Lecture 5
Uploaded by amannellutla9

Chapter 8

Vulnerability Mapping
Objectives
• Constructing use cases and misuse cases for the
system
• How to document the system and identify security
issues at a high level
• Mapping system vulnerability according to the
design
• Identifying where mitigation and security techniques
are needed from the design perspective
• Finalizing the complete business specification of the
system
Goals
• Construct use case and misuse case diagrams.
• Identify overlapping security concerns in a use
case overview diagram.
• Construct supporting documents in UML with
the addition of security concerns.
• Identify and prioritize system vulnerabilities.
• Manage the required documentation to provide
a complete business specification of the system.
Use Case Construction and Extension
• The first step in moving from a listing of
system requirements to an actualized and
deployed system is the process of use case
mapping.
• A use case is a translation of functional
requirements into a visual map of activity that
details the steps of arriving at a measurable
system outcome in more granular and explicit
fashion.
Use Case Construction and Extension
Use cases involve three primary components:
1. An actor is a person, external system, or entity that plays a
role in the performance of the functional task described in
the use case.
2. A procedure is a step performed to achieve the outcome of
the system specified by the functional requirement.
3. An association is a relationship between actors and
procedures. For actors and procedures, this is represented
by a directional arrow specifying the instantiation of the
next step in the process for the system.
Sample Use Case
Managing Misuse
• Misuse management is an attempt to elicit security requirements by
considering what a malicious actor could do within the context of the system.
• The Misuse Management Method (MMM) starts from the use case diagram: keep
all of the actors to the left of the procedures, with the procedures running
down the middle of the diagram. Draw a dotted line down through the middle of
the procedures to separate the normal operating case from the analysis of
malicious attacks on the system. The left side retains the use case properties
and information. The right side holds the analysis of security needs and the
procedural extensions needed to round out the functionality of the use case so
that it manages those attacks. (The next slide has a sample.)
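The following is an added example, not part of the lecture: it models the two columns of an MMM diagram in Python so that the misuse side can be checked for gaps (a misuse with no procedural extension answering it). The use case, the attacker actions and the mitigations are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Misuse:
    """Right-hand side of the dotted line: what a malicious actor does at this step."""
    attacker: str
    action: str
    mitigation: str = ""   # procedural extension that answers the misuse, if one exists


@dataclass
class Procedure:
    """Left-hand side: one step of the normal use case and the actor who drives it."""
    name: str
    actor: str
    misuses: list = field(default_factory=list)


def unmitigated(use_case):
    """(procedure, misuse action) pairs that still have no procedural extension."""
    return [(p.name, m.action) for p in use_case for m in p.misuses if not m.mitigation]


def render_mmm(use_case, width=30):
    """Text rendering: normal use case on the left, separator, misuse analysis on the right."""
    rows = [f"{'USE CASE':<{width}} | MISUSE / EXTENSION"]
    for p in use_case:
        left = [f"[{p.actor}] {p.name}"]
        right = []
        for m in p.misuses:
            right.append(f"[{m.attacker}] {m.action}")
            right.append(f"  => {m.mitigation}" if m.mitigation else "  => (no mitigation yet)")
        for i in range(max(len(left), len(right))):
            l = left[i] if i < len(left) else ""
            r = right[i] if i < len(right) else ""
            rows.append(f"{l:<{width}} | {r}")
    return "\n".join(rows)


def sample_use_case():
    """Constructed 'log in and view order history' use case with its misuse column."""
    return [
        Procedure("Enter credentials", "Customer", [
            Misuse("Attacker", "guesses passwords repeatedly",
                   mitigation="Lock the account after repeated failures"),
        ]),
        Procedure("Request password reset", "Customer", [
            Misuse("Attacker", "requests a reset for a victim and intercepts the link"),
        ]),
        Procedure("View order history", "Customer"),
    ]


if __name__ == "__main__":
    print(render_mmm(sample_use_case()))
    print("Unmitigated:", unmitigated(sample_use_case()))
```

The `unmitigated` list is the output a reviewer wants from an MMM pass: every entry is a security requirement the design does not yet satisfy.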
Misuse Management Method (MMM)
Sequence Diagrams and Class Analysis
• A sequence diagram is a detailed breakdown of the
communication that will occur between actors and
system objects or components.
• A sequence diagram is most compatible with
object-oriented systems, because it allows
relatively straightforward mapping from use cases
by applying object models to the instantiation.
• A class is a template for behavior and variable
usage; an object is an instantiation of this
template.
Sequence Diagram
There are several types of classes that will be determined
in a sequence diagram:
• An entity class is, broadly, a storage class. The objects it
generates are the housing for most of the data in a
system.
• A boundary class is primarily responsible for handling
interactions between the actors and the system.
• A control class is a coordinator for the system. These
classes insulate entity classes from changing business
rules and policies, effectively modularizing the system to
a degree.
Sequence Diagrams Process Steps
1. Choose a single use case.
2. Write out each process of the use case in detail.
3. Specify a boundary class between the system and each actor.
4. Specify a single control class for the use case.
5. Specify an entity class for each object referenced in the use case.
6. Specify a control class for any generalized use case referenced.
7. Align the use case steps next to the row of actors and classes.
8. Determine lifetimes for the objects based on a complete sequence of
messages to and from the boundary class indicating a single overall
transaction in the system.
9. Refine your classes for any functionality that is too complex for a
single class.
10. Identify trusted and untrusted classes.
Sample Sequence Diagram
Restrictions for Boundary Classes
There are several good restrictions for boundary
classes:
• A boundary class is not allowed to directly execute
any input.
• A boundary class on the client machine is not
allowed to divulge or contain privacy data that is not
entered by the client or sent by the internal control
class.
• A boundary class must authenticate the
communicating control class to which it is connected.
Restrictions for Control Classes
• A control class on the outside of the trust boundary should never be
allowed to interface directly with a control class on the inside of the trust
boundary.
• A control class must authenticate the boundary classes from which it
receives a message.
• A control class must provide authentication to the boundary class to
which it is communicating.
• A control class must evaluate or process input from a boundary class
before directly executing any information coming from a boundary class.
• A control class must provide authentication to an entity class from which
it is requesting privacy data or mission-critical data.
• A control class that is not trusted cannot directly communicate to an
entity class that is trusted.
• All data members of a control class must be private or protected.
Restrictions for Entity Classes
• An entity class can divulge information only to a control class.
• An entity class on a client machine may not directly access
information inside the system trust boundary.
• An entity class may not communicate with a boundary class.
• An entity class housing private, confidential, or mission-critical
data must authenticate the control class with which it is
communicating.
• An entity class has the right to refuse to divulge information.
• An entity class is not allowed to have public data members.
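The restrictions on the three slides above can be enforced in code, not only on the diagram. The example below is an added illustration (not code from the lecture): a boundary class that packages actor input as data and never executes it, a control class that authenticates the boundary, validates the input and authenticates itself to the entity, and an entity class with no public data members that divulges records only to an authenticated control class and may refuse. The customer record, the link secrets and the HMAC-tag scheme used for class-to-class authentication are assumptions made for the example; Python's name mangling stands in for private members.

```python
import hashlib
import hmac
import re


class AuthError(Exception):
    """A class could not authenticate the class that sent it a message."""


class ValidationError(Exception):
    """Input from a boundary class failed the control class's checks."""


def _tag(key: bytes, name: str) -> str:
    """Keyed tag a class presents to prove its identity on a link (assumed scheme)."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()


class CustomerEntity:
    """Entity class: houses the data; divulges it only to an authenticated control class."""

    def __init__(self, control_key: bytes):
        self.__control_key = control_key                       # no public data members
        self.__records = {"alice": {"name": "Alice", "card_last4": "4242"}}  # constructed

    def read(self, caller: str, caller_tag: str, record_id: str):
        # The entity must authenticate the control class requesting private data.
        if not hmac.compare_digest(_tag(self.__control_key, caller), caller_tag):
            raise AuthError(f"entity refused unauthenticated caller {caller!r}")
        record = self.__records.get(record_id)
        return dict(record) if record else None               # may refuse: None, not data


class LookupControl:
    """Control class: authenticates the boundary, evaluates input, then uses the entity."""

    _ALLOWED = {"lookup": re.compile(r"[a-z]{1,16}")}          # only accepted op and shape

    def __init__(self, name, boundary_key, control_key, entity):
        self.__name, self.__entity = name, entity
        self.__boundary_key, self.__control_key = boundary_key, control_key

    def handle(self, boundary: str, boundary_tag: str, message: dict):
        if not hmac.compare_digest(_tag(self.__boundary_key, boundary), boundary_tag):
            raise AuthError(f"control refused unauthenticated boundary {boundary!r}")
        # Evaluate the input before anything is done with it.
        op, arg = message.get("op"), message.get("arg", "")
        pattern = self._ALLOWED.get(op)
        if pattern is None or not pattern.fullmatch(arg):
            raise ValidationError(f"rejected {op!r} with argument {arg!r}")
        # Authenticate ourselves to the entity, then return our tag so the boundary can verify us.
        result = self.__entity.read(self.__name, _tag(self.__control_key, self.__name), arg)
        return result, _tag(self.__boundary_key, self.__name)


class WebBoundary:
    """Boundary class: turns actor input into a data message; never executes it."""

    def __init__(self, name, boundary_key, control_name, control):
        self.__name, self.__control = name, control
        self.__boundary_key, self.__control_name = boundary_key, control_name

    def submit(self, raw_input: str):
        op, _, arg = raw_input.strip().partition(" ")         # data only; meaning decided by control
        result, control_tag = self.__control.handle(
            self.__name, _tag(self.__boundary_key, self.__name), {"op": op, "arg": arg})
        # The boundary must authenticate the control class that answered.
        if not hmac.compare_digest(_tag(self.__boundary_key, self.__control_name), control_tag):
            raise AuthError("boundary could not authenticate the control class")
        return result


def build_system():
    """Wire the three classes with assumed per-link secrets (constructed values)."""
    boundary_key, control_key = b"boundary-link-secret", b"control-link-secret"
    entity = CustomerEntity(control_key)
    control = LookupControl("LookupControl", boundary_key, control_key, entity)
    return WebBoundary("WebForm", boundary_key, "LookupControl", control), control, entity


def demo():
    """Exercise each restriction; returns the outcome per case for inspection."""
    boundary, control, entity = build_system()
    outcomes = {"valid": boundary.submit("lookup alice"), "refused": boundary.submit("lookup bob")}
    attempts = {
        "injection": lambda: boundary.submit("lookup alice; rm -rf /"),
        "spoofed_boundary": lambda: control.handle("WebForm", "bogus", {"op": "lookup", "arg": "alice"}),
        "direct_entity": lambda: entity.read("WebForm", "bogus", "alice"),
    }
    for label, call in attempts.items():
        try:
            call()
            outcomes[label] = "allowed"
        except (AuthError, ValidationError) as exc:
            outcomes[label] = type(exc).__name__
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>17}: {outcome}")
```

The injection attempt is rejected by the control class's evaluation step, not by the boundary, which is exactly the split the restrictions call for: the boundary only parses, the control decides.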
Vulnerability Mapping
• The overall goal of performing vulnerability
mapping is to determine the most likely
locations within the system in development
where an attacker will strike.
• To start vulnerability mapping, identify the
input locations of the system, the internal
communications, and the inter-process
communications.
Vulnerability Mapping
The following basic classification system will work:
• V3: the highest level of vulnerability. Example: text input in a form.
These locations get the highest security priority.
• V2: the moderate level of vulnerability. Example: inter-process
communication on the server; failing safely is the mitigation policy.
• V1: the lowest priority level of vulnerability. Example: HTML loading on
the client machine; failing safely is the mitigation policy.
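As an added example (not from the lecture), the sequence diagram can be held as a list of messages and checked mechanically: each arrow is tested against the boundary/control/entity restrictions from the earlier slides, and each is assigned a V-level. The mapping of V3/V2/V1 onto arrows (input entering from outside the trust boundary, server-side communication, output rendered on the client) is an assumption that follows the three examples on this slide; the login diagram, with one deliberate design error, is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    kind: str        # "actor", "boundary", "control" or "entity"
    trusted: bool    # True if the object lives inside the system trust boundary


@dataclass(frozen=True)
class Message:
    src: Node
    dst: Node
    payload: str     # what the arrow carries, e.g. "form text" or "SQL query"


def restriction_violations(messages):
    """(message, rule) pairs for each arrow that breaks a boundary/control/entity rule."""
    found = []
    for m in messages:
        s, d = m.src, m.dst
        if {s.kind, d.kind} == {"entity", "boundary"}:
            found.append((m, "an entity class may not communicate with a boundary class"))
        if s.kind == "entity" and d.kind != "control":
            found.append((m, "an entity class may divulge information only to a control class"))
        if s.kind == "control" and d.kind == "control" and s.trusted != d.trusted:
            found.append((m, "a control class outside the trust boundary may not interface "
                             "directly with one inside it"))
        if s.kind == "control" and not s.trusted and d.kind == "entity" and d.trusted:
            found.append((m, "an untrusted control class may not talk directly to a trusted entity"))
        if s.kind == "entity" and not s.trusted and d.trusted:
            found.append((m, "an entity class on the client may not access data inside the trust boundary"))
    return found


def vulnerability_level(m):
    """Assumed mapping of the V1-V3 scale onto arrows of the diagram."""
    s, d = m.src, m.dst
    if s.kind == "actor" or (not s.trusted and d.trusted):
        return "V3"          # input entering the system from outside the trust boundary
    if s.trusted and d.trusted:
        return "V2"          # internal / inter-process communication on the server
    return "V1"              # output rendered on the client machine


def vulnerability_map(messages):
    """Arrows ranked highest vulnerability first, with restriction violations flagged."""
    broken = {m for m, _ in restriction_violations(messages)}
    ranked = sorted(messages, key=vulnerability_level, reverse=True)   # stable within a level
    return [(vulnerability_level(m),
             f"{m.src.name} -> {m.dst.name}: {m.payload}" + (" [VIOLATION]" if m in broken else ""))
            for m in ranked]


def sample_diagram():
    """Constructed login sequence, including one deliberate design error."""
    user = Node("Customer", "actor", trusted=False)
    form = Node("LoginForm", "boundary", trusted=False)
    auth = Node("AuthControl", "control", trusted=True)
    accounts = Node("AccountStore", "entity", trusted=True)
    return [
        Message(user, form, "username and password text"),
        Message(form, auth, "login request"),
        Message(auth, accounts, "fetch password hash"),
        Message(accounts, auth, "stored hash"),
        Message(auth, form, "session token"),
        Message(form, user, "rendered HTML"),
        Message(form, accounts, "direct account query (design error)"),
    ]


if __name__ == "__main__":
    for level, line in vulnerability_map(sample_diagram()):
        print(level, line)
    for m, rule in restriction_violations(sample_diagram()):
        print("VIOLATION:", m.src.name, "->", m.dst.name, "-", rule)
```

The ranked list is the vulnerability map: the V3 arrows are where input validation and authentication effort goes first, the V2 and V1 arrows are where a fail-safe policy is specified, and any arrow flagged as a violation is a design defect to remove before mitigation is even discussed.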
Vulnerability Mapping
Another Example
CA-4
Protection System for Software Piracy
• The main concept of this project is to develop a protection system that
prevents software piracy and improves the protection of the software itself.
In industry, software piracy is a major threat because attackers use
malicious code and malware to gain access to software products, so a
protection system is needed to maintain data protection and the copyright of
software products. Users must first register their software product and then
buy the software online.
• When the online payment is complete, the user downloads the software
together with a serial key. The software reads the desktop (machine) ID and
generates a user ID from it with an algorithm, so the user gains access with
that ID and the serial key. Once the key is entered, the software produces a
key through encryption and compares it with the user's serial key for
verification. If the generated key matches the user's key, access to the
software product is granted; otherwise it is locked.

– Draw a sequence diagram for authenticating the user given key into the system.
– Map the potential vulnerability locations in the sequence diagram.
