College of Computing Sciences

 

 

Quantifiable Security Attributes

George Boole ushered in the era of modern logic by arguing that logical reasoning does not fall in the realm of philosophy, as it had been considered up to his time, but rather in the realm of mathematics, whereby logical propositions and logical arguments are modeled by algebraic structures. Likewise, we argue that security attributes ought to be modeled as mathematical propositions that can be formulated and reasoned about using algebraic structures, specifically refinement-like structures. This approach captures security attributes by their observable, verifiable attributes rather than their hypothesized causes (in terms of vulnerabilities, countermeasures, mitigation measures). It is further borne out by the observation that, in the same way that reliability is not necessarily contingent upon the total absence of faults, it is possible that security is only weakly correlated with the presence of vulnerabilities. This observation supports an approach to the characterization of security properties that departs from a focus on vulnerabilities and focuses instead on observable system behavior. A synopsis of this viewpoint is presented in this paper.