Upload
branden-bennett
View
216
Download
2
Embed Size (px)
Citation preview
Misuse Cases
Claude Turner
Outline• Introduction
• Misuse Cases
• Example 1
• Example 2
• Tool Support for Use and Misuse Cases
Introduction
“Humans have analyzed negative scenarios ever since they first sat around Ice Age campfires debating the dangers of catching wooly rhinoceros: ‘What if it turns and charges us before it falls into the pit?’”
Ian Alexander
A more recent scenario is ‘What if the hackers launch a denial of service attack?’ Modern systems engineers can employ a misuse case—the negative form of a use case—to document and analyze such scenarios. A misuse case is simply a use case from the point of view of an actor hostile to the system under design.”
Ian Alexander
Misuse Cases
Misuse Case• A use case that documents a negative scenario• A use case from an attacker’s perspective or from an
actor hostile to the system under design.• Applies the concept of negative scenario in a use-
case context. – A negative scenario is a situation that the system’s owner
does not want to occur. – Example: business leaders, game planners, and military
tacticians are familiar with the strategy of analyzing their opponents’ best moves as identifiable threats.
– In contrast, a use case generally describes behavior the owner wants the system to possess.
• Represents what if type questions
Recursive Misuse and Use Cases
• Can develop misuse and use cases recursively, going from system to subsystem levels or lower as necessary
• Lower-level cases can highlight aspects not considered at higher levels, possibly forcing another analysis
• Approach offers rich possibilities for exploring, understanding, and validating the requirements in any direction
Example 1 (Figure 1)
Drive the Car
Lock the Car
Lock theTransmission
Short the Ignition
Steal the Car
Driver
Car Thief
Threatens
Threatens
Mitigates
Mitigates
Includes
Includes
Includes
Example 1• Like a game (ex. Chess or Draft): “a team’s best
strategy consists of thinking ahead to the other team’s best move and acting to block it.”
• In the figure, use cases appear on the left, and misuse cases are on the right
• Misuse threat: car theft• Use case actor: lawful driver• Misuse actor: car thief• Risk: driver’s freedom to drive the car if thief
can steal it
Example 1
• Top-level analysis: driver must be able to lock the car (a derived requirement) to mitigate the threat
• Next-level analysis (thief’s response): if thief breaks the door lock and shorts the ignition, this requires another mitigating approach– such as, locking the transmission
• Thus, threat and mitigation forms a balanced zigzag.
Example 2 (Figure 2)
Access the services
Control strictly
Control loosely
Sabotage
Frustrated bycontrols
Denial-of-serviceattack
Intrude into system
Brute forcepassword
Recognize users
Operate firewall
Log access attempts
Attack unblockedports
Impersonate users
Service user
Security
Rogue employee
Service user
Hacker
Threatens
includes
includes
includes
Mitigates
Aggravates
Aggravates
includes
Mitigates
Mitigates
Mitigates
Threatens
Threatens
Threatens
ThreatensMitigates
includes
includes
includes
Example 2—Design Tradeoffs (satisfying conflicting user demands)
• Each design choice opens up new possibilities for both use and misuse
• Designers must therefore tradeoff one option against the other
• Example: – Web portal users must be able to access the
provided services– Access can be threatened by a variety of security
assaults (e.g., sabotage by rogue employees, sophisticated attacks by hackers)
Example 2—Design Tradeoffs (usability)
• Security can threaten system use if it is so strict that it frustrates lawful users (usability) and leads them to seek alternative services
• But, loose control that are more comfortable for such users invite misuse
• Figure 2 illustrates these dilemmas by adding “aggravates” and “conflicts with” relationships between cases
Usability and Misuse Cases
Can also apply misuse case solutions to usability, as when a novice operator confused by the user interface becomes a negative agent
Tool Support for Use and Misuse Cases
• DOORS requirements management tool• Scenario Plus (free set of add-ons for doors
References
Alexander, I. (2003). Misuse Cases: Use Cases with Hostile Intent. IEEE Software , 58-66.