New version page

KU CSC 422 - misuse cases

Upgrade to remove ads
Upgrade to remove ads
Unformatted text preview:

Misuse CasesWhat Happens if You Always Look on the Positive Side?So, It Pays to Think Out 'Negative Scenarios'Understanding Negative ScenariosNegative Scenarios are Not NewUse CasesUse Case Diagram(Unknown) Use Case StructureUse Case ProblemsSlide 10A MiniMax Approach to SecurityAnthropomorphize … for SafetyMisuse Cases Identify NFRsDesign Trade-OffsPowerPoint PresentationBenefits of Misuse CasesApplications of Misuse CasesTool SupportRule-Based LinkingSummaryAbout...Misuse CasesUse Cases with Hostile IntentIan AlexanderIndependent Consultanthttp://www.scenarioplus.org.ukWhat Happens if You Always Look on the Positive Side?•At least you relax and are happy•But you aren't ready for problems when they come up–In business, there are people who want you to fail–On projects, there are many types of cockup–In systems, there are threats and hazards all round–In software, there's a bug in every module"If anything can go wrong, it will"(The REAL Captain Murphy, USAAF)So, It Pays to Think Out 'Negative Scenarios'#1 Either you think out what could happen– and what you mean to do about it#2 Or you wait until it happens– and you find out whether it's too late to do anything about it.Here are some techniques for approach #1.Understanding Negative Scenarios•A Scenario* is a sequence of actions leading to a Goal desired by a person or organisation•A Negative Scenario is a scenario whose Goal is–desired Not to occur by the organisation in question–desired by a hostile agent (not necessarily human)* This is a different usage from 'four possible future business scenarios'Negative Scenarios are Not New'Suppose it turns and charges us before it falls into the pit'Montignac Caves, Dordogne, FranceUse Cases•Ivar Jacobson, 1992•Large Telecom Systems (Ericsson switches)•Add a little bit of functionality to please some user•Use Case = Design Feature???•Black? or White-Box??Use Case Diagram•UML: like UK, USA, the Unified/United covers a multitude of sins•Use Cases predate UML and are quite unlike much of it•"Use Cases are fundamentally a textual form" - Alistair Cockburn•Bubbles and Stick-Men by themselves aren't terribly informativeDrive the CarDriverSteer the CarBrake the Carincludesincludes(Unknown) Use Case Structure•Goal–Primary Scenario•list of steps (Actor, Action)–Alternative Paths•set of Scenarios branching from 1ry–Exceptions•set of Scenarios, each with a triggering Event–AOB•preconditions, trigger, results if successful, minimal guarantees (successful or not), constraints, ...Use Case Problems•Many!–Fragmentation of problems (not necessarily any better than a mass of Dataflow Diagrams)–Functional Approach tends to ignore non-functional requirements (Constraints)–Looking for the Primary and positive first can mean never getting around to looking for Exceptions–Drawing little bubbles and stickmen can mean never writing Scenarios as Stories (… the Dataflow peril, again)Misuse Cases•Guttorm Sindre and Andreas Opdahl, 2000•Actor is a Hostile Agent•Bubble is drawn in inverted colours•Goal is a Threat to Our System•Obvious Security ApplicationsDrive the CarSteal the CarCar ThiefCar ThiefthreatensA MiniMax Approach to SecurityincludesUse Cases for 'Car Security'includesincludesthreatensmitigatesDrive the CarSteal the CarLock the CarCar ThiefCar ThiefShort the IgnitionDriverDriverDriverLock the Transmissionthreatensmitigates•White's Best Move … is to find out Black's Best Move, and counter it•Seems natural to me to introduce 'threatens', 'mitigates'•Economical use of types of relationship (UML stereotypes)Anthropomorphize … for Safety•UML's stick-man looks like 'human agent' but can be of any type (robot, system)•Anthropomorphizing Forces of Nature is useful: it enables us to use our Social/Soap Opera Brain to reason about threats to our systems•Misuse Case helps to Elicit Subsystem Functionshas exceptionhas exceptionthreatensmitigatesmitigatesDriverControl the CarWeatherMake Car SkidControl TractionControl Braking with ABSMisuse Cases Identify NFRs•Use Cases are weak on NFRs •Misuse Cases naturally focus on NFRs, e.g. Safety•Response is often a SubSystem Function, possibly to handle an ExceptionIn terp la y of U se & M isu se C ase s w ith F u n ctio n a l & N o n -F u n ctio n a l R e q u ire m en tsD riv e rS yste m F u nc tio nM is u s e C a seD riv e rS ub -S y s te m F u nc tio n'M is us er',S o urce o f T hre a t'U se r'F un ctio n a l R e q u ire m e ntsF u nc tio na l R eq uire m e n tsN o n -Fu n ctiona l R eq u ire m e ntsDesign Trade-Offs Conflict Analysis builds upon Use/Misuse Case Modelling with additional relationships 'aggravates' and 'conflicts with'Use Cases for 'Web Portal Security'threatensincludesincludesthreatensmitigatesaggravatesaggravatesthreatensmitigatesmitigatesincludesincludesincludesaggravatesthreatensincludesincludesincludesmitigatesmitigatesmitigatesRogue EmployeeSabotageService UserAccess the ServicesService UserFrustrated by ControlsSecurityControl LooselyHackerDenial-of-Service AttackSecurityControl StrictlyHackerIntrude into SystemLog Access AttemptsHackerBrute-Force Password AttackOperate FirewallHackerAttack Unblocked PortsRecognize UsersImpersonate UsersHackerconflicts withA Real Example – Tube Seat Trade-OffsThe seat designers in the workshop quickly came up with 3 candidate solutions, once the conflicts were understoodthreatensthreatensthreatensaggravatesmitigatesaggravatesaggravatesthreatensmitigatesaggravatesmitigatesaggravatesmitigatesthreatensmitigatesPassengerSit ComfortablyAccidentCause InjuryWear Out SeatWear & TearMisalign Locking PinDesign EngineerWeaken ArmrestVandalBreak ArmrestDesign EngineerStrengthen ArmrestDesign EngineerOmit ArmrestVandalSlash SeatPestHarass WomenDesign EngineerReinforce SeatFireBurn Seatthreatensconflicts withthreatensBenefits of Misuse Cases•Open a new avenue of exploration•Contribute to searching systematically for exceptions, directed by the structure of the scenarios •Offer immediate justification for the search and indicate the priority of the requirements discovered•By personifying and anthropomorphizing the threats, add the force of metaphor to requirements elicitation•Make the search enjoyable and provide an algorithm for the search. Obvious parallel here with Cost/Benefit analysis•Make the reasoning behind affected requirements immediately


View Full Document
Download misuse cases
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view misuse cases and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view misuse cases 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?