Requirements Engineering Laboratory @ CMU
Director:
Dr. Travis D. Breaux
 
Collaborators:
Dr. Alessandro Acquisti
Dr. Thomas Alspaugh
Dr. Lorrie Cranor
Dr. David Baumer
Dr. David Gordon
Dr. Jianwei Niu
Dr. Rahul Telang
Dr. Joel Reidenberg
Dr. Norman Sadeh
Dr. Florian Schaub
Dr. Laurie Williams
 
Associates:
Jaspreet Bhatia
Hanan Hibshi
Rocky Slavin
Daniel Smullen

The Requirements Engineering Laboratory is a research lab dedicated to the study of computational methods, tools and techniques for capturing, modeling and analyzing software requirements to improve trust and assurance in the software systems. Our research combines formal and experimental methods to study both limits of design specification in characterizing problems and solutions, as well as the limits of human comprehension in the application of tools to solve real world problems. Following is a list of our current projects:

Composable and Usable Security and Privacy Requirements

Mobile and cloud-based computing have transformed how users interact with data and computation at unprecedented scale, including social and crowd-based computing. Developers create these new experiences by integrating components from different services for data storage, authentication and navigation, among others. To do, however, developers must share sensitive user information with third parties in ways that may compromise the privacy and security of users. This project is developing new specification languages to enable developers to express their privacy and security design intent and to check that this intent is preserved across multi-party services and component-based software. Tools that we are developing can be used to check data sharing specifications for undesirable ambiguities, inconsistencies and conflicts with privacy and security requriements. As a result, developers will be able to transparently consider design trade-offs by comparing third-party services and be able to more effectively design systems to preserve privacy across complex, multi-party data supply chains.

Relevant Publications: [BHR13] [BR13]


Handling Risk and Uncertainty in Security Requirements Analysis

Critical and commercial IT infrastructure is subject to security and privacy risks that developers must address through rigorous requirements analysis. While large repositories of security and privacy requirements (i.e., best practice) exist and are publicly available, developers generally fail to implement these requirements in practice. Based on our research, we believe this failure is due to the challenges of perceiving and comprehending risk cues, and then transitioning to reason about potential threats and attacks. This project aims to study how developers and analysts perceive privacy and security risk and how they mitigate these risks by capturing and encoding the analyst reasoning processes using a combination of qualitative and quantitative research methods.

Relevant Publications: [HB14]


Harmonizing Multi-Jurisdictional Privacy and Security Policy.

Products and services are increasingly designed for consumption across multiple jurisdictions, and in some cases these services require sharing information across national and provincial boundaries. This subjects data to the different governmental privacy and security laws, which may conflict or require reconciliation. This project aims to enable software developers to reason about multi-jurisdictional trade-offs in cloud computing requirements, where data is stored and distributed across multi-national and provincial boundaries and users enjoy the privacy protections of their host nations, provinces and municipalities. Our current work includes techniques for comparing requirements across jurisdictions and identifying a high and low water mark to assess various levels of care in legal compliance.

Relevant Publications: [GB13a] [GB13b] [GB12]