secure-software-engineering/Exercise/Writeup/lab01.md

Lab 1: Security Requirements

Metaverse User Stories

Metaverse Users are referred to as users here.

| User | Task | Goal | Context | Action | Outcomes |
|---|---|---|---|---|---|
| User | perform authorized payment transactions only | I can make transactions in my name | An adversary knows my payment information | he tries to pay with my info | the payment is declined if not authorized by me |
| Developer | access user configurations (avatars, config) | personalize the user experience of my applications | | | |
| Teacher | make physical course material available in the metaverse | students can see them in virtual reality | | | |
| User | have a unique identification key bound to my avatar | everyone can recognize my avatar | my avatar is public | my avatar is used by another user | the user cannot impersonate my identity because he doesn't know the key |
| User | virtual home to be self-hosted or zero-knowledge hosted | my privacy cannot be intruded upon | | | |

Corrections:

  • The user stories above are too non-functional; they should contain fewer security aspects and describe the use-case functionality instead

| User | Task | Goal |
|---|---|---|
| User | Perform a payment | Acquire a virtual/physical asset |
| User | Add and remove friends | Keep track of what my friends are up to |
| User | Set home privacy | Prevent strangers from entering my home |
| User | Use voice chat | Communicate with other users |
| User | Fast travel | Quickly get to another location in the virtual space |
| User | Give another user an item | Sell/Gift assets |

As a 'Metaverse user', I want to add/remove friends (to/from my virtual friend list) so I can keep track of their activities.

Integrity => Befriending strangers => disclosing personal information to strangers (HARM)

ACTION => Unauthorized access (edit) to FList

Assets

  • User identity
  • User belongings
  • Friends lists
  • Public image of system
  • Voice data

Harm analysis

"What HARM could come to [asset] from an [action] violating a [concern]?"

  • assets from User Stories
  • actions yield Avoid goals
  • concerns from CIA+ principles

| Action | Asset | Harm |
|---|---|---|
| Steal user credentials | User identity | User information compromised, belongings stolen |
| Accept unwanted friend request | Friends lists | User information partially compromised, trust acquired |
| Unmute user microphone without consent | Voice data | User privacy compromised |

'Achieve' goals

  • Always use multi-factor authentication for users

Use Cases

Produced using Lucidchart.

Use Case / Misuse Case diagram