Computer-assisted validation and verification of cybersecurity requirements

摘要

Errors in requirements are often a contributing cause of the failure of critical infrastructure and their underlying information systems to adequately guard against cyber intrusions and withstand cyber attacks. However, detecting errors in the cybersecurity requirements, and for requirements in general, is a challenging task. In this paper we describe how computer-aided formal verification and validation can be leveraged to address the challenge of correctly capturing natural language cybersecurity requirements, converting the natural language statements into formal requirements specifications, and then checking the formal specifications to ensure that they match the original intent of the stakeholders. Our approach centers on creating a one-to-one mapping between natural language requirements and UML statechart assertions. Statechart assertions are Boolean statements about the expected behavior of the system, expressed as UML statecharts. The set of assertions created by the security or software engineer is a formal model of the system's requirements. We demonstrate our approach using examples of formally specifying and validating requirements for correct cyber system behaviors and the detection of illegal business schemes in choreographed web services.