Practical Computer Security Analysis

This dissertation introduces Methodically Organized Argument Trees, a new approach to the development and presentation of assurance arguments about security properties. The MOAT approach was developed to assist users of the Legion Security Model, one of many new approaches to building novel distributed security architectures. Users of these new approaches need assurance that their systems will exhibit the security properties they require. Conventional security techniques do not solve this problem. Existing evaluation criteria are based on experience with conventional architectures and are not applicable to novel systems. And formal methods approaches are simply impractical.
The MOAT approach presents assurance arguments using AND/OR trees, similar to system fault trees. The trees provide a framework for the combination of multiple notations in a risk-specific manner. This allows the construction of balanced assurance arguments, where different elements are pursued to different extents, and assertions and assumptions coexist within a single framework. MOATs are developed using a risk-driven process model. Informal assurance strategies are gradually refined, by making them both more complete and more precise. The ordering of this refinement is based on the identified risks. The analysis is iterative and can be halted as soon as all interested parties are sufficiently convinced.
Based on several experiments involving aspects of the Legion Security Model, MOATs have proven to be a useful and affordable approach to building novel security architectures. They contribute to general problem understanding. They facilitate the communication of security arguments. And they can be smoothly integrated into a realistic, risk-driven process model. Based on these results, further development of the method appears to be warranted.