A Case Study in Security Requirements Engineering for a High Assurance System

Requirements speci cations for high assurance secure systems are rare in the open literature. This paper presents a case study in the development of a requirements document for a multilevel secure system that must meet stringent assurance and evaluation requirements. The system is secure, yet combines popular commercial components with specialized high assurance ones. Functional and non-functional requirements pertinent to security are discussed. A multidimensional threat model is presented. The threat model accounts for the developmental and operational phases of system evolution and for each phase accounts for both physical and non-physical threats. We describe our team-based method for developing a requirements document and relate that process to techniques in requirements engineering. The system requirements document presents a calibration point for future security requirements engineering techniques intended to meet both functional and assurance goals.