures and functions described in this specification may be implemented as separate software modules. Each of the software modules may perform one or more functions and operations described herein. The software code may be implemented as a software application written in a suitable programming language. The software code may be stored in the memory 130 of the computing device 100 and executed by the processor 110 of the computing device 100 .

Computing device 100 according to some embodiments of the present disclosure is based on a model-based security framework for designing and verifying a security system, related to a method for checking whether a security system is properly designed and implemented according to security requirements when developing a security system actions can be performed.

Specifically, the computing device 100 of the present disclosure may verify the design and implementation model of the security system through a model-based security framework consisting of a requirements analysis step, a design step, and an implementation step.

More specifically, according to some embodiments of the present disclosure, the security system designer (the computing device 100 or the terminal (not shown)) performs threat modeling for the security system in order to derive security function requirements necessary for design modeling. carry out In order for a designer to perform threat modeling, functional requirements for the system are required. Based on the functional requirements, the designer identifies the assets that should not be tampered with or leaked by malicious users within the system. Here, asset identification is a step of identifying important assets of data to be protected within the analysis target.

After asset identification is completed, the designer builds an attack library by securing vulnerabilities found in the system to be analyzed in order to refine and identify security threats. Here, the attack library collection is performed in the initial process of threat modeling, but since a new threat may occur after collection or a threat that has not yet been collected may exist, it is continuously performed throughout the entire process.

The designer draws a data flow chart based on the important components of the system to be analyzed based on the asset identification and attack library collection process.

It is possible for the designer to clearly understand the structure of the system to be analyzed in the process of creating a data flow diagram. Using the prepared data flow diagram and the collected attack library, the designer derives the threats that can occur in the system components themselves and the threats that can occur in the process of interaction between the components according to the STRIDE security properties. The designer sets the attack target that can be finally executed as the top node in the attack tree creation stage. The designer arranges the threats derived in the threat derivation stage as nodes in the subtree as a process and means to achieve the set final attack goal. The designer can understand the attack scenario in which the threats derived through the attack tree perform the final attack on the critical assets of the system. The designer identifies the mitigation technique to construct the kill chain for the lowest attack node of the prepared attack tree, and creates a checklist to achieve it, and finally derives the security function requirements.

The security function requirements derived by the designer using threat modeling are then used for design verification. The designer creates a design model through UML by specifying the security function requirements, and performs correctness verification on whether there is a contradiction between the design model and the security function requirements using OCL.

The designer creates the source code for the design model whose accuracy has been verified, and performs the implementation verification step of formal specification and verification. Designer performs formal specification through Promela to verify through SPIN, a model checker. After that, the designer can use SPIN to verify the implementation model, which is the source code for which the formal specification has been completed, and whether it operates according to the security function requirements to finally derive the verification results for the modeling-based design model and implementation model. have.

As described above, the model-based security framework according to some embodiments of the present disclosure includes design model generation using UML, design verification using OCL and implementation model generation using Promela, implementation model verification using SPIN model checker, You can provide convenience to users of the framework by using open tools. In addition, the model-based security framework of the present disclosure can ensure the traceability of products for each method of security design and verification.

FIG. 3 is a view for explaining a method for confirming whether a security system is properly designed and implemented according to security requirements when developing a security system according to some embodiments of the present disclosure; 4 is a diagram for explaining an example of a data flow chart according to some embodiments of the present disclosure. 5 is a diagram for explaining an example of an attack tree according to some embodiments of the present disclosure.

Referring to Figure 3, the processor 110 of the computing device 100 of the present disclosure is secured through a model-based security framework consisting of a threat modeling step (S100), a design modeling step (S200), and an implementation modeling step (S300) The design and implementation model of the system can be verified.

According to some embodiments of the present disclosure, the threat modeling step S100 may be a step for deriving security requirements of a design target system.

Specifically, the threat modeling step (S100) includes an asset identification step (S101), a data flow chart creation step (S102), an attack library collection step (S103), a preset security attribute application step (S104), an attack tree creation step (S105) And it may include a checklist derivation step (S106). However, the detailed steps described above are not essential in implementing the threat modeling step S100, so the threat modeling step S100 may have more or fewer detailed steps than the detailed steps listed above.

Threat modeling techniques are generally used to derive security functional requirements. Threat modeling is a systematic security analysis method that identifies and enumerates the assets to be analyzed, possible vulnerabilities, and potential threats, and prioritizes mitigation actions. Companies that apply the software development life cycle to consider security functions from the early stage of development need languages, processes, and tools necessary for systematic design and verification. Through threat modeling, which is mainly used in the design stage, it is possible to derive security function requirements to identify potential security threats from the system design and to mitigate them. In threat modeling, it is possible to derive requirements for security functions in the requirements analysis stage by modeling the system, identifying possible threats, and creating attack scenarios to derive mitigation measures for attack surfaces and means.

According to some embodiments of the present disclosure, the use step of threat modeling, which is a technique used in the threat modeling step ( S100 ) of the security system development life cycle, may include at least one detailed step as described above.

Specifically, the processor 110 of the computing device 100 is a data that may cause a malfunction of the design target (or analysis target) in the asset identification step (S101) of the threat modeling step (S100), related devices (hardware / software) , transmission media, systems, etc. can be identified. That is, the processor 110 may recognize important assets requiring security based on the functional requirements of the design target system. Here, the important asset may be pre-stored in the memory 130 in response to characteristics and functions of the system to be designed, or may be determined based on a user input. However, the present invention is not limited thereto.

In addition, the processor 110 of the computing device 100 may create a data flow chart based on major components through analysis of the structure of the system in the data flow chart creation step S102 of the threat modeling step S100 . That is, the processor 110 may generate a data flow chart based on major components based on the structure of the design target system.

Here, the data flow diagram may include information on each of a plurality of functions provided by the design target system and information on data transmitted/received between the plurality of functions. However, the present invention is not limited thereto.

Specifically, referring to FIG. 4 , an example of a data flow chart created by the processor 110 of the computing device 100 is illustrated.

The data flow diagram 400 may include information 402 on a plurality of functions and information 403 on data transmitted/received between the plurality of functions with the design target system 401 as the center.

For example, when the design target system 401 is a '5G security function interface', the information 402 on a plurality of functions includes information on 'key management', information on 'authentication', and 'encryption/decryption' It may include information about '. In addition, information 403 on data transmitted and received between a plurality of functions includes information on 'key management' and information on 'requested key' and 'network key', which is data transmitted and received between '5G security function interface' may include information about However, the present invention is not limited thereto.

Referring back to FIG. 3 , the processor 110 of the computing device 100 performs various data (eg, papers, conferences, technical documents, CVE (Common) Vulnerabilities and Exposures (Vulnerabilities and Exposures) and Common Weakness Enumeration (CWE), etc.) allow you to build an attack library by collecting known vulnerabilities and attack methods for the system being analyzed. That is, the processor 110 may generate an attack library related to vulnerabilities of the design target system and attack methods for the design target system based on a plurality of data.

In addition, the processor 110 of the computing device 100 may identify and classify threats that may occur in the system according to the preset security attributes in the preset security attribute application step S104 of the threat modeling step S100 . . That is, the processor 110 may recognize an expected threat that may be generated in the design target system based on the preset security attribute.

Here, the preset security attribute may include STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). However, the present invention is not limited thereto.

In addition, the processor 110 of the computing device 100 applies preset security properties to the data flow diagram in the attack tree creation step (S105) of the threat modeling step (S100) to create an attack tree based on the identified threats and attack library can write Here, the data flow diagram may be a data flow diagram generated in step S102, and the attack library may be an attack library generated in step S103.

Here, the attack tree may include information on the final attack target. In addition, a final attack target may be disposed at the highest node of the attack tree, and at least one threat related to the final attack target may be disposed at at least one lower node related to the top node. However, the present invention is not limited thereto.

Specifically, referring to FIG. 5 , an example of an attack tree created by the processor 110 of the computing device 100 is illustrated.

In the attack tree 500 , the final attack target may be arranged at the highest node 501 . For example, the final attack target included in the uppermost node 501 may be System Destruction. However, the present invention is not limited thereto.

In addition, in the attack tree 500 , at least one threat related to the final attack target may be disposed in the lower node 502 . For example, at least one threat included in the lower node 502 may include System Access and Rootkits Installation. However, the present invention is not limited thereto.

Referring back to FIG. 3 , the processor 110 of the computing device 100 compares the threat list and the created attack tree using the data flow chart and attack library in the checklist derivation step ( S106 ) of the threat modeling step ( S100 ). can be used to derive a checklist. In addition, after deriving the checklist, the processor 110 may derive a security function requirement that can satisfy the checklist.

According to some embodiments of the present disclosure, the design modeling step S200 may be a step for generating a design model based on security requirements and verifying the design model.

Specifically, the design modeling step ( S200 ) may include a design model generation step ( S201 ) through specification of requirements and an accuracy verification step ( S202 ) for the design model. However, since the detailed steps described above are not essential in implementing the design modeling step S200 , the design modeling step S200 may have more or fewer detailed steps than the detailed steps listed above.

After designing the security function, it is necessary to develop and test the security system through the security function requirements derived through design modeling.

According to some embodiments of the present disclosure, the step of using the framework for formal specification and verification of the model in the design modeling step (S200) of the security system development life cycle may include at least one detailed step as described above. .

Specifically, the processor 110 of the computing device 100 uses a standardized modeling language in the design model creation step S201 through the specification of the requirements of the design modeling step S200, and a design model corresponding to the security requirements. can create Here, the standardized modeling language may be a Unified Modeling Language (UML).

That is, the processor 110 may generate a design model for building a security system through the UML diagram by using the security function requirements.

Next, the processor 110 of the computing device 100 checks whether there is a contradiction between the design model generated using the formal language in the accuracy verification step S202 for the design model of the design modeling step S200 and the security requirements. accuracy can be verified. Here, the formal language may be an Object Constraint Language (OCL).

That is, the processor 110 may perform threat identification, consistency check, and security policy verification in the design model through OCL for the design model.

According to some embodiments of the present disclosure, the implementation modeling step ( S300 ) may be a step for generating an implementation model based on the design model and verifying the implementation model.

Specifically, the implementation modeling step (S300) may include a source code generation step (S301) for the design model, a source code formal specification step (S302), and an implementation model formalization verification step (S303) through a model checker. However, the detailed steps described above are not essential in implementing the implementation modeling step S300, so the implementation modeling step S300 may have more or fewer detailed steps than the detailed steps listed above.

Even if a security function is designed through an accurate design, unexpected defects may occur if it is not accurately reflected in the implementation stage. After verification of the design, it is also important to specify and verify that the system is properly implemented according to the verified design model. At this time, the source code is generated using the design model, converted to the Promela language, and the implementation model is verified through the SPIN model checker.

According to some embodiments of the present disclosure, the step of using the framework for formal specification and verification of the model in the implementation modeling step (S300) of the security system development life cycle may include at least one detailed step as described above. have.

Specifically, the processor 110 of the computing device 100 may generate the source code based on the design model in the source code generation step S301 for the design model of the implementation modeling step S300 .

In addition, the processor 110 of the computing device 100 may generate an implementation model by converting the source code into a verification modeling language in the source code formal specification step S302 of the implementation modeling step S300 . Here, the verification modeling language may be a Promela (Process or Protocol Meta Language) language. However, the present invention is not limited thereto.

Finally, the processor 110 of the computing device 100 may perform formal verification on the implementation model using the model checker in the implementation model formal verification step S303 through the model checker of the implementation modeling step S300. . Here, the model checker may be a Simple Promela Interpreter (SPIN) model checker. However, the present invention is not limited thereto.

According to some embodiments of the present disclosure, in the above-described design modeling step (S200) and implementation modeling step (S300), using open tools such as UML, OCL, Promela, and SPIN model checker to provide convenience to users of the framework. can

In addition, the present disclosure can consider security functions in the early stages of development through systematic design and verification of security systems through a model-based security framework using threat modeling and formal specification and verification techniques. In this case, the security of the product can be improved, and the development cost can be reduced. Specifically, referring to the graph of the cost study results for step-by-step defect correction shown in FIG. 3 , when a problem is identified and corrected in the early stage of the security system development life cycle, the cost is about 100 times higher than when the problem is corrected after the development is completed. can save

In addition, the present disclosure can help develop a reliable security system through a systematic framework for formal specification and verification techniques.

6 depicts a general schematic diagram of an example computing environment in which embodiments of the present disclosure may be implemented.

Although the present disclosure has been described above generally in the context of computer-executable instructions that may be executed on one or more computers, those skilled in the art will appreciate that the present disclosure may be implemented as a combination of hardware and software and/or in combination with other program modules. you will know

Generally, modules herein include routines, procedures, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In addition, those skilled in the art will appreciate that the methods of the present disclosure can be applied to single-processor or multiprocessor computer systems, minicomputers, mainframe computers as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, etc. (each of which is It will be appreciated that other computer system configurations may be implemented, including those that may operate in connection with one or more associated devices.

The described embodiments of the present disclosure may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. Media accessible by a computer includes volatile and nonvolatile media, transitory and non-transitory media, removable and non-removable media. By way of example, and not limitation, computer-readable media may include computer-readable storage media and computer-readable transmission media.

Computer readable storage media includes volatile and nonvolatile media, temporary and non-transitory media, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. includes media. A computer-readable storage medium may be RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage device, magnetic cassette, magnetic tape, magnetic disk storage device, or other magnetic storage device. device, or any other medium that can be accessed by a computer and used to store the desired information.

A computer readable transmission medium typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and the like. Includes all information delivery media. The term modulated data signal means a signal in which one or more of the characteristics of the signal is set or changed so as to encode information in the signal. By way of example, and not limitation, computer-readable transmission media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also intended to be included within the scope of computer-readable transmission media.

An example environment 1100 implementing various aspects of the disclosure is shown including a computer 1102 , the computer 1102 including a processing unit 1104 , a system memory 1106 , and a system bus 1108 . do. A system bus 1108 couples system components, including but not limited to system memory 1106 , to the processing device 1104 . The processing device 1104 may be any of a variety of commercially available processors. Dual processor and other multiprocessor architectures may also be used as processing unit 1104 .

The system bus 1108 may be any of several types of bus structures that may further interconnect a memory bus, a peripheral bus, and a local bus using any of a variety of commercial bus architectures. System memory 1106 includes read only memory (ROM) 1110 and random access memory (RAM) 1112 . A basic input/output system (BIOS) is stored in non-volatile memory 1110, such as ROM, EPROM, EEPROM, etc., the BIOS is the basic input/output system (BIOS) that helps transfer information between components within computer 1102, such as during startup. contains routines. RAM 1112 may also include high-speed RAM, such as static RAM, for caching data.

The computer 1102 may also include an internal hard disk drive (HDD) 1114 (eg, EIDE, SATA) - this internal hard disk drive 1114 may also be configured for external use within a suitable chassis (not shown). Yes—a magnetic floppy disk drive (FDD) 1116 (eg, for reading from or writing to removable diskette 1118), and an optical disk drive 1120 (eg, a CD-ROM) for reading disk 1122 or for reading from, or writing to, other high capacity optical media such as DVD). The hard disk drive 1114 , the magnetic disk drive 1116 , and the optical disk drive 1120 are connected to the system bus 1108 by the hard disk drive interface 1124 , the magnetic disk drive interface 1126 , and the optical drive interface 1128 , respectively. ) can be connected to Interface 1124 for external drive implementation includes, for example, at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

These drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and the like. In the case of computer 1102, drives and media correspond to storing any data in a suitable digital format. Although the description of computer-readable storage media above refers to HDDs, removable magnetic disks, and removable optical media such as CDs or DVDs, those skilled in the art will use zip drives, magnetic cassettes, flash memory cards, cartridges, It will be appreciated that other tangible computer-readable storage media and the like may also be used in the exemplary operating environment and any such media may include computer-executable instructions for performing the methods of the present disclosure. .

A number of program modules may be stored in the drive and RAM 1112 , including an operating system 1130 , one or more application programs 1132 , other program modules 1134 , and program data 1136 . All or portions of the operating system, applications, modules, and/or data may also be cached in RAM 1112 . It will be appreciated that the present disclosure may be implemented in various commercially available operating systems or combinations of operating systems.

A user may enter commands and information into the computer 1102 via one or more wired/wireless input devices, for example, a pointing device such as a keyboard 1138 and a mouse 1140 . Other input devices (not shown) may include a microphone, IR remote control, joystick, game pad, stylus pen, touch screen, and the like. Although these and other input devices are connected to the processing unit 1104 through an input device interface 1142 that is often connected to the system bus 1108, parallel ports, IEEE 1394 serial ports, game ports, USB ports, IR interfaces, It may be connected by other interfaces, etc.

A monitor 1144 or other type of display device is also coupled to the system bus 1108 via an interface, such as a video adapter 1146 . In addition to the monitor 1144, the computer typically includes other peripheral output devices (not shown), such as speakers, printers, and the like.

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1148 via wired and/or wireless communications. Remote computer(s) 1148 may be workstations, server computers, routers, personal computers, portable computers, microprocessor-based entertainment devices, peer devices, or other common network nodes, and are generally Although including many or all of the components described, only memory storage device 1150 is shown for simplicity. The logical connections shown include wired/wireless connections to a local area network (LAN) 1152 and/or a larger network, eg, a wide area network (WAN) 1154 . Such LAN and WAN networking environments are common in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which can be connected to a worldwide computer network, for example, the Internet.

When used in a LAN networking environment, the computer 1102 is coupled to the local network 1152 through a wired and/or wireless communication network interface or adapter 1156 . Adapter 1156 may facilitate wired or wireless communication to LAN 1152 , which LAN 1152 also includes a wireless access point installed therein for communicating with wireless adapter 1156 . When used in a WAN networking environment, the computer 1102 may include a modem 1158 , connected to a communication server on the WAN 1154 , or otherwise establishing communications over the WAN 1154 , such as over the Internet. have the means A modem 1158 , which may be internal or external and a wired or wireless device, is coupled to the system bus 1108 via a serial port interface 1142 . In a networked environment, program modules described for computer 1102 , or portions thereof, may be stored in remote memory/storage device 1150 . It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The computer 1102 may be associated with any wireless device or object that is deployed and operates in wireless communication, for example, a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communication satellite, wireless detectable tag. It operates to communicate with any device or place, and phone. This includes at least Wi-Fi and Bluetooth wireless technologies. Accordingly, the communication may be a predefined structure as in a conventional network or may simply be an ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) makes it possible to connect to the Internet, etc. without a wired connection. Wi-Fi is a wireless technology such as cell phones that allows these devices, eg, computers, to transmit and receive data indoors and outdoors, ie anywhere within range of a base station. Wi-Fi networks use a radio technology called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, and high-speed wireless connections. Wi-Fi can be used to connect computers to each other, to the Internet, and to wired networks (using IEEE 802.3 or Ethernet). Wi-Fi networks may operate in unlicensed 2.4 and 5 GHz radio bands, for example, at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products that include both bands (dual band). have.

Those of ordinary skill in the art of the present disclosure will recognize that the various illustrative logical blocks, modules, processors, means, circuits, and algorithm steps described in connection with the embodiments disclosed herein include electronic hardware, (convenience For this purpose, it will be understood that it may be implemented by various forms of program or design code (referred to herein as "software") or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. A person skilled in the art of the present disclosure may implement the described functionality in various ways for each specific application, but such implementation decisions should not be interpreted as a departure from the scope of the present disclosure.

The various embodiments presented herein may be implemented as methods, apparatus, or articles of manufacture using standard programming and/or engineering techniques. The term “article of manufacture” includes a computer program or media accessible from any computer-readable device. For example, computer-readable storage media include magnetic storage devices (eg, hard disks, floppy disks, magnetic strips, etc.), optical disks (eg, CDs, DVDs, etc.), smart cards, and flash drives. memory devices (eg, EEPROMs, cards, sticks, key drives, etc.). The term “machine-readable medium” includes, but is not limited to, wireless channels and various other media that can store, hold, and/or convey instruction(s) and/or data.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not intended to be limited to the embodiments presented herein, but is to be construed in the widest scope consistent with the principles and novel features presented herein.

Claims (7)

A method for designing and verifying a security system using a model-based security framework performed by a processor of a computing device, the method comprising:
Threat modeling step for deriving the security requirements of the design target system;
a design modeling step for generating a design model based on the security requirements and verifying the design model; and
an implementation modeling step for generating an implementation model based on the design model and verifying the implementation model;
containing,
How to design and validate a security system.
The method of claim 1,
The threat modeling step is
Recognizing an important asset requiring security based on the functional requirements of the design target system;
generating a data flow chart based on major components based on the structure of the design target system;
generating an attack library related to vulnerabilities of the design target system and attack methods for the design target system based on a plurality of data;
recognizing an expected threat that may be generated in the design target system based on preset security attributes;
generating an attack tree based on an identified threat generated by applying the predicted threat to the data flow chart and the attack library; and
generating a security checklist using the attack tree and the threat list derived through the data flow diagram and the attack library, and deriving the security requirements corresponding to the security checklist;
containing,
How to design and validate a security system.
The method of claim 1,
The design modeling step is
generating a design model corresponding to security requirements using a standardized modeling language; and
using a formal language to verify the accuracy of whether there is a contradiction between the design model and the security requirements;
containing,
How to design and validate a security system.
The method of claim 1,
The implementation modeling step is
generating a source code based on the design model;
converting the source code into a verification modeling language to generate an implementation model; and
performing formal verification on the implementation model using a model checker;
containing,
How to design and validate a security system.
3. The method of claim 2,
The important assets are:
Pre-stored in a memory corresponding to the characteristics and functions of the design target system, or determined based on a user input,
How to design and validate a security system.
3. The method of claim 2,
The data flow diagram is
Including information on each of a plurality of functions provided by the design target system and information on data transmitted and received between the plurality of functions,
How to design and validate a security system.
3. The method of claim 2,
The attack tree is
contain information about the ultimate attack target;
The final attack target is disposed at the top node of the attack tree,
At least one threat related to the final attack target is disposed in at least one lower node associated with the top node,
How to design and validate a security system.

Images