17
Misuse Cases Claude Turner

Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Embed Size (px)

Citation preview

Page 1: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Misuse Cases

Claude Turner

Page 2: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Outline• Introduction

• Misuse Cases

• Example 1

• Example 2

• Tool Support for Use and Misuse Cases

Page 3: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Introduction

Page 4: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

“Humans have analyzed negative scenarios ever since they first sat around Ice Age campfires debating the dangers of catching wooly rhinoceros: ‘What if it turns and charges us before it falls into the pit?’”

Ian Alexander

Page 5: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

A more recent scenario is ‘What if the hackers launch a denial of service attack?’ Modern systems engineers can employ a misuse case—the negative form of a use case—to document and analyze such scenarios. A misuse case is simply a use case from the point of view of an actor hostile to the system under design.”

Ian Alexander

Page 6: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Misuse Cases

Page 7: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Misuse Case• A use case that documents a negative scenario• A use case from an attacker’s perspective or from an

actor hostile to the system under design.• Applies the concept of negative scenario in a use-

case context. – A negative scenario is a situation that the system’s owner

does not want to occur. – Example: business leaders, game planners, and military

tacticians are familiar with the strategy of analyzing their opponents’ best moves as identifiable threats.

– In contrast, a use case generally describes behavior the owner wants the system to possess.

• Represents what if type questions

Page 8: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Recursive Misuse and Use Cases

• Can develop misuse and use cases recursively, going from system to subsystem levels or lower as necessary

• Lower-level cases can highlight aspects not considered at higher levels, possibly forcing another analysis

• Approach offers rich possibilities for exploring, understanding, and validating the requirements in any direction

Page 9: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 1 (Figure 1)

Drive the Car

Lock the Car

Lock theTransmission

Short the Ignition

Steal the Car

Driver

Car Thief

Threatens

Threatens

Mitigates

Mitigates

Includes

Includes

Includes

Page 10: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 1• Like a game (ex. Chess or Draft): “a team’s best

strategy consists of thinking ahead to the other team’s best move and acting to block it.”

• In the figure, use cases appear on the left, and misuse cases are on the right

• Misuse threat: car theft• Use case actor: lawful driver• Misuse actor: car thief• Risk: driver’s freedom to drive the car if thief

can steal it

Page 11: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 1

• Top-level analysis: driver must be able to lock the car (a derived requirement) to mitigate the threat

• Next-level analysis (thief’s response): if thief breaks the door lock and shorts the ignition, this requires another mitigating approach– such as, locking the transmission

• Thus, threat and mitigation forms a balanced zigzag.

Page 12: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 2 (Figure 2)

Access the services

Control strictly

Control loosely

Sabotage

Frustrated bycontrols

Denial-of-serviceattack

Intrude into system

Brute forcepassword

Recognize users

Operate firewall

Log access attempts

Attack unblockedports

Impersonate users

Service user

Security

Rogue employee

Service user

Hacker

Threatens

includes

includes

includes

Mitigates

Aggravates

Aggravates

includes

Mitigates

Mitigates

Mitigates

Threatens

Threatens

Threatens

ThreatensMitigates

includes

includes

includes

Page 13: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 2—Design Tradeoffs (satisfying conflicting user demands)

• Each design choice opens up new possibilities for both use and misuse

• Designers must therefore tradeoff one option against the other

• Example: – Web portal users must be able to access the

provided services– Access can be threatened by a variety of security

assaults (e.g., sabotage by rogue employees, sophisticated attacks by hackers)

Page 14: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Example 2—Design Tradeoffs (usability)

• Security can threaten system use if it is so strict that it frustrates lawful users (usability) and leads them to seek alternative services

• But, loose control that are more comfortable for such users invite misuse

• Figure 2 illustrates these dilemmas by adding “aggravates” and “conflicts with” relationships between cases

Page 15: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Usability and Misuse Cases

Can also apply misuse case solutions to usability, as when a novice operator confused by the user interface becomes a negative agent

Page 16: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

Tool Support for Use and Misuse Cases

• DOORS requirements management tool• Scenario Plus (free set of add-ons for doors

Page 17: Misuse Cases Claude Turner. Outline Introduction Misuse Cases Example 1 Example 2 Tool Support for Use and Misuse Cases

References

Alexander, I. (2003). Misuse Cases: Use Cases with Hostile Intent. IEEE Software , 58-66.