STS-Tool is the modelling and analysis support tool for STSml, our proposed actor- and goal-oriented security requirements modelling language for Socio-Technical Systems (STSs). STS-Tool allows designers to model an STS through high-level primitives, to express security constraints over the interactions between the actors in the STS, as well as to derive security requirements once the modelling is completed. The tool features a set of automated reasoning techniques for (i) checking if a given STS-ml model is well-formed, and (ii) determining if the speci cation of security requirements is consistent, that is, there are no con icts among security requirements. We have implemented these techniques using disjuntive datalog programs.
STS-Tool STS-Tool is the modelling and analysis support tool for STS-ml. It is an Eclipse Rich Client Platform application written in Java, it is distributed as a compressed archive for multiple platforms (Win 32/64, Mac OS X, Linux), and it is freely available for download from http://www.sts-tool.eu. The website includes extensive documentation including manuals, video tutorials, and lectures. STS-Tool has the following features: { Diagrammatic: the tool enables the creation (drawing) of diagrams. Apart from typical create/modify/save/load operations, the tool also supports: Providing di erent views on a diagram, speci cally: social view, information view, authorisation view. Each view shows speci c elements and hides others, while keeping always visible elements that serve as connection points between the views (e.g., roles and agents). Inter-view consistency is ensured by for instance propagating insertion or deletion of certain elements to all views.
Ensuring diagram validity (online): the models are checked for syntactic/ well-formedness validity while being drawn.
Exporting diagrams to di erent le formats (png, jpg, pdf, svg, etc.). { Automatic derivation of security requirements : security requirements are generated from a model as relationships between a requester and a responsible actor for the satisfaction of a security need. Security requirements can be sorted or ltered according to their di erent attributes. { Automated reasoning
O ine well-formedness analysis : some well-formedness rules of STS-ml are computationally too expensive for online veri cation, or their continuous analysis would limit the exibility of the modelling activities. Thus, some analyses about well-formedness are performed upon explicit user request. In Fig. 1, o ine well-formedness analysis has found no errors. Security analysis : verify (i) if the security requirements speci cation is consistent|no requirements are potentially con icting; (ii) if the diagram allows the satisfaction of the speci ed security requirements. This analysis is implemented in disjunctive Datalog and consists of comparing the possible actor behaviors that the model describes against the security requirements. The results are enumerated in a tabular form below the diagram, and rendered visible on the diagram itself when selected (see Fig. 1). A textual description provides details on the identi ed con icts. { Generating requirements documents : the modelling process terminates with the generation of a security requirements document, which supports the communication between the analyst and stakeholders. This document is customisable: the analyst can choose among a number of model features to include in the report (e.g., including only a subset of the actors, concepts or relations he or she wants more information about). The diagrams are explained in detail providing textual and tabular descriptions of the models. An example report is provided in 3.
The current version of STS-Tool (v1.3.1) is ready for public use. This version
of the tool is the result of an iterative development process, having been tested
on multiple case studies and evaluated with practitioners [
Tabs to switch between different views document provision
expressing security needs goal delegation selected conflict is visualised Identification of conflicts
through Security Analysis
ownership !"#$%$&'($0:
List of security requirements
The diagram is well-formed
Textual description of the identified conflict
9)$%/ aolploewraetido/npsrohibited !""#$%$&#'(7'&$&-/0%'( 5"$(-$#6 '&&)*+'( ;'#6$<(/5: ;'#6$<(/5: !"#$%$&'( '&&)*+'( 8*#0)'%0 -)'30 733$%$'( %*#0)'%0 ;'#6$<(/5: 9')073 ;'#6$<(/5: 2'(/ $#3*)4'0$*# 9')073 ,'#-. -/0'$I(1nformation view
3-$%, 3!'-)91 +'(, $#1/-2')$/# 3'!-)91 +,((,
!"#$%$&'($)* " # $ % +'(,7$#1/-2')$/# 8&&-/0'(7&-/0$5,5 !"#$%$&'(
" # $ % '&&-/0'(
!"#$%$&'(7'&&-/0'( +'(,7$#1/-2')$/# information
./0,-#2,#)7#/)$1$,5
goal scope
,./0
'&&($%')$/#
FP7 European Project Aniketos 4. It has proven suitable to model and reason
over models of a large size from di erent domains [
Acknowledgments. The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant no 257930 (Aniketos) and 256980 (NESSoS). 4 http://www.aniketos.eu