Threat Scenarios as a Means to Formally Develop Secure Systems

We introduce a new method for the formal development of secure systems that closely corresponds to the way secure systems are developed in practice. It is based on Focus, a general-purpose approach to the design and verification of distributed, interactive systems. Our method utilizes threat scenarios which are the result of threat identification and risk analysis and model those attacks that are of importance to the system's security. We describe the adversary's behaviour and influence on interaction. Given a suitable system specification, threat scenarios can be derived systematically from that specification. Security is defined as a particular relation on threat scenarios and systems. Security relations covering different aspects as authenticity and availability are given. We show the usefulness of our approach by developing an authentic and available server component, based on standardized cryptographic protocols.     «

We introduce a new method for the formal development of secure systems that closely corresponds to the way secure systems are developed in practice. It is based on Focus, a general-purpose approach to the design and verification of distributed, interactive systems. Our method utilizes threat scenarios which are the result of threat identification and risk analysis and model those attacks that are of importance to the system's security. We describe the adversary's behaviour and influence on inter...     »