Misuse case
Misuse case is a business process modeling tool used in the software development industry. The term Misuse Case or mis-use case is derived from and is the inverse of use case. The term was first used in the 1990s by Guttorm Sindre of the Norwegian University of Science and Technology, and Andreas L. Opdahl of the University of Bergen, Norway. It describes the process of executing a malicious act against a system, while use case can be used to describe any action taken by the system.
Overview
s specify required behaviour of software and other products under development, and are essentially structured stories or scenarios detailing the normal behavior and usage of the software. A Misuse Case on the other hand highlights something that should not happen and the threats hence identified, help in defining new requirements, which are expressed as new Use Cases.This modeling tool has several strengths:
- It allows provision of equal weightage to functional and non-functional requirements, which may not be possible with other tools.
- It emphasises security from the beginning of the design process and helps to avoid premature design decisions.
- It is a tool for improving communication between developers and stakeholders and is valuable in ensuring that both agree on critical system solutions and Trade-off analysis.
- Creating misuse cases often trigger a chain reaction which eases the identification of functional and non-functional requirements. The discovery of a misuse case will often leads to the creation of a new use case which acts as a counter measure. This in turn might be the subject of a new misuse case.
- As compared to other tools, It relates better to use cases and UML and eases the seamless employment of the model.
From use to misuse case
In an industry it is important to describe a system's behavior when it responds to a request that originates from outside : the use cases have become popular for requirements between the engineers thanks to its features like the visual modeling technique, they describe a system from an actor's viewpoint and its format explicitly conveys each actor's goals and the flows the system must implement to accomplish them.The level of abstraction of a use case model makes it an appropriate starting point for design activities, thanks to the use of UML use case diagrams and the end user's or domain expert's language. But for software security analyses, the developers should pay attention to negative scenarios and understand them. That is why, in the 1990s, the concept of "inverse of an use case" was born in Norway.
The contrast between the misuse case and the use case is the goal: the misuse case describes potential system behaviors that a system's stakeholders consider unacceptable or, as Guttorm Sindre and Andreas L. Opdahl said, "a function that the system should not allow".
This difference is also in the scenarios: a "positive" scenario is a sequence of actions leading to a Goal desired by a person or organization, while a "negative" one is a scenario whose goal is desired not to occur by the organization in question or desired by a hostile agent.
Another description of the difference is by that defines a use case as a completed sequence of actions which gives increased value to the user, one could define a misuse case as a completed sequence of actions which results in loss for the organization or some specific stakeholder.
Between the "good" and the "bad" case the language to represent the scenario is common: the use case diagrams are formally included in two modeling languages defined by the OMG: the Unified Modeling Language and the Systems Modeling Language, and this use of drawing the agents and misuse cases of the scenario explicitly helps focus attention
on it.
Area of use
Misuse case are most commonly used in the field of security. With the ever-growing importance of IT system, it has become vital for every company to develop capability to protect its data.Hence, for example a misuse case might be used to define what a hacker would want to do with the system and define his or her requirements. A developer or designer can then define the requirements of the user and the hacker in the same UML diagram which in turn helps identify the security risks of the system.
Basic concepts
A misuse case diagram is created together with a corresponding use case diagram. The model introduces 2 new important entities (in addition to those from the traditional use case model, use case and actor:- Misuse case : A sequence of actions that can be performed by any person or entity in order to harm the system.
- Misuser : The actor that initiates the misuse case. This can either be done intentionally or inadvertently.
Diagrams
;mitigates: A use case can mitigate the chance that a misuse case will complete successfully.
;threatens: A misuse case can threaten a use case, e.g. by exploiting it or hinder it from achieving its goals.
These new concepts together with the existing ones from use case give the following meta model, which is also found as fig. 2 in Sindre and Opdahl.
Descriptions
There are two different ways of describing a misuse case textual; one is embedded in a use case description template - where an extra description field called Threats can be added. This is the field where misuse case steps can be filled in. This is referred to as the lightweight mode of describing a misuse case.The other way of describing a misuse case, is by using a separate template for this purpose only. It is suggested to inherit some of the field from use case description. It also adapts the fields Basic path and Alternative path, where they now describe the paths of the misuse cases instead of the use cases. In addition to there, it is proposed to use several other fields too:
- Misuse case name
- Summary
- Author
- Date
- Basic path
- Alternative paths
- Mitigation points
- Extension points
- Triggers
- Preconditions
- Assumptions
- Mitigation guarantee
- Related business rules
- Potential misuser profile
- Stakeholders and threats
- Terminology and explanations
- Scope
- Abstraction level
- Precision level
Sindre and Opdahl proposes the following 5 steps for using misuse cases to identify security requirements:
- Identify critical assets in the system
- Define security goals for each assets
- Identify threats to each of these security goals, by identifying the stakeholders that may want to cause harm to the system
- Identify and analyze risks for the threats, using techniques like Risk Assessment
- Define security requirements for the risks.
Research
Current field of research
Current research on misuse cases are primarily focused on the security improvements they can bring to a project, software projects in particular. Ways to increase the widespread adoption of the practice of misuse case development during earlier phases of application development are being considered: the sooner a flaw is found, the easier it is to find a patch and the lower the impact is on the final cost of the project.Other research focuses on improving the misuse case to achieve its final goal: for "there is a lack on the application process, and the results are too general and can cause a under-definition or misinterpretation of their concepts". They suggest furthermore "to see the misuse case in the light of a reference model for information system security risk management " to obtain a security risk management process.
Future improvement
The misuse cases are well known by the population of researchers. The body of research on the subject demonstrate the knowledge, but beyond the academic world, the misuse case has not been broadly adopted.As Sindre and Opdahl suggest: "Another important goal for further work is to facilitate broader industrial adoption of misuse cases". They propose, in the same article, to embed the misuse case in a usecase modeling tool and to create a "database" of standard misuse cases to assist software architects. System stakeholders should create their own misuse case charts for requirements that are specific to their own problem domains. Once developed, a knowledge database can reduce the amount of standard security flaws used by lambda hackers.
Other research focused on possible missing concrete solutions of the misuse case: as wrote "While this approach can help in a high level elicitation of security requirements, it does not show how to associate the misuse cases to legitimate behavior and concrete assets; therefore, it is not clear what misuse case should be considered, nor in what context". These criticisms might be addressed with the suggestions and improvements presented in the precedent section.
Standardization of the misuse case as part of the UML notation might allow it to become a mandatory part of project development. "It might be useful to create a specific notation for security functionality, or countermeasures that have been added to mitigate vulnerabilities and threats."