Seok-Won Lee IRISH SINGH 2022-08 31991 https://aurora.ajou.ac.kr/handle/2018.oak/20653 학위논문(박사)--아주대학교 일반대학원 :컴퓨터공학과,2022. 8 Chapter I. Introduction 1 A. Background and Motivation 1 B. Problem Statement 3 C. Contribution 5 D. Thesis Organization 7 Chapter II. Related Work 8 A. Systematic Literature Review Method 8 1. Research Process 9 B. Self-adaptive Security in Software Engineering 9 1. Self-adaptive Security Definition 10 2. Eliciting Self-Adaptive Security Requirements 11 3. Security Requirements Addressed Using Blockchain 12 4. Smart Contract enabled Self-Adaptive Security 12 5. Contribution & Comparison with the State-of-the-Art 13 6. Research Gap analysis 14 C. Goal-Based Modelling 15 D. Blockchain and Cloud Technology 16 1. Service Level Agreements in Cloud 18 Chapter III. Proposed Blockchain-Based Cloud Framework, RE_BBC & Self-adaptive Security for RE_BBC 20 A. Blockchain-Based Cloud (BBC) 20 1. Evaluating Comparative analysis between Blockchain and Cloud 20 2. Blockchain-Based Cloud (BBC) Framework 23 B. RE_BBC: Requirements Engineering Process for Blockchain-Based Cloud (BBC) 25 1. Phase 1: SLA Elicitation and SLA Definition 27 2. Phase 2: SLA Analysis and Negotiation 28 3. Phase 3: SLA Specification 28 4. SLA Requirements for BBC Systems 29 5. Phase 4: SLA Assessment and Validation 31 C. Service Level Agreement Smart Contracts in Blockchain-Based Cloud 32 1. Functioning of Service Level Agreement Smart Contracts in Blockchain-Based Cloud 33 2. Agents in Service Level Agreement Smart Contracts 34 D. Security Vulnerabilities in Blockchain-Based Cloud Smart Contract 35 1. Transaction-Ordering Dependence (TOD) 35 2. Timestamp dependence 38 3. Mishandled exceptions 39 4. Reentrancy vulnerability 41 5. Goal models for Service Level Agreement Smart Contract 42 E. Self-Adaptive Security Requirements Engineering Approach for Blockchain-Based Cloud Process (SRE_BBC) 44 1. Phase 1: Secure SLA based SC Monitoring and Elicitation 45 2. Phase 2: SLA based SC Threat Analysis 46 3. Phase 3: Secure SLA based SC Specification for BBC 47 4. Security Specification for SLA based SC 47 5. Phase 4: SLA based SC Assessment and Validation 49 F. Adaptive Secure Smart Contract Specifications 50 1. Concepts of Adaptive Secure-Business Contract Language (AS_BCL) and Adaptive Secure-Formal Contract Language (AS_FCL) 51 2. Adaptive Secure- Business Contract Language (AS_BCL) and mapping to MAPE-BBC 52 3. Adaptive Secure- Formal Contract Language (AS_FCL) and its mapping to MAPE-BBC 53 Chapter IV. Validation Method 56 A. Theoretical Evaluation 56 1. Case Study Design Methodology 56 2. Data Collection Method 59 B. Empirical Evaluation 60 1. Study Question and Hypothesis 60 2. Feasibility Study 62 3. Replicated Study 66 Chapter V. Case Study Description, Requirements & Formal Specifications 70 A. Case study 1: Healthcare Data Management-BBC (HDM_BBC) 70 1. SLA based Healthcare Data Management Blockchain-Based Cloud (HDM_BBC) Smart Contracts 70 2. Functional Requirements 71 3. Security Requirements 72 4. Scenarios 72 5. Formal Representation of SLA based HDM_BBC using AS_BCL and AS_FCL 73 B. Case study 2: Banking _Blockchain-Based Cloud (B_BBC) 77 1. SLA based Banking Blockchain-Based cloud (B_BBC) Smart Contracts 78 2. Functional Requirements 78 3. Security Requirements 78 4. Scenarios 79 5. Formal Representation of SLA based B_BBC using AS_BCL and AS_FCL 80 C. Case study 3: Intelligent Transportation System Blockchain Based Cloud (ITS_BBC) 82 1. SLA based Intelligent Transportation System-Blockchain-based cloud Smart contract (ITS_BBC_SC). 83 2. Functional Requirements 83 3. Security Requirements 83 4. Scenarios 84 5. Formal Representation of SLA based ITS_BBC using AS_BCL and AS_FCL 85 Chapter VI. Proposed Methodology Implementation 87 A. Secure SLA based SC Monitoring and Elicitation Phase (Monitoring) 87 B. SLA based SC Threat Analysis Phase 88 1. Transaction Ordering Dependence (V1) 88 2. Timestamp dependence (V2) 89 3. Mishandled exceptions (V3) 90 4. Reentrancy vulnerability (V4) 93 C. Secure SLA based SC Specification for BBC Phase (Planning) 95 D. SLA based SC Assessment and Validation Phase (Execution) 98 Chapter VII. Theoretical Evaluation Result 100 A. Theoretical Result 100 Chapter VIII. Empirical Evaluation Result 104 A. Feasibility Study Result 104 B. Replicated Study Result 120 Chapter IX. Discussion 136 Chapter X. Conclusion 137 REFERENCES 138 eng The Graduate School, Ajou University 아주대학교 논문은 저작권에 의해 보호받습니다. Self-Adaptive Security Requirements Engineering for Blockchain-Based Cloud Platform Thesis 아주대학교 일반대학원 SINGH IRISH 일반대학원 컴퓨터공학과 2022. 8 Doctoral I804:41038-000000031991 https://dcoll.ajou.ac.kr/dcollection/common/orgView/000000031991 SLA attacks blockchain cloud healthcare banking intelligent transportation system security smart contract threat model self-adaptation vulnerabilities goal model Several security vulnerabilities have been reported in the current state of blockchain-based cloud systems. One of these is the lack of a standard design process for developing secure smart contracts (SC). Also, the security mechanisms in the system are not designed to continuously evolve to address evolving adversary attacks. These issues prevent the BBC from taking effective decisions when faced with an attack. The goal of this study is to build a self-adaptive security framework that will allow the BBC to take effective decisions when faced with evolving adversary attacks. This framework is built on the principles of the software development lifecycle, which is designed to model secure SC. The system uses the multi-model adaptation loop to make decisions based on the threat models and the service level agreement, which are used to identify and mitigate threats. Through the validation of the proposed methodology, we were able to demonstrate the validity of the research questions and the hypothesis. We then compare the proposed approach with the security quality requirements engineering approach known as SQUARE. The results of the study revealed that the proposed approach performed better than the SQUARE approach in terms of various parameters such as the quality of artifacts, the time it took to respond to security threats, and the complexity of the system. The proposed methodology can be used by SC security developers to quickly develop and implement secure contracts. They can also take advantage of the flexibility of the framework to adapt it to their needs. The key contribution of this study are as follows: 1) Comparatively Analyze the feasibility of Blockchain for secure cloud 2) Propose a Blockchain based cloud (BBC) framework to enhance the security and trust of the data stored in the Cloud, make Service Level Agreements (SLA) transparent and open to all users, and maintain the confidentiality and integrity of the data 3) Propose RE_BBC: Requirements Engineering process for Service Level Agreements in BBC, where we used RE modelling to build SC to perform actions of third-party providers in the cloud, such as to develop SLA and to provision SLA for services and security functionalities to the users. 4) The proposed SRE_BBC Process is a self-adaptive security requirements engineering (SRE) approach to address the security vulnerabilities in the BBC's Smart Contracts using a combination of threat model, goal model, and MAPE-BBC process. This approach can be used to provide secure implementations of the contracts based on the Service Level Agreement (SLA). 5) To provide a secure and resilient framework, we need to develop formalisms that are designed to provide a self-adaptive approach to contract language. So, we propose the Adaptive Secure Business Contract Language (AS_BCL) and Adaptive Secure Formal Contract Language (AS_FCL). 6) We statistically prove the research questions and hypotheses using the t-test [11] and Mann–Whitney U test [12]. 7) The proposed SRE_BBC approach is compared with the state-of-the-art Security Quality Requirements Engineering approach (SQUARE) method [13] to evaluate various parameters such as quality of artifacts and self-adaptive security evaluation quality, efficiency, complexity, and usability based on statistical tests. 8) We applied our proposed approach to three case studies, including Healthcare Data Management Blockchain-Based Cloud (HDM_BBC) case study, Banking Blockchain-Based Cloud (B_BBC), and Intelligent Transportation system Blockchain-Based Cloud (ITS_BBC). 9) Six subject matter experts from the software engineering field are involved in this study to validate our research study. They have extensive experience in analyzing security concepts such as blockchain, cloud computing, and SC. The proposed approach SRE_BBC is novel and necessary because as of now, there is no design standard that follows RE principles to model secure smart contracts for the BBC system. As a result, the development quality is not assured, and several security issues, and privacy leakage plague the development of smart contracts for BBC applications. The SRE-_BBC process responds to the many of these challenges of the BBC and determines a novel direction to provide secure and quality development of blockchain-based applications. The SRE_BBC process aims to reach a complete understanding of the problems in BBC systems and to have a quality set of security requirements for a meaningful SLA process that is sufficient for building secure BBC systems and is satisfied by customers. Smart contract development has a lot of potential as the Smart contract market size is to reach USD 345.4 million by 2026 from USD 106.7 Million in 2019 at a Compound Annual Growth Rate of 18.1% and there is increasing adoption of more than 50 industries that smart contract development could transform. Some of them are banking, healthcare, government, management, supply chain, automobile, real estate, insurance, etc. Our SRE_BBC process can provide secure and quality development services to the above industries. Keywords: security; attacks; vulnerabilities; goal model; threat model; self-adaptation; Service Level Agreement; smart contract; blockchain; cloud; healthcare; banking; intelligent transportation system.