The Main Results of the CORAS Project

The CORAS Framework

The CORAS framework is the overall result of the CORAS project since it integrates all the other CORAS results. The framework consists of terminology, languages for system modelling, processes for system development and risk management, methodologies for security risk analysis as well as computerised tools. In particular, the framework provides:

The CORAS Methodology for Model-Based Risk Assessment

The CORAS methodology for model-based risk assessment (MBRA) applies the standardised modelling technique UML to form input models to risk analysis methods that are used in a risk management process. This process is based on the standard AS/NZS 4360:1999 “Risk Management”. The CORAS methodology for MBRA can be utilised at three abstraction levels, and for each level recommendations and guidelines are provided, as well as templates, questionnaires and supportive descriptions. The CORAS methodology for MBRA is specialised towards assessment of security critical systems. The CORAS methodology for MBRA has been tested and turned out successfully on telemedicine and e-commerce systems through several trials. The benefit from using the methodology is that the assessment becomes effective due to a high degree of standardisation in describing the target of assessment and the increased level of reusability. At the same time the results become much easier to communicate to the different stakeholders.

The CORAS UML Profile for Security Assessment

The CORAS UML profile is an extension of the basic UML language targeting security risk assessment. The profile makes the UML diagrams easier to understand for non-experts, and at the same time preserves the well-definedness of UML. The profile for risk assessment provides rules and constraints for risk assessment relevant system documentation.

The CORAS Library of Reusable Experience Packages

The CORAS library of reusable experience packages supports reuse of risk assessment experiences and documentation. A significant part of the results of a security analysis carried out on an IT-system will typically have a certain general character. To avoid starting from scratch for every new analysis, it is important to gather these general aspects. The library of reusable experience packages captures such generic aspects in the form of e.g. UML-diagrams, table-formats, check lists, patterns and plain text. Each experience package is decomposed into experience elements. An experience package belongs to a domain, but may inherit elements from experience packages of other domains; e.g., an experience package in the telemedicine domain may inherit elements from experience packages in the health domain and the general domain. The experience packages are classified into constructive and supportive packages, which contain constructive and supportive elements, respectively. A supportive package documents methodological aspects like guidelines and recommendations while a constructive package provides formats and patterns for the documentation of assessment results and the assumptions on which they depend.

The CORAS Integration Platform

The CORAS integration platform is the main computerised component of the CORAS framework. The CORAS platform is used to store the results from ongoing and completed security analyses, as well as the reusable elements and experience packages. These are stored in two separate repositories, the Assessment Repository for the analysis results, and the Reusable Elements Repository for the reusable elements. During a security analysis, reusable elements may be instantiated and become part of the security analysis results. The platform GUI provides the end-user with administrative functionality, such as creating new security analysis projects and managing the reusable elements and experience packages. A wide variety of UML modelling tools and risk analysis tools exist and are in use by security analysts and system engineers today. The CORAS platform provides flexible support for integration with such external tools. To this end, the platform provides an integration layer with a defined API which tools can use to integrate with the platform, utilising standardised XML formats for data integration. The CORAS platform comes with full documentation and provides:

The CORAS XML Mark-Up for Security Assessment

In the absence of any standardised meta-data format for representing information related to risk assessment, the CORAS consortium has developed an XML mark-up for representing risk assessment information. Such meta-data description of core risk assessment data are being used for the purpose of consistency checking between different items of the repositories provided by the CORAS integration platform. The XML mark-up is also used to facilitate easy integration of risk analysis tools with the CORAS integration platform. In particular, the mark-up defines information models for the core elements of the different risk analysis methods used in CORAS.

The CORAS Vulnerability Assessment Report Format

As networks of hosts continue to grow in size and complexity, evaluating their vulnerabilities that could be exploited becomes increasingly more important preventative measure. Periodic network assessment, used to uncover and correct vulnerabilities, is a common intrusion prevention technique. Although the tools that perform those assessments, report the same basic information, there are some tool specific differences. Unfortunately, trying to combine output from these tools would require separate parsing tools to address the significant low-level differences. A standard format for representing assessment information in XML would bring with it the same types of benefits to the vulnerability assessment area with the ones that IDMEF and IODEF are going to bring to the intrusion detection and incident handling areas. The CORAS vulnerability assessment report format (VARF) addresses this problem by proposing data formats for sharing information of interest to vulnerability assessment and to facilitate the interaction with the risk management process.

Created 2/11/2003. Last updated 02/11/2003.