Simon Schneider,Riccardo Scandariato

2023-04-25

Abstract:Dataflow diagrams (DFDs) are a valuable asset for securing applications, as they are the starting point for many security assessment techniques. Their creation, however, is often done manually, which is time-consuming and introduces problems concerning their correctness. Furthermore, as applications are continuously extended and modified in CI/CD pipelines, the DFDs need to be kept in sync, which is also challenging. In this paper, we present a novel, tool-supported technique to automatically extract DFDs from the implementation code of microservices. The technique parses source code and configuration files in search for keywords that are used as evidence for the model extraction. Our approach uses a novel technique that iteratively detects new keywords, thereby snowballing through an application's codebase. Coupled with other detection techniques, it produces a fully-fledged DFD enriched with security-relevant annotations. The extracted DFDs further provide full traceability between model items and code snippets. We evaluate our approach and the accompanying prototype for applications written in Java on a manually curated dataset of 17 open-source applications. In our testing set of applications, we observe an overall precision of 93% and recall of 85%.

Software Engineering

Nicolas Boltz,Sebastian Hahner,Christopher Gerking,Robert Heinrich

2024-03-14

Abstract:The growing interconnection between software systems increases the need for security already at design time. Security-related properties like confidentiality are often analyzed based on data flow diagrams (DFDs). However, manually analyzing DFDs of large software systems is bothersome and error-prone, and adjusting an already deployed software is costly. Additionally, closed analysis ecosystems limit the reuse of modeled information and impede comprehensive statements about a system's security. In this paper, we present an open and extensible framework for data flow analysis. The central element of our framework is our new implementation of a well-validated data-flow-based analysis approach. The framework is compatible with DFDs and can also extract data flows from the Palladio architectural description language. We showcase the extensibility with multiple model and analysis extensions. Our evaluation indicates that we can analyze similar scenarios while achieving higher scalability compared to previous implementations.

Software Engineering,Cryptography and Security

Winnie Bahati Mbaka,Katja Tuma

2024-08-15

Abstract:The arrival of recent cybersecurity standards has raised the bar for security assessments in organizations, but existing techniques don't always scale well. Threat analysis and risk assessment are used to identify security threats for new or refactored systems. Still, there is a lack of definition-of-done, so identified threats have to be validated which slows down the analysis. Existing literature has focused on the overall performance of threat analysis, but no previous work has investigated how deep must the analysts dig into the material before they can effectively validate the identified security threats. We propose a controlled experiment with practitioners to investigate whether some analysis material (like LLM-generated advice) is better than none and whether more material (the system's data flow diagram and LLM-generated advice) is better than some material. In addition, we present key findings from running a pilot with 41 MSc students, which are used to improve the study design. Finally, we also provide an initial replication package, including experimental material and data analysis scripts and a plan to extend it to include new materials based on the final data collection campaign with practitioners (e.g., pre-screening questions).

Software Engineering

Haocheng Zhang,Wei Liu,Hao Xiong,Xiaoju Dong

DOI: https://doi.org/10.1016/j.jvlc.2018.08.001

2018-01-01

Journal of Visual Languages & Computing

Abstract:Data flow diagram (DFD) is an indispensable method to model data processing in software engineering. To analyze DFD rigorously, a formal semantics is demanded. Formal interpretation of DFD and its formal semantics lead to an accurate and non-ambiguous analysis. Calculus of Communicating System (CCS), a formal approach in concurrent system modeling, could be utilized to describe DFD. Given its CCS description, automation tools generate the state space of the system depicted by DFD, which reflects all the behaviors of the system. However, analyzing the state space only with character expressions is hard for software developers. In this paper, a visual system is introduced to assist developers to analyze and compare the systems by combination of formal methods and visualization techniques.

Hanaa Alshareef,Sandro Stucki,Gerardo Schneider

DOI: https://doi.org/10.48550/arXiv.2011.12028

2020-11-24

Abstract:Recent regulations, such as the European General Data Protection Regulation (GDPR), put stringent constraints on the handling of personal data. Privacy, like security, is a non-functional property, yet most software design tools are focused on functional aspects, using for instance Data Flow Diagrams (DFDs). In previous work, a conceptual model was introduced where DFDs could be extended into so-called Privacy-Aware Data Flow Diagrams (PA-DFDs) with the aim of adding specific privacy checks to existing DFDs. In this paper, we provide an explicit algorithm and a proof-of-concept implementation to transform DFDs into PA-DFDs. Our tool assists software engineers in the critical but error-prone task of systematically inserting privacy checks during design (they are automatically added by our tool) while still allowing them to inspect and edit the. PA-DFD if necessary. We have also identified and addressed ambiguities and inaccuracies in the high-level transformation proposed in previous work. We apply our approach to two realistic applications from the construction and online retail sectors.

Software Engineering

Katja Tuma,Sven Peldszus,Daniel Strüber,Riccardo Scandariato,Jan Jürjens

DOI: https://doi.org/10.1007/s10270-022-00991-5

2022-03-18

Abstract:Abstract It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated , and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

computer science, software engineering

Andrei Brazhuk

2023-03-20

Abstract:For a long time threat modeling was treated as a manual, complicated process. However modern agile development methodologies and cloud computing technologies require adding automatic threat modeling approaches. This work considers two challenges: creating a set of machine-readable data flow diagrams that represent real cloud based applications; and usage domain specific knowledge for automatic analysis of the security aspects of such applications. The set of 180 semantic diagrams (ontologies and knowledge graphs) is created based on cloud configurations (Docker Compose); the set includes a manual taxonomy that allows to define the design and functional aspects of the web based and data processing applications; the set can be used for various research in the threat modeling field. This work also evaluates how ontologies and knowledge graphs can be used to automatically recognize patterns (mapped to security threats) in diagrams. A pattern represents features of a diagram in form of a request to a knowledge base, what enables its recognition in a semantic representation of a diagram. In an experiment four groups of the patterns are created (web applications, data processing, network, and docker specific), and the diagrams are examined by the patterns. Automatic results, received for the web applications and data processing patterns, are compared with the manual taxonomy in order to study challenges of automatic threat modeling.

Cryptography and Security,Artificial Intelligence

Ulfar Erlingsson

DOI: https://doi.org/10.1109/csf.2016.40

2016-06-01

Abstract:For computer software, our security models, policies, mechanisms, and means of assurance were primarily conceived and developed before the end of the 1970's. However, since that time, software has changed radically: it is thousands of times larger, comprises countless libraries, layers, and services, and is used for more purposes, in far more complex ways. It is worthwhile to revisit our core computer security concepts. This paper outlines what a data-driven model for software security could look like, and describes how the above three questions can be answered affirmatively. Specifically, this paper briefly describes methods for efficient, detailed software monitoring, as well as methods for learning detailed software statistics while providing differential privacy for its users, and, finally, how machine learning methods can help discover users expectations for intended software behavior, and thereby help set security policy. Those methods can be adopted in practice, even at very large scales, and demonstrate that data-driven software security models can provide real-world benefits.

Tingting Lu,Junfeng Wang

DOI: https://doi.org/10.1016/j.cose.2019.04.002

IF: 5.105

2019-01-01

Computers & Security

Abstract:Most software attacks subvert the intended data-flow of a program via exploiting the memory corruption vulnerabilities. Data-Flow Integrity (DFI) is a generic defense against such attacks. Its security guarantee mainly depends on the accuracy of the static Data-Flow Graph (DFG) generated from Data-Flow Analysis (DFA), but the static DFG is conservatively over-approximated due to the imprecision of DFA. Hence a natural question is: what is the real protective power of DFI and how to measure it? In this work, we first evaluate the effectiveness of DFI based on the constructed memory corruption offense-defense model and the proposed attack Data-Flow Bending (DFB). We show how DFB corrupts memory data while adhering to DFI through a proof-of-concept exploit. Furthermore, we verify the possibility of the state-of-the-art data-oriented attacks using practical cases in the presence of DFI. Our work indicates that DFI may be ineffective against the exploitation of memory corruption vulnerabilities in certain circumstances, and that DFB can circumvent DFI to carry out memory corruption attacks.

CHEN Feng,LI Wei-hua

2011-01-01

JOURNAL OF NORTHWEST UNIVERSITY(NATURAL SCIENCE EDITION)

Abstract:Aim To analyze and verify the software safety models effectively in the early stage of software design and development.Methods The methods for software safety analysis,derification and fomal modeling prooide that.Results A safety extended deterministic finite automata,SEDFA,is introduced.On the base of establishing security-related non-formal model by UMLsec,the sequence diagram,which expresses the security interaction,can be depicted by SEDFA.Firstly,the automata of signal object are created.Secondly,the product automaton of objects is constructed,and the SEDFA which indicates the complete interaction of the system is obtained.Conclusion It provides the foundation for the system safety property verification and achieving software safety test sases is the fatare work.

Qiong Feng,Rick Kazman,Yuanfang Cai,Ran Mo,Lu Xiao

DOI: https://doi.org/10.1109/wicsa.2016.41

2016-01-01

Abstract:Recently there has been increased attention to the consequences of architecture design decisions and their impact on security. Architectural design decisions have been identified as being critical for achieving high levels of software system security. However the majority of this research has been anecdotal and there are few tools or methods for understanding the architectural relations among files, and their impact on security. In this paper we employ a DRSpace-based analysis approach to identify architectural design flaws and we show, via an empirical study of 10 open source projects, that areas of a software architecture that suffer from greater numbers of design flaws are highly correlated with security bugs, and high levels of churn associated with those security bugs. Finally, we show that a specific type of design flaw-unstable interface-is correlated with the greatest increase in software security bugs.

Hao Xiong,Haocheng Zhang,Xiaoju Dong,Lingxi Meng,Wenyang Zhao

DOI: https://doi.org/10.1007/978-981-10-6385-5_55

2017-01-01

Abstract:Data flow diagram (DFD), as a special kind of data, is a design artifact in both requirement analysis and structured analysis in software development. However, rigorous analysis of DFD requires a formal semantics. Formal representation of DFD and its formal semantics will help to reduce inconsistencies and confusion. The logical structure of DFD can be described using formalism of Calculus of Communicating System (CCS). With a finite number of states based on CCS, state space methods will help a lot in analysis and verification of the behavior of the systems. But the number of states of even a relatively small system is often very great that is called state explosion. In this paper, we present a visual system which combines Formal methods and visualization techniques so as to help the researchers to understand and analyze the system described by the DFD regardless of the problem of state explosion.

Lirong Dai,Kendra Cooper

DOI: https://doi.org/10.1016/j.scico.2006.10.010

IF: 1.039

2007-01-01

Science of Computer Programming

Abstract:The vision, strategies, and goals of enterprises involve numerous security issues; these stem from legal and business concerns. In turn, these goals are realized by the enterprise, organized into business groups, departments, divisions, etc. For example, a financial organization, such as a bank, needs to provide a range of services to their customers including private banking, commercial banking, international banking, and investment services. These services are provided by sub-organizations in the enterprise (i.e., the enterprise architecture); the sub-organizations are often partitioned along the business lines. For example, one sub-organization is responsible for private banking, another for commercial banking, etc. When providing financial services, there is a need to ensure that customer and account data are kept private, not corrupted, and safely backed up. Some of these needs may be realized in a collection of software applications. The problem of effectively designing secure software systems to meet an organization’s needs is a critical part of their success. This paper focuses on the problem of how to bridge the gap between enterprise and software architectures for security using a set of UML based notations: the Business Modeling Extension for UML, standard UML use case diagrams, and the Formal Design Analysis Framework (FDAF). The Business Modeling Extension and standard UML are established approaches we adopt in this work. FDAF is an aspect-oriented approach that supports the design and analysis of non-functional properties for distributed, real-time systems at the software architecture level. An empirical study for an online banking system is used to illustrate the approach.

Felix Schwickerath,Nicolas Boltz,Sebastian Hahner,Maximilian Walter,Christopher Gerking,Robert Heinrich

2023-08-03

Abstract:Through the increasing interconnection between various systems, the need for confidential systems is increasing. Confidential systems share data only with authorized entities. However, estimating the confidentiality of a system is complex, and adjusting an already deployed software is costly. Thus, it is helpful to have confidentiality analyses, which can estimate the confidentiality already at design time. Based on an existing data-flow-based confidentiality analysis concept, we reimplemented a data flow analysis as a Java-based tool. The tool uses the software architecture to identify access violations based on the data flow. The evaluation for our tool indicates that we can analyze similar scenarios and scale for certain scenarios better than the existing analysis.

Software Engineering,Cryptography and Security

Binghan Wang,Hui Li,Jingjing Guan

DOI: https://doi.org/10.1145/3634737.3656288

2024-01-01

Abstract:The Data Distribution Service (DDS) constructs a highly available data transmission middleware based on the publish-subscribe model, widely used in the Internet of Things environment. To improve the security of DDS, the Object Management Group formulated the DDS Security, which provides security mechanisms for DDS in the form of security plugins. However, the security of the DDS Security protocol has not been fully analyzed. We analyze DDS Security through formal methods. We model the security goals and protocol flow of the DDS Security using ProVerif and evaluate whether its security goals can be met in different scenarios. Our analysis confirms previously manually identified vulnerabilities in an automated way and reveals new attacks. We discovered the permission file impersonation attack, the denial of service attack, the degradation attack, and the privacy leakage attack guided by the formal analysis result. For these threats, we propose corresponding mitigation measures and recommendations.

K Cooper,LR Dai

DOI: https://doi.org/10.1016/j.scico.2005.11.006

IF: 1.039

2006-01-01

Science of Computer Programming

Abstract:The problem of effectively designing and analyzing software to meet non-functional requirements is an important research topic. The Formal Design Analysis Framework (FDAF) is an aspect-oriented approach that supports the design and analysis of multiple non-functional requirements for distributed, real-time systems. In this paper, a security attribute, data origin authentication, is defined as a reusable design aspect based on its security pattern definition. FDAF provides a UML extension to weave the security aspect into a conventional UML design. This is accomplished by abstracting Aspect-Oriented Programming concepts join points and advice to the design level. FDAF then supports the automated translation of a UML design into Rapide formal architectural description language, allowing the simulation of a system's response time. Thus, the response time of a design with and without the security aspect can be respectively analyzed, and the performance cost of this aspect can be predicted. Part of the translating algorithms is presented and the FDAF approach is illustrated by using the Domain Name System.

Feiyang Tang,Bjarte M. Østvold

DOI: https://doi.org/10.48550/arXiv.2209.02948

2022-09-07

Cryptography and Security

Abstract:We increasingly rely on digital services and the conveniences they provide. Processing of personal data is integral to such services and thus privacy and data protection are a growing concern, and governments have responded with regulations such as the EU's GDPR. Following this, organisations that make software have legal obligations to document the privacy and data protection of their software. This work must involve both software developers that understand the code and the organisation's data protection officer or legal department that understands privacy and the requirements of a Data Protection and Impact Assessment (DPIA). To help developers and non-technical people such as lawyers document the privacy and data protection behaviour of software, we have developed an automatic software analysis technique. This technique is based on static program analysis to characterise the flow of privacy-related data. The results of the analysis can be presented as a graph of privacy flows and operations - that is understandable also for non-technical people. We argue that our technique facilitates collaboration between technical and non-technical people in documenting the privacy behaviour of the software. We explain how to use the results produced by our technique to answer a series of privacy-relevant questions needed for a DPIA. To illustrate our work, we show both detailed and abstract analysis results from applying our analysis technique to the secure messaging service Signal and to the client of the cloud service NextCloud and show how their privacy flow-graphs inform the writing of a DPIA.

C. P. Mu,X. J. Li,H. K. Huang,S. F. Tian

DOI: https://doi.org/10.1007/978-3-540-88313-5_3

2008-01-01

Abstract:In the paper, an online risk assessment model based on D-S evidence theory is presented. The model can quantitate the risk caused by an intrusion scenario in real time and provide an objective evaluation of the target security state. The results of the online risk assessment show a clear and concise picture of both the intrusion progress and the target security state. The model makes full use of available information from both IDS alerts and protected targets. As a result, it can deal with uncertainties and subjectiveness very well in its evaluation process. In IDAM&IRS, the model serves as the foundation for intrusion response decision-making.

Ting Su,Ke Wu,Weikai Miao,Geguang Pu,Jifeng He,Yuting Chen,Zhendong Su

DOI: https://doi.org/10.1145/3020266

2017-01-01

Abstract:Data-flow testing (DFT) is a family of testing strategies designed to verify the interactions between each program variable’s definition and its uses. Such a test objective of interest is referred to as a def-use pair. DFT selects test data with respect to various test adequacy criteria (i.e., data-flow coverage criteria) to exercise each pair. The original conception of DFT was introduced by Herman in 1976. Since then, a number of studies have been conducted, both theoretically and empirically, to analyze DFT’s complexity and effectiveness. In the past four decades, DFT has been continuously concerned, and various approaches from different aspects are proposed to pursue automatic and efficient data-flow testing. This survey presents a detailed overview of data-flow testing, including challenges and approaches in enforcing and automating it: (1) it introduces the data-flow analysis techniques that are used to identify def-use pairs; (2) it classifies and discusses techniques for data-flow-based test data generation, such as search-based testing, random testing, collateral-coverage-based testing, symbolic-execution-based testing, and model-checking-based testing; (3) it discusses techniques for tracking data-flow coverage; (4) it presents several DFT applications, including software fault localization, web security testing, and specification consistency checking; and (5) it summarizes recent advances and discusses future research directions toward more practical data-flow testing.

Jinghua Yu,Stefan Wagner,Feng Luo

DOI: https://doi.org/10.7717/peerj-cs.362

2021-01-01

PeerJ Computer Science

Abstract:Security analysis is an essential activity in security engineering to identify potential system vulnerabilities and specify security requirements in the early design phases. Due to the increasing complexity of modern systems, traditional approaches lack the power to identify insecure incidents caused by complex interactions among physical systems, human and social entities. By contrast, the System-Theoretic Process Analysis for Security (STPA-Sec) approach views losses as resulting from interactions, focuses on controlling system vulnerabilities instead of external threats, and is applicable for complex socio-technical systems. However, the STPA-Sec pays less attention to the non-safety but information-security issues (e.g., data confidentiality) and lacks efficient guidance for identifying information security concepts. In this article, we propose a data-flow-based adaption of the STPA-Sec (named STPA-DFSec) to overcome the mentioned limitations and elicit security constraints systematically. We use the STPA-DFSec and STPA-Sec to analyze a vehicle digital key system and investigate the relationship and differences between both approaches, their applicability, and highlights. To conclude, the proposed approach can identify information-related problems more directly from the data processing aspect. As an adaption of the STPA-Sec, it can be used with other STPA-based approaches to co-design systems in multi-disciplines under the unified STPA framework.