RE: [mdt-sbvr.dev] SBVR for formalization of security weaknesses:lessons

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

RE: [mdt-sbvr.dev] SBVR for formalization of security weaknesses:lessons learned

From: "Dave Carlson" <dcarlson@xxxxxxxxxxxxxxx>
Date: Thu, 21 Aug 2008 16:22:26 -0600
Delivered-to: mdt-sbvr.dev@xxxxxxxxxxx
Importance: Normal
List-archive: <https://dev.eclipse.org/mailman/private/mdt-sbvr.dev>
List-help: <mailto:mdt-sbvr.dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/mdt-sbvr.dev>, <mailto:mdt-sbvr.dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/mdt-sbvr.dev>, <mailto:mdt-sbvr.dev-request@eclipse.org?subject=unsubscribe>
Thread-index: Acj0vmTbT1DOmSOlQ+Oe00yJFAGAFwPG/fgQ

Title: Message

Hello Nikolai,

Thanks for your message. I look forward to more active involvement by you and Spencer.

I corresponded with Spencer early this year about the SBVR metamodel that you implemented from the interchange schemas, and we agreed that it must be generated from the UML/CMOF metamodel specification, not from the schemas. I had also implemented a sample UI with pull-down menu similar to your screenshot (and sent the source for that prototype to Spencer).

We all agree that the SBVR interchange metamodel is not suitable for tool development. Since then, I have worked on an SBVR Tooling metamodel that has most concepts from meaning and vocabulary covered. I posted a message on 16 June with some specific queries... and received no responses. I will assume that no dissent means complete agreement :-) Please review the Wiki pages I created and referenced in that message and let me know if this approach, and the metamodel checked into CVS will meet your needs.

If we have initial agreement, then I will check into CVS the generated plugins for this SBVR Tools Metamodel. As described in my previous message, I also implemented a proof-of-concept transformation to the SBVR Exchange Metamodel. And I also implemented a partial UI navigator with pull-down menus very similar to yours.

This project must implement complete coverage of the metamodel; we cannot remove concepts. However, there were strong opinions stated in this list early on that we must support the levels of compliance points in the SBVR specification. The current SBVR Tools Metamodel attempts to satisfy this request by dividing the metamodel, and generated plugins, into modules so that you can create tooling applications that depend only on the vocabulary concept, and omit the business rules and logic concepts.

Best Regards,

Dave Carlson

-----Original Message-----
From: mdt-sbvr.dev-bounces@xxxxxxxxxxx [mailto:mdt-sbvr.dev-bounces@xxxxxxxxxxx] On Behalf Of Nikolai Mansourov
Sent: Saturday, August 02, 2008 10:40 AM
To: mdt-sbvr.dev@xxxxxxxxxxx
Cc: 'Spencer Cheng'
Subject: [mdt-sbvr.dev] SBVR for formalization of security weaknesses:lessons learned

Folks,

Spencer Cheng and myself from KDM Analytics have been on the list of interested parties from the beginning, unfortunately we have been unable to participate in any active sort of way until recently as we were heads down working on a couple of projects. Now that the major one is completed, we are looking forward to reengage with the rest of the team and to contribute.

I would like to share some of our experiences from a project that involved using SBVR for the formalization of security requirements in the context of software assurance.

First, our background. KDM Analytics the company is actively involved in the OMG software assurance and modernization task forces. I am part of the SBVR FTF. I am also chairing the Knowledge Discovery Metamodel (KDM) RTF within OMG. KDM is a normalized representation of existing software artifacts, and it is aligned with SBVR and also with RDF from W3C. Here is where you can learn more: http://www.kdmanalytics.com/kdm

and http://www.kdmanalytics.com/sbvr

Our recent project was in the area of building a standards-compliant framework for tool interoperability for software assurance of production code. This sounds like a mouthful. The project is about 1) creating common content for software assurance that can be plugged into the analysis tools; 2) tools to reverse engineer production code and populate KDM-compliant repository; 3) static analysis tools that can utilize standard content and search KDM-compliant repository and validate the formalized properties.

We are utilizing SBVR and KDM in this framework. The pilot studies showed that SBVR is a suitable way to formalize security requirements. The alignment between SBVR and KDM allows for the transformation of the security requirements into recursive queries against the KDM repository that contains standardized facts about the application. On the KDM side there is a growing community of tool vendors, in particular Modisco Eclipse project: http://www.eclipse.org/gmt/modisco/

Regarding SBVR tools. We looked at the Sbeaver tool, talked to the development team and assessed their entire code base. I am also part of the early adopter program for the Unisys Rules Modeler tool for a couple of years now. None of these tools were battle ready.

So we developed our own SBVR SDK using Eclipse EMF. The objective of the SBVR SDK is to provide guidance in developing semantic formulations for security-related statements. Security-related statements are simply statements that describe a certain condition using a controlled vocabulary. In other words, they are similar to business rules written against a business vocabulary, even though the community of interest does not call itself “business people”. We performed a pilot project in which we formalized security weaknesses taking the content from the so-called Common Weakness Enumeration (CWE) at http://cwe.mitre.org

The official MOF SBVR SDK is structured in such a way that does not offer much guidance for authoring using EMF-based tools. It is flat, while the EMF-based tool need single-parent ownership hierarchy to generate the editor with good guidance. By guidance I mean the reasonable pull-down menus (generated from the meta-model) that are reasonable restricted to the context-sensitive choices of modeling elements (Child and Sibling). The same type of guidance is useful for generating the EMF validator.

The other problem with the official SBVR (with respect to authoring tools) is the separation between Meaning, Presentation and Representation. While very useful as part of the SBVR framework in general, when naively plugged into a EMF-type tool, this is not useful, because of this separation leads to great redundancy in a simple use case, where a vocabulary and the corresponding rules are being authored for a given speech community. In this simple use case one creates an instance of Meaning element, and gives it a name (for example Concept “code path”), and then has to create a Representation element with a string “code path”, and say that the Concept “code path” is represented by a string “code path”. As the result, 3 elements are created, which is redundant.

So we decided to focus only on the Meaning slice of SBVR. In EMF terms, the name of the element is the presentation of the element, and the both the presentation and representation parts of the official SBVR MOF can be autogenerated. Note, this only works for a preselected speech community, in a more general case the entire SBVR framework is required. However, when it comes to authoring, there are usually two separate roles of 1) developing the base vocabulary and 2) translating it into another language.

The third thing we did was to disable all predefined SBVR vocabulary items (Vocabulary and Rules vocabulary), limiting the EMF metamodel to core elements. This is done by making these element abstract in the EMF.

The resulting SBVR SDK is quite useable, at least for someone who does not mind to work directly with SBVR semantic formulations. The resulting XMI has exactly the same structure as the semantic formulation outlines, provided in the specification. Attached is a screenshot of the SBVR SDK.

On top of the base SBVR SDK we implemented an export capability that generates the official SBVR XMI.

We used the SBVR SDK to author the vocabulary corresponding to some 30 Common Weakness Enumerations (from http://cwe.mitre.org) which provide informal descriptions for security weaknesses; and several corresponding semantic formulations. As part of the project we have delivered a detailed SBVR formalization methodology.

I understand that this approach is very similar to what was reported by Mike Linehan and what is being implemented in the MDT-SBVR tool metamodel.

I am in the process of doing a detailed assessment of the MDT-SBVR project so far. As I mention, we are looking forward to contribute to the MDT-SBVR. There is preliminary agreement that our SBVR SDK should be available as some kind of open source format.

Looking forward to your feedback,

Nick

Nikolai Mansourov

Chief Technology Officer

KDM Analytics

cell (613) 276-2323

www.kdmanalytics.com

e-mail: nick@xxxxxxxxxxxxxxxx

References:
- [mdt-sbvr.dev] SBVR for formalization of security weaknesses: lessons learned
  - From: Nikolai Mansourov

Prev by Date: RE: [mdt-sbvr.dev] ISO 16642
Next by Date: [mdt-sbvr.dev] Packaging convention
Previous by thread: [mdt-sbvr.dev] SBVR for formalization of security weaknesses: lessons learned
Next by thread: [mdt-sbvr.dev] ISO 16642
Index(es):
- Date
- Thread

Breadcrumbs