Formalizing Security and Safety Requirements by Mapping Attack-Fault Trees on Obstacle Models with Constraint Programming Semantics

Requirements Engineering (RE) covers not only the capture and structuring of various properties the system should achieve but also the identification of high-level choices on how to achieve such goals or to avoid related obstacles. Generic RE frameworks support simple formalisation of alternatives using AND/OR refinements while more specialised fields such as safety and security engineering have richer analysis capabilities respectively through fault and attack trees. In this paper, we review the various constructs proposed in those domains and state their semantics at RE level to support safety and security co-engineering. As a supplementary step, we propose a mapping on the semantics provided by Constraint Programming in order to search for optimal configurations in the design space of a RE model. We consider multiple objectives stated as non-functional requirements and formalised using quantified attributes over goal models. Our work is validated on the complex design of an oil pipe system mixing safety and security critical properties.