Motivation and Problem Description
In recognition of the fact that information and communication technologies are becoming a dominant part of people's everyday life, the proposers, representing users and vendors of information and communication technology, value the importance of establishing trust and confidence in their products and services. Beyond and above the obvious market advantage, building consumer confidence and trust in information and telecommunication products is nowadays becoming a social matter.
To implement security in a way that meets business needs cost-effectively, both in the short term and as enterprise needs expand, is a major challenge for users and vendors of information and communication technology in Europe and world-wide. In order to meet this challenge, we need to improve the existing methods of identifying and analysing possible security threats, of developing security specifications, and of designing and implementing security policies. We consider systematic methods for threat identification and risk analysis to be the best candidate for this.
Main Objectives
The CORAS project intends to develop a base framework applicable to security critical systems that will supply customisable, component-based road maps to aid the early discovery of security vulnerabilities, inconsistencies and redundancies and will provide methods to achieve the assurance of the security policy implementation. Its main objectives are:
- To develop a practical framework for a precise, unambiguous and efficient risk analysis, by exploiting the synthesis of risk analysis methods with object oriented modelling, semiformal methods and tools, in order to improve the security analysis and security policy implementation of security-critical systems.
- To assess the applicability, usability and efficiency of the framework by extensive experimentation in the fields of e-commerce, telemedicine and telecommunication.
- To investigate its commercial viability and pursue its exploitation within relevant market segments, while playing an influential role in standardisation organisations.
Operational Objectives
The CORAS framework will provide a general and modular approach to realising systems security in a manner that gives comprehensibility, precision, flexibility, ease of automation, and ease of verification and validation. It will be useful in developing new systems as well as in maintaining and improving legacy systems. The framework will comprise:
- Standards for precise and unambiguous evaluation, description and definition of the analysed object and the risks to which it is exposed.
- Standards for the accurate specification of security requirements, which form the basis for establishing security policy.
- The adaptation or extension of an RM-ODP inspired reference model aimed at the modelling of security critical systems.
- Libraries of standard modelling elements for the various analysed object models based on UML, its extension OCL and other specification techniques selected for this purpose.
- Methods for consistency checks of the analysis results.
- Methods for the comprehensible presentation and communication of the object analysis results and the security requirements, thus making possible the qualitative modelling, management and documentation of risks.
Rationale
Both users and vendors of information and communication technology have interests in a high level of security. Vendors need to establish trust and confidence in their products and services and users need to protect their information and trust their vendor. Although all systems need some level of security, we believe that systems for e-commerce, medical and legal databases, financially critical systems, centralised and web hosting are particularly security critical.
We appreciate the need for improved methods of identifying and analysing possible security threats. We also recognise that the traditional models of trust between vendors and buyers fail to live up to the requirements of an electronic market place, where anonymous transactions cross territorial and legal boundaries. An alternative quantification of trust, based on systematic methods for threat identification and risk analysis, may offer better evaluations of transaction risk in this environment. The risk analysis approach aims to control risk; it is a rigorous balancing process of determining how much and what kind of security to incorporate in light of business needs and acceptable levels of risk.
Risk analysis has already been proven as a powerful tool in ensuring safety in transportation, production and industry. However, the increasing complexity of today's systems urges the improvement of existing methods of analysing systems and their security specification in order to increase the likelihood that all possible security threats are taken into consideration. Consequently, the demand for a more orderly and formal treatment of risks is increasing. By applying semiformal methods we aim to alleviate, and in some cases eliminate, ambiguities and other difficulties in specifying security requirements. By applying object oriented modelling techniques we expect to achieve tractable system descriptions and therefore improve the use of risk analysis techniques. This combination will eventually lead to assuring the realised security policy.
Funding and Consortium
- European funding (Project Number IST-2000-25031) January 2001 - June 2003
- Telenor AS, Intracom SA, IFE, NR, SINTEF, NCT, RAL-CLRC, QMW, CTI, Solinet, and FORTH
The main CORAS results
The CORAS tool-supported methodology provides:
- A methodology for model-based risk assessment integrating aspects from partly complementary risk assessment methods and state-of-the-art modelling methodology
- A UML based specification language targeting security risk assessment.
- A library of reusable experience packages.
- A computerised tool that supports the methodology and provides two repositories: an assessment repository and a repository for the reusable experience packages.
- An XML mark-up for exchange of risk assessment data.
- A vulnerability assessment report format.
The CORAS field trials
The CORAS project was carried out and managed based on an iterative process driven by field trials within the e-commerce and telemedicine domains. There were three main iterations. Each iteration was terminated by two field trials: one focusing on telemedicine, and one targeting e-commerce. The CORAS field trials had three main objectives:
- To guide the development of the CORAS framework by providing feedback to the CORAS R&D work throughout the lifetime of the CORAS project.
- To assess and evaluate the CORAS framework.
- To benefit the pilot sites subject to evaluation.
The CORAS main results are further described below.
I. The CORAS Framework
The CORAS framework is the overall result of the CORAS project since it integrates all the other CORAS results. The framework consists of terminology, languages for system modelling, processes for system development and risk management, methodologies for security risk analysis as well as computerised tools. In particular, the framework provides:
- A methodology for model-based risk assessment integrating aspects from partly complementary risk assessment methods and state-of-the-art modelling methodology (see II).
- A UML based specification language targeting security risk assessment (see III).
- A library of reusable experience packages (see IV).
- A computerised integration platform providing two repositories: an assessment repository and a repository for the reusable experience packages (see V).
- An XML mark-up for exchange of risk assessment data (see VI).
- A vulnerability assessment report format (see VII).
II. The CORAS Methodology for Model-Based Risk Assessment
The CORAS methodology for model-based risk assessment (MBRA) applies the standardised modelling technique UML to form input models to risk analysis methods that are used in a risk management process.
- This process is based on the standard AS/NZS 4360:1999 "Risk Management".
- The CORAS methodology for MBRA can be utilised on three abstraction levels, and for each level recommendations and guidelines are provided, as well as templates, questionnaires and supportive descriptions.
- The CORAS methodology for MBRA is specialised towards assessment of security critical systems.
- The CORAS methodology for MBRA has been tested successfully on telemedicine and e-commerce systems through several trials. The benefit of using the methodology is that the assessment becomes more effective, owing to a high degree of standardisation in describing the target of assessment and an increased level of reusability. At the same time, the results become much easier to communicate to the different stakeholders.
III. The CORAS UML Profile for Security Assessment
The CORAS UML profile is an extension of the basic UML language targeting security risk assessment.
- The profile makes the UML diagrams easier to understand for non-experts, and at the same time preserves the well-definedness of UML.
- The profile for risk assessment provides rules and constraints for risk assessment relevant system documentation.
IV. The CORAS Library of Reusable Experience Packages
The CORAS library of reusable experience packages supports reuse of risk assessment experiences and documentation. A significant part of the results of a security analysis carried out on an IT system will typically have a certain general character. To avoid starting from scratch for every new analysis, it is important to gather these general aspects.
- The library of reusable experience packages captures such generic aspects in the form of e.g. UML-diagrams, table-formats, check lists, patterns and plain text. Each experience package is decomposed into experience elements.
- An experience package belongs to a domain, but may inherit elements from experience packages of other domains; e.g., an experience package in the telemedicine domain may inherit elements from experience packages in the health domain and the general domain.
- The experience packages are classified into constructive and supportive packages, which contain constructive and supportive elements, respectively. A supportive package documents methodological aspects like guidelines and recommendations while a constructive package provides formats and patterns for the documentation of assessment results and the assumptions on which they depend.
V. The CORAS Integration Platform
The CORAS integration platform is the main computerised component of the CORAS framework. The CORAS platform is used to store the results from ongoing and completed security analyses, as well as the reusable elements and experience packages. These are stored in two separate repositories, the Assessment Repository for the analysis results, and the Reusable Elements Repository for the reusable elements. During a security analysis, reusable elements may be instantiated and become part of the security analysis results. The platform GUI provides the end-user with administrative functionality, such as creating new security analysis projects and managing the reusable elements and experience packages. A wide variety of UML modelling tools and risk analysis tools exist and are in use by security analysts and system engineers today. The CORAS platform provides flexible support for integration with such external tools. To this end, the platform provides an integration layer with a defined API which tools can use to integrate with the platform, utilising standardised XML formats for data integration. The CORAS platform comes with full documentation and provides:
- methodological guidelines in electronic form;
- an advanced tool for table-editing;
- automatic procedures for consistency checking;
- support for generating partly filled in tables based on existing data;
- user-guidelines in the form of help functionality.
VI. The CORAS XML Mark-Up for Security Assessment
In the absence of any standardised meta-data format for representing information related to risk assessment, the CORAS consortium has developed an XML mark-up for representing risk assessment information.
- Such meta-data descriptions of core risk assessment data are used for consistency checking between different items in the repositories provided by the CORAS integration platform.
- The XML mark-up is also used to facilitate easy integration of risk analysis tools with the CORAS integration platform. In particular, the mark-up defines information models for the core elements of the different risk analysis methods used in CORAS.
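The consistency checking mentioned above is easiest to see on a concrete document. The following is an added example, not CORAS project code: the element and attribute names (assessment, asset, threat, risk, treatment, and the id and reference attributes) are an assumed mark-up, not the real CORAS XML, and the sample document is constructed. It checks the kind of cross-item properties a repository check would enforce: identifiers are unique, every reference resolves to an existing item, and every identified risk has at least one treatment.

```python
"""Consistency check over a CORAS-style risk assessment XML document.

Added example, not CORAS project code. The element and attribute names
are assumed, not the real CORAS mark-up; the sample document is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample document with two deliberate inconsistencies:
# threat T2 refers to a missing asset, and risk R2 has no treatment.
SAMPLE_XML = """<assessment id="telemed-demo">
  <assets>
    <asset id="A1" name="Patient records"/>
    <asset id="A2" name="Video link"/>
  </assets>
  <threats>
    <threat id="T1" asset="A1" description="Unauthorised read of records"/>
    <threat id="T2" asset="A9" description="Eavesdropping on consultation"/>
  </threats>
  <risks>
    <risk id="R1" threat="T1" likelihood="medium" consequence="high"/>
    <risk id="R2" threat="T2" likelihood="low" consequence="high"/>
  </risks>
  <treatments>
    <treatment id="M1" risk="R1" description="Role-based access control"/>
  </treatments>
</assessment>"""

# For each referencing element type: (attribute holding the reference,
# element type the reference must point to). Assumed layout.
REFERENCES = {
    "threat": ("asset", "asset"),
    "risk": ("threat", "threat"),
    "treatment": ("risk", "risk"),
}


def check_consistency(xml_text):
    """Return a sorted list of human-readable inconsistency findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Collect ids per element type and flag missing or duplicate ids.
    ids = {}
    for tag in ("asset", "threat", "risk", "treatment"):
        seen = set()
        for el in root.iter(tag):
            el_id = el.get("id")
            if el_id is None:
                findings.append(f"{tag} without id")
            elif el_id in seen:
                findings.append(f"duplicate {tag} id {el_id}")
            seen.add(el_id)
        ids[tag] = seen

    # 2. Every reference attribute must resolve to an existing id.
    for tag, (attr, target) in REFERENCES.items():
        for el in root.iter(tag):
            ref = el.get(attr)
            if ref not in ids[target]:
                findings.append(
                    f"{tag} {el.get('id')} references unknown {target} {ref}")

    # 3. Every risk should have at least one treatment.
    treated = {t.get("risk") for t in root.iter("treatment")}
    for risk_id in sorted(ids["risk"] - treated):
        findings.append(f"risk {risk_id} has no treatment")

    return sorted(findings)


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_XML):
        print("INCONSISTENCY:", finding)
```

Run against the constructed sample it reports the dangling asset reference and the untreated risk; once those two are repaired it returns an empty list, which is the state a repository would require before an assessment is accepted as complete.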
VII. The CORAS Vulnerability Assessment Report Format
As networks of hosts continue to grow in size and complexity, evaluating the vulnerabilities that could be exploited becomes an increasingly important preventive measure. Periodic network assessment, used to uncover and correct vulnerabilities, is a common intrusion prevention technique. Although the tools that perform those assessments report the same basic information, there are some tool-specific differences. Unfortunately, combining output from these tools would require separate parsing tools to address the significant low-level differences. A standard format for representing assessment information in XML would bring the vulnerability assessment area the same kinds of benefits that IDMEF and IODEF are expected to bring to the intrusion detection and incident handling areas.
- The CORAS vulnerability assessment report format (VARF) addresses this problem by proposing data formats for sharing information of interest to vulnerability assessment and for facilitating its interaction with the risk management process.
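The problem the VARF addresses, tool-specific output needing a separate parser per tool, can be shown with two small stand-in formats. The following is an added example and not the CORAS VARF itself: the CSV and XML inputs are constructed outputs of two hypothetical tools, the severity scales and their mapping are assumed, and the common output layout (report, finding, host, port, title) is an assumed VARF-like format, not the real one. Each tool needs its own parser, but once the findings are in one shared document the risk management side needs a single reader.

```python
"""Merging two vulnerability assessment tool outputs into one common XML report.

Added example, not the CORAS VARF. Both input formats, the severity scales
and the output element names are constructed/assumed for illustration.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed output of hypothetical "tool A": CSV, numeric severity 1-5.
TOOL_A_CSV = """host,port,service,title,severity
10.0.0.5,22,ssh,Weak host key algorithm offered,3
10.0.0.5,443,https,Expired certificate,2
10.0.0.7,21,ftp,Anonymous login permitted,4
"""

# Constructed output of hypothetical "tool B": XML with its own element
# names and a word-based severity scale.
TOOL_B_XML = """<scan>
  <target addr="10.0.0.5">
    <issue port="443" name="Expired certificate" risk="Low"/>
  </target>
  <target addr="10.0.0.9">
    <issue port="80" name="Directory listing enabled" risk="Medium"/>
  </target>
</scan>"""

# One shared severity scale (assumed) and the mappings onto it.
SEVERITY_RANK = ["info", "low", "medium", "high", "critical"]
SEVERITY_FROM_NUMBER = dict(enumerate(SEVERITY_RANK, start=1))


def parse_tool_a(text):
    """Parser needed for tool A's CSV; returns common finding dicts."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"host": r["host"], "port": int(r["port"]), "title": r["title"],
             "severity": SEVERITY_FROM_NUMBER[int(r["severity"])],
             "source": "toolA"} for r in rows]


def parse_tool_b(text):
    """Parser needed for tool B's XML; returns common finding dicts."""
    findings = []
    for target in ET.fromstring(text).iter("target"):
        for issue in target.iter("issue"):
            findings.append({"host": target.get("addr"),
                             "port": int(issue.get("port")),
                             "title": issue.get("name"),
                             "severity": issue.get("risk").lower(),
                             "source": "toolB"})
    return findings


def merge_findings(*lists):
    """Merge findings from several tools, de-duplicating on (host, port, title).

    When two tools report the same finding the higher severity is kept and
    both sources are recorded, so nothing a tool saw is silently dropped.
    """
    merged = {}
    for finding in (f for lst in lists for f in lst):
        key = (finding["host"], finding["port"], finding["title"])
        if key in merged:
            kept = merged[key]
            kept["source"] += "," + finding["source"]
            if SEVERITY_RANK.index(finding["severity"]) > SEVERITY_RANK.index(kept["severity"]):
                kept["severity"] = finding["severity"]
        else:
            merged[key] = dict(finding)
    return sorted(merged.values(), key=lambda f: (f["host"], f["port"]))


def to_report_xml(findings):
    """Serialise merged findings into the assumed common report format."""
    report = ET.Element("report")
    for f in findings:
        el = ET.SubElement(report, "finding", severity=f["severity"], source=f["source"])
        ET.SubElement(el, "host").text = f["host"]
        ET.SubElement(el, "port").text = str(f["port"])
        ET.SubElement(el, "title").text = f["title"]
    return ET.tostring(report, encoding="unicode")


def findings_per_host(report_xml):
    """The consumer side: one reader for the common format, whatever the tool."""
    counts = {}
    for f in ET.fromstring(report_xml).iter("finding"):
        host = f.find("host").text
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    merged = merge_findings(parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_XML))
    report = to_report_xml(merged)
    print(report)
    print(findings_per_host(report))
```

The two parse functions are exactly the per-tool effort a shared format removes; everything from merge_findings onward works on the common representation only, which is what allows the risk management process to consume assessment data without knowing which scanner produced it.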