Online ISSN: 1349-8606
Progress in Informatics  
No. 5, March 2008  
Pages 75-89  
 
Feature interaction: the security threat from within software systems
Armstrong NHLABATSI, Robin LANEY, and Bashar NUSEIBEH

[1] R. Accorsi, C. Areces, W. Bouma, and M.d. Rijke, Features as Constraints, in Feature Interactions in Telecommunications and Software Systems, M. Calder and E. Magill, Editors. IOS Press: Amsterdam. pp. 210-225, 2000.

[2] I.F. Akyildiz, H. Rudin, L.G. Bouma, N. Griffeth, and K. Kimbler, “Special issue on the feature interactions in telecommunications systems.” Computer Networks, vol. 32, no. 4, 2000.

[3] K. Albert, K. Jensen, and R. Shapiro, “A Tool Package Supporting the Use of Colored Nets.” Petri Net Newsletter, vol. 32, pp. 22-35, 1989.

[4] P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis.” Proceedings of the 9th ACM conference on Computer and communications security, pp. 217-224, 2002.

[5] D. Amyot, “Use Case Maps as a Feature Description Notation,” in Language Constructs for Describing Features, S. Gilmore and M. Ryan, Editors. 2001, Springer, Berlin.

[6] D. Amyot and L. Logrippo, “Special issue: Directions in feature interaction research.” Computer Networks, vol. 45, no. 5, 2004.

[7] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. Canada: John Wiley & Sons, Inc., 2001.

[8] A.I. Antón and J.B. Earp, “A requirements taxonomy for reducing Web site privacy vulnerabilities.” Journal of Requirements Engineering, vol. 9, no. 3, 2004.

[9] A.K. Bandara, E.C. Lupu, and A. Russo. “Using event calculus to formalise policy specification and analysis.” in Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks. 2003.

[10] J. Bisbal and B.H.C. Cheng, “Resource-based Approach to Feature Interaction in Adaptive Software.” Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems, pp. 23-27, 2004.

[11] S. Bistarelli, “A soft constraint-based approach to the cascade vulnerability problem.” Journal of Computer Security, vol. 13, no. 5, pp. 699-720, 2005.

[12] L. Blair and K.J. Turner, “Handling Policy Conflicts in Call Control.” in Proc. International Conference on Feature Interaction VIII. Amsterdam, IOS Press. 2005.

[13] G.W. Bond, E. Cheung, K.H. Purdy, P. Zave, and C. Ramming, “An Open Architecture for Next-Generation Telecommunication Services.” ACM Transactions on Internet Technology (TOIT), vol. 4, no. 1, pp. 83-123, 2004.

[14] L. Bordeaux, Y. Hamadi, and L. Zhang, “Propositional Satisfiability and Constraint Programming: A comparative survey.” ACM Computing Surveys, vol. 38, no. 4, p. 12, 2006.

[15] J. Bredereke, “Configuring Members of a Family of Requirements Using Features.” in Feature Interactions in Telecommunications and Software Systems VIII. Leicester, U.K., IOS Press. 2005.

[16] J. Bredereke, “On Feature Orientation and on Requirements Encapsulation Using Families of Requirements,” in Objects, Agents, and Features, J.-J.C.M. Mark D. Ryan, Hans-Dieter Ehrich, Ed. Springer-Verlag, Berlin Heidelberg. pp. 26-44, 2004.

[17] M. Calder, M. Kolberg, E. Magill, and S. Reiff-Marganiec, “Feature interaction: A critical review and considered forecast.” Comput. Networks, vol. 41, no. 1, pp. 115-141, 2003.

[18] M. Calder and E. Magill, Feature Interactions in Telecommunications and Software Systems VI. Amsterdam, The Netherlands, IOS Press. 2000.

[19] M. Calder and A. Miller, “Feature interaction detection by pairwise analysis of LTL properties: a case study.” Formal Methods in System Design, vol. 28, no. 3, pp. 213-261, 2006.

[20] M. Calder and A. Miller, “Using SPIN for Feature Interaction Analysis - A Case Study.” in Proceedings of the 8th international SPIN workshop on Model checking of software. Toronto, Ontario, Canada, Springer-Verlag New York, Inc. 2001.

[21] E.J. Cameron, N. Griffeth, Y.-J. Lin, M.E. Nilson, W.K. Schnure, and H. Velthuijsen, “A feature-interaction benchmark for IN and beyond.” IEEE Communications Magazine, vol. 31, no. 3, pp. 64-69, 1993.

[22] E.J. Cameron and H. Velthuijsen, “Feature interactions in telecommunications systems.” IEEE Communications Magazine, vol. 31, no. 8, pp. 18-23, 1993.

[23] A. Charfi and M. Mezini, “Using aspects for security engineering of Web service compositions.” in Web Services, 2005. ICWS 2005. Proceedings. 2005 IEEE International Conference on. 2005.

[24] C. Chi and R. Hao, “Test generation for interaction detection in feature-rich communication systems.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 426-438, 2007.

[25] C. Damas, B. Lambeau, P. Dupont, and A. van Lamsweerde, “Generating annotated behavior models from end-user scenarios.” IEEE Trans. Softw. Eng., vol. 31, no. 12, pp. 1056-1073, 2005.

[26] P. Dini, A. Clemm, T. Gray, F.J. Lin, L. Logrippo, and S. Reiff-Marganiec, “Policy-enabled mechanisms for feature interactions: reality, expectations, challenges.” Comput. Networks, vol. 45, no. 5, pp. 585-603, 2004.

[27] C.D. Elfe, E.C. Freuder, and D. Lesaint, “Dynamic constraint satisfaction for feature interaction.” BT Technology Journal, vol. 16, no. 3, 1998.

[28] A.P. Felty and K.S. Namjoshi, “Feature specification and automated conflict detection.” ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 12, no. 1, pp. 3-27, 2003.

[29] Q. Fu, P. Harnois, L. Logrippo, and J. Sincennes, “Feature interaction detection: a LOTOS-based approach.” Comput. Networks, vol. 32, no. 4, pp. 433-448, 2000.

[30] M. Gelfond and V. Lifschitz, “Representing action and change by logic programs.” The Journal of Logic Programming, vol. 17, no. 2-4, pp. 301-321, 1993.

[31] D. Giannakopoulou and J. Magee, “Fluent model checking for event-based systems,” in Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering. ACM Press, Helsinki, Finland. pp. 257-266, 2003.

[32] J.C. Godskesen, “A Formal Framework for Feature Interaction with Emphasis on Testing,” in Feature Interactions in Telecommunications Systems III, K.E. Cheng and T. Ohta, Editors. IOS Press. pp. 21-30, 1995.

[33] N. Gorse, L. Logrippo, and J. Sincennes, “Formal Detection of Feature Interactions with Logic Programming and LOTOS.” Journal of Software and Systems Modeling, vol. 5, no. 2, p. 135, 2006.

[34] C.B. Haley, J.D. Moffett, R. Laney, and B. Nuseibeh, “A framework for security requirements engineering,” in Proceedings of the 2006 international workshop on Software engineering for secure systems. ACM, Shanghai, China. pp. 35-42, 2006.

[35] R.J. Hall, “Feature combination and interaction detection via foreground/background models.” Comput. Networks, vol. 32, no. 4, pp. 449-469, 2000.

[36] R.J. Hall, Feature Interaction in Electronic Mail, in Feature Interactions in Telecommunications and Software Systems VI, M. Calder and E.H. Magill, Editors. IOS Press, Glasgow, Scotland, UK, 2000.

[37] R.J. Hall, “Fundamental Nonmodularity in Electronic Mail.” Autom. Softw. Eng., vol. 12, no. 1, pp. 41-79, 2005.

[38] H. Hamed and E. Al-Shaer, “Taxonomy of conflicts in network security policies.” Communications Magazine, IEEE, vol. 44, no. 3, pp. 134-141, 2006.

[39] J.D. Hay and A.J. M., “Composing Features and Resolving Interactions.” ACM SIGSOFT Software Engineering Notes, vol. 25, Issue 6, pp. 110-119, 2000.

[40] M. Jackson, Problem frames: analysing and structuring software development problems. ACM Press. 2001, Harlow, Addison-Wesley, 2001.

[41] M. Jackson and P. Zave, “Distributed Feature Composition: A Virtual Architecture for Telecommunications Services.” Software Engineering, IEEE Transactions on, vol. 24, no. 10, pp. 831-847, 1998.

[42] N. Jianwei, J.M. Atlee, and N.A. Day, “Template semantics for model-based notations.” IEEE Transactions on Software Engineering, vol. 29, no. 10, pp. 866-882, 2003.

[43] H. Kaindl, “A scenario-based approach for requirements engineering: Experience in a telecommunication software development project.” Systems Engineering, vol. 8, no. 3, pp. 197-210, 2005.

[44] D.O. Keck and P.J. Kuehn, “The Feature and Service Interaction Problem in Telecommunications Systems: A Survey.” IEEE Trans. on Softw. Eng., vol. 24, no. 10, pp. 779-796, 1998.

[45] M. Kolberg and E.H. Magill, “Managing feature interactions between distributed SIP call control services.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 536-557, 2007.

[46] M. Kolberg, E.H. Magill, and M. Wilson, “Compatibility Issues between Services Supporting Networked Appliances.” IEEE Commun. Mag., vol. 41, no. 11, pp. 136-147, 2003.

[47] S.L. Kryvyi and L.Y. Matveyeva, “Formal Methods of Analysis of System Properties.” Journal of Cybernetics and Systems Analysis, vol. 39, no. 2, pp. 174-191, 2003.

[48] R. Laney, M. Jackson, and B. Nuseibeh, Composing Problems: Deriving specifications from inconsistent requirements. The Open University: Milton Keynes, U.K., 2005.

[49] R. Laney, T.T. Tun, M. Jackson, and B. Nuseibeh, Composing Features by Managing Inconsistent Requirements. in 9th International Conference on Feature Interactions in Software and Communication Systems. Grenoble, France, 2007.

[50] X. Liu, H. Yang, and H. Zedan, “Formal methods for the re-engineering of computing systems: a comparison.” in Computer Software and Applications Conference, 1997. COMPSAC'97. Proceedings., The Twenty-First Annual International. 1997.

[51] L. Logrippo, “Special issue on feature interactions in telecommunications software.” Comput. Networks and ISDN Systems, vol. 30, no. 15, 1998.

[52] L. Lorentsen, A.-P. Tuovinen, and J. Xu, “Modelling Feature Interaction Patterns in Nokia Mobile Phones using Coloured Petri Nets,” in 23rd International Conference on Application and Theory of Petri Nets. Adelaide, Australia, Springer-Verlag Berlin Heidelberg, 2002.

[53] Y. Lu, G. Wei, and T.-Y. Cheung, “Managing feature interactions in telecommunications systems by Temporal Colored Petri nets.” in Proceedings of the Seventh IEEE International Conference on Engineering of Complex Computer Systems, 2001. Skovde, Sweden, 2001.

[54] A. Metzger, “Feature interactions in embedded control systems.” Computer Networks, vol. 45, no. 5, pp. 625-644, 2004.

[55] A. Metzger and C. Webel, “Feature Interaction Detection in Building Control Systems by Means of a Formal Product Model.” in Feature Interactions in Telecommunications and Software Systems VII. Ottawa, Canada, IOS Press, 2003.

[56] E.T. Mueller, “Event calculus and temporal action logics compared.” Artificial Intelligence, vol. 170, no. 11, pp. 1017-1029, 2006.

[57] M. Nakamura, H. Igaki, and K.-i. Matsumoto, “Feature Interactions in Integrated Services of Networked Home Appliances: An Object Oriented Approach.” in 8th International Conference on Feature Interactions in Telecommunications and Software Systems. Leicester, UK, 2004.

[58] M. Nakamura, T. Kikuno, J. Hassine, and L. Logrippo, “Feature Interaction Filtering with Use Case Maps at Requirements Stage,” in Feature Interactions in Telecommunications and Software Systems VI, M. Calder and E. Magill, Editors. IOS Press, 2000.

[59] M. Nakamura, P. Leelaprute, and T. Kikuno, “Deriving Interaction-Prone Scenarios in Feature Interaction Filtering with Use Case Maps.” in Proceedings of the Seventh IEEE International Workshop on Object-Oriented Real-Time Dependable Systems (WORDS'02). 2002.

[60] S.R. Palmer and J.M. Felsing, A Practical Guide to Feature-Driven Development. Pearson Education, 2002.

[61] C. Phillips and L. Swiler, “A graph-based system for network-vulnerability analysis.” Proceedings of the 1998 workshop on New security paradigms, pp. 71-79, 1998.

[62] K.P. Pomakis and J.M. Atlee, “Reachability analysis of feature interactions: a progress report.” in Proceedings of the 1996 ACM SIGSOFT international symposium on Software testing and analysis. San Diego, California, United States: ACM Press New York, NY, USA. 1996.

[63] C. Ramakrishnan and R. Sekar, Model-based analysis of configuration vulnerabilities. Intrusion Detection, 2002.

[64] S. Reiff-Marganiec, “Policies: Giving Users Control over Calls,” in Agents, Objects and Features, M.D. Ryan, J.-J.C. Meyer, and H.-D. Ehrlich, Ed. Springer Verlag, Berlin. pp. 189-208, 2004.

[65] S. Reiff-Marganiec and M.D. Ryan, Feature Interactions in Telecommunications and Software Systems VIII. Amsterdam, The Netherlands, IOS Press, 2005.

[66] S. Reiff-Marganiec and M.D. Ryan, “Guest Editorial.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 357-358, 2007.

[67] S. Reiff-Marganiec and K.J. Turner, “Feature Interaction in Policies.” Comput. Networks: The International Journal of Computer and Telecommunications Networking, vol. 45, no. 5, pp. 569-584, 2004.

[68] W.N. Robinson, S.D. Pawlowski, and V. Volkov, “Requirements Interaction Management.” ACM Comput. Surv., vol. 35, no. 2, pp. 132-190, 2003.

[69] M. Shanahan, “The Event Calculus Explained,” in Lecture Notes in Computer Science. Springer: Berlin / Heidelberg. p. 409, 1999.

[70] M. Shehata, A. Eberlein, and A.O. Fapojuwo, “A taxonomy for identifying requirement interactions in software systems.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 398-425, 2007.

[71] S. Siddiqi and J.M. Atlee, “A hybrid model for specifying features and detecting interactions.” Comput. Networks, vol. 32, no. 4, pp. 471-485, 2000.

[72] G. Sindre and A.L. Opdahl, “Eliciting security requirements with misuse cases.” Journal of Requirements Engineering, vol. 10, no. 1, pp. 34-44, 2005.

[73] G. Spanoudakis and K. Mahbub, “Non Intrusive Monitoring of Service Based Systems.” International Journal of Cooperative Information Systems, vol. 15, no. 3, pp. 325-358, 2006.

[74] R. Telang and S. Wattal, “An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price.” Software Engineering, IEEE Transactions on, vol. 33, no. 8, pp. 544-557, 2007.

[75] S. Thiel, S. Ferber, T. Fischer, A. Hein, and M. Schlick, “A Case Study in Applying a Product Line Approach for Car Periphery Supervision Systems,” in Proceedings of In-Vehicle Software 2001 (SP-1587). Detroit, Michigan, USA. 2001.

[76] C.R. Turner, A. Fuggetta, L. Lavazza, and A.L. Wolf, “A Conceptual basis for feature engineering.” The Journal of Systems and Software, vol. 49, no. 1, pp. 3-15, 1999.

[77] K.J. Turner, “Formalising the Chisel Feature Notation,” in Proceedings of the Feature Interactions in Telecommunications Networks VI, M.H. Calder and E.H. Magill, Ed. IOS Press Amsterdam, Amsterdam. pp. 241-256, 2000.

[78] K.J. Turner and L. Blair, “Policies and conflicts in call control.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 496-514, 2007.

[79] K.J. Turner, E.H. Magill, and D.J. Marples, Service Provision. Wiley Series in Communications Networking & Distributed Systems, ed. D. Hutchison. John Wiley & Sons, Ltd. 2004.

[80] S. Uchitel and M. Chechik, “Merging Partial Behavioural Models.” in ACM International Symposium on Foundations of Software Engineering (FSE'04). Newport Beach, 2004.

[81] M. Weiss, Detecting Feature Interactions in Web Services. 2003, Carleton University, Ottawa, Canada.

[82] M. Weiss, “Feature Interactions in Web Services.” in Feature Interactions in Telecommunications and Software Systems VII, June 11-13, 2003. Ottawa, 2003.

[83] M. Weiss, B. Esfandiari, and Y. Luo, “Towards a Classification of Web Service Feature Interactions.” in Proceedings Third International Conference Service-Oriented Computing-ICSOC 2005. Amsterdam, The Netherlands: Springer Berlin/Heidelberg. 2005.

[84] M. Weiss, B. Esfandiari, and Y. Luo, “Towards a classification of web service feature interactions.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 359-381, 2007.

[85] X. Wu and H. Schulzrinne, “Handling feature interactions in the language for end system services.” Journal of Computer Networks: Special Issue on Feature Interaction, vol. 51, no. 2, pp. 515-535, 2007.

[86] T. Yokogawa, T. Tsuchiya, M. Nakamura, and T. Kikuno, “Feature Interaction Detection by Bounded Model Checking.” IEICE Transactions on Information and Systems 2003, vol. E86-D, no. 12, pp. 2579-2587, 2003.

[87] P.S. Yu and D.M. Dias, “Performance analysis of concurrency control using locking with deferred blocking.” Software Engineering, IEEE Transactions on, vol. 19, no. 10, pp. 982-996, 1993.

[88] P. Zave, “Requirements for Evolving Systems: A Telecommunications Perspective.” in Fifth IEEE International Symposium on Requirements Engineering (RE '01), 2001. IEEE Computer Society, 2001.

[89] P. Zave and M. Jackson, “Conjunction as composition.” ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 2, no. 4, pp. 379-411, 1993.

[90] P. Zave and M. Jackson, “Four dark corners of requirements engineering.” ACM Trans. Softw. Eng. Methodol. (TOSEM), vol. 6, no. 1, pp. 1-30, 1997.