120 Domain-Specific Languages for Security

Markus Krausz,Sven Peldszus,Francesco Regazzoni,Thorsten Berger,Tim Güneysu
2024-08-13
Abstract:Security engineering, from security requirements engineering to the implementation of cryptographic protocols, is often supported by domain-specific languages (DSLs). Unfortunately, a lack of knowledge about these DSLs, such as which security aspects are addressed and when, hinders their effective use and further research. This systematic literature review examines 120 security-oriented DSLs based on six research questions concerning security aspects and goals, language-specific characteristics, integration into the software development lifecycle (SDLC), and effectiveness of the DSLs. We observe a high degree of fragmentation, which leads to opportunities for integration. We also need to improve the usability and evaluation of security DSLs.
Cryptography and Security,Software Engineering
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is: **The lack of systematic understanding of domain - specific languages (DSLs) in the security field, which hinders the effective use and further research of these languages**. Specifically, the paper focuses on the following points: 1. **Fragmentation of security - specific domain - specific languages**: There are a large number of DSLs for different security aspects at present, but they lack integration among them, forming a highly fragmented state. 2. **Insufficient usability and evaluation of security DSLs**: The usability and effectiveness of existing security DSLs in practical applications have not been fully verified. To address these problems, the paper conducts a systematic literature review, aiming to: - Provide a comprehensive overview of security DSLs, covering their characteristics, application stages, types, semantics and their effectiveness. - Identify the connections and gaps between existing security DSLs, and propose possible directions for integration and improvement. ### Research Questions The paper guides its investigation through six research questions: 1. **RQ1**: What security DSLs are proposed in the literature? - The goal is to create a directory of known security DSLs to fill the current gap in the systematic overview. 2. **RQ2**: What security aspects do security DSLs target? - Analyze how these DSLs deal with different security goals, attack models and defense mechanisms. 3. **RQ3**: Which stages of the development process do DSLs support? - Determine the relevant stages in the software development life cycle (SDLC) for each DSL and the security aspects they focus on. 4. **RQ4**: What types of DSLs exist and how are they used? - Examine the general characteristics of DSLs, such as whether they are stand - alone DSLs or embedded DSLs, and whether they are text - based or visual DSLs, and explore the actual use of their related tools. 5. **RQ5**: What are the semantics of DSLs? - Explore how DSL instances achieve security goals, and how the transformation mechanisms provided by the back - end propagate and utilize the specified security attributes. 6. **RQ6**: How effective are DSLs? - Evaluate the effectiveness of DSLs, including formal security assurances (such as soundness, precision and integrity), and analyze whether there is empirical data to support the actual application effects of these DSLs. ### Summary Through a systematic review of 120 security DSLs, the paper aims to provide a comprehensive reference framework for developers, security researchers and relevant stakeholders, helping them better understand and apply these DSLs, thereby improving the quality and efficiency of secure software development.