A requirements engineering driven approach to security architecture design for distributed embedded systems

During the last ten years, the impact of security concerns on the development and exploration of distributed embedded systems never ceased to grow. This is mainly related to the fact that these systems are increasingly interconnected and thus vulnerable to attacks, and that the economic interest in attacking them has simultaneously increased. In such a context, requirement engineering methodologies and tools have become necessary to take appropriate decisions regarding security early on. Security requirements engineering should thus strongly support the elicitation and specification of software security issues and solutions well before designers and developers are committed to a particular implementation. However, and that is especially true in embedded systems, security requirements should not be considered only as the abstract expression of a set of properties independently from the system architecture or from the threats and attacks that may occur. We believe this consideration is of utmost importance for security requirements engineering to be the driving force behind the design and implementation of a secure system. We thus describe in this thesis a security engineering requirement methodology depending upon a constant dialog between the design of system functions, the requirements that are attached to them, the design and development of the system architecture, and the assessment of the threats to system assets. Our approach in particular relies on a knowledge-centric approach to security requirement engineering, applicable from the early phases of system conceptualization to the enforcement of security requirements. Our methodology can be seen of as an iterative and complementary co-design process between security requirements and the system architecture. Its main goals are to identify, refine, and trace security requirements with enough expressivity and precision to become a central element throughout the lifecycle of a security architecture. We illustrate our approach with examples from the automotive on-board system domain.