Efficiency and Automation in Threat Analysis of Software Systems
Doctoral thesis, 2021
Context: Security is a growing concern in many organizations. Industries developing software systems plan for security early-on to minimize expensive code refactorings after deployment. In the design phase, teams of experts routinely analyze the system architecture and design to find potential security threats and flaws. After the system is implemented, the source code is often inspected to determine its compliance with the intended functionalities.
Objective: The goal of this thesis is to improve on the performance of security design analysis techniques (in the design and implementation phases) and support practitioners with automation and tool support.
Method: We conducted empirical studies for building an in-depth understanding of existing threat analysis techniques (Systematic Literature Review, controlled experiments). We also conducted empirical case studies with industrial participants to validate our attempt at improving the performance of one technique. Further, we validated our proposal for automating the inspection of security design flaws by organizing workshops with participants (under controlled conditions) and subsequent performance analysis. Finally, we relied on a series of experimental evaluations for assessing the quality of the proposed approach for automating security compliance checks.
Findings: We found that the eSTRIDE approach can help focus the analysis and produce twice as many high-priority threats in the same time frame. We also found that reasoning about security in an automated fashion requires extending the existing notations with more precise security information. In a formal setting, minimal model extensions for doing so include security contracts for system nodes handling sensitive information. The formally-based analysis can to some extent provide completeness guarantees. For a graph-based detection of flaws, minimal required model extensions include data types and security solutions. In such a setting, the automated analysis can help in reducing the number of overlooked security flaws. Finally, we suggested to define a correspondence mapping between the design model elements and implemented constructs. We found that such a mapping is a key enabler for automatically checking the security compliance of the implemented system with the intended design. The key for achieving this is two-fold. First, a heuristics-based search is paramount to limit the manual effort that is required to define the mapping. Second, it is important to analyze implemented data flows and compare them to the data flows stipulated by the design.
Objective: The goal of this thesis is to improve on the performance of security design analysis techniques (in the design and implementation phases) and support practitioners with automation and tool support.
Method: We conducted empirical studies for building an in-depth understanding of existing threat analysis techniques (Systematic Literature Review, controlled experiments). We also conducted empirical case studies with industrial participants to validate our attempt at improving the performance of one technique. Further, we validated our proposal for automating the inspection of security design flaws by organizing workshops with participants (under controlled conditions) and subsequent performance analysis. Finally, we relied on a series of experimental evaluations for assessing the quality of the proposed approach for automating security compliance checks.
Findings: We found that the eSTRIDE approach can help focus the analysis and produce twice as many high-priority threats in the same time frame. We also found that reasoning about security in an automated fashion requires extending the existing notations with more precise security information. In a formal setting, minimal model extensions for doing so include security contracts for system nodes handling sensitive information. The formally-based analysis can to some extent provide completeness guarantees. For a graph-based detection of flaws, minimal required model extensions include data types and security solutions. In such a setting, the automated analysis can help in reducing the number of overlooked security flaws. Finally, we suggested to define a correspondence mapping between the design model elements and implemented constructs. We found that such a mapping is a key enabler for automatically checking the security compliance of the implemented system with the intended design. The key for achieving this is two-fold. First, a heuristics-based search is paramount to limit the manual effort that is required to define the mapping. Second, it is important to analyze implemented data flows and compare them to the data flows stipulated by the design.
Automation
Secure Software Design
Security Compliance
Threat Analysis (Modeling)
Author
Katja Tuma
University of Gothenburg
Threat analysis of software systems: A systematic literature review
Journal of Systems and Software,;Vol. 144(2018)p. 275-294
Journal article
Two architectural threat analysis techniques compared
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),;Vol. 11048 LNCS(2018)p. 347-363
Paper in proceeding
Towards security threats that matter
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),;Vol. 10683(2017)p. 47-62
Paper in proceeding
Flaws in Flows: Unveiling Design Flaws via Information Flow Analysis
Proceedings - 2019 IEEE International Conference on Software Architecture, ICSA 2019,;(2019)p. 191-200
Paper in proceeding
Inspection guidelines to identify security design flaws
ACM International Conference Proceeding Series,;Vol. 2(2019)p. 116-122
Paper in proceeding
Automating the early detection of security design flaws
Proceedings of the 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems,;(2020)p. 332-342
Paper in proceeding
Secure Data-Flow Compliance Checks between Models and Code Based on Automated Mappings
Proceedings - 2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems, MODELS 2019,;(2019)p. 23-33
Paper in proceeding
K.Tuma, C. Sandberg, U. Thorsson, M. Widman, T. Herpel, and R. Scandariato. Finding Security Threats That Matter: Two Industrial Case Studies
K.Tuma, S. Peldszus, R. Scandariato, Daniel Strüber and J. Jürjens. Checking Security Compliance between Models and Code
Software systems are constantly under threat from cyber-attacks. To protect their software, organizations design blueprints of future software and scrutinize them for security holes, even before any line of code written. Usually, this thorough analysis is performed manually by security experts, who strive to find as many issues as possible. However, due to resource constraints, only the most critical issues will be addressed. Not only is this way of working time-consuming, but it also leads analysts to discuss less important issues while possibly overlooking other critical issues. Further, even when analysts do find critical issues and require countermeasures to be put in place, there is no guarantee that the software developers will implement the security defenses as planned.
This thesis contributes to solving these problems. First, we improve an existing manual technique which enables the analysts to identify twice as many critical issues in our case studies. Second, we propose two techniques that detect security design flaws automatically and help in reducing the number of overlooked issues. Finally, we introduce a semi-automated approach to link the intended design to the implemented constructs and automatically verify that the implementation complies with the planned security requirements.
This thesis contributes to solving these problems. First, we improve an existing manual technique which enables the analysts to identify twice as many critical issues in our case studies. Second, we propose two techniques that detect security design flaws automatically and help in reducing the number of overlooked issues. Finally, we introduce a semi-automated approach to link the intended design to the implemented constructs and automatically verify that the implementation complies with the planned security requirements.
Holistiskt angreppssätt att förbättra datasäkerhet (HoliSec)
VINNOVA (2015-06894), 2016-04-01 -- 2019-03-31.
Cyber Resilience for Vehicles - Cybersecurity for automotive systems in a changing environment - phase1 (CyReV)
VINNOVA (2018-05013), 2019-04-01 -- 2021-03-31.
Subject Categories
Software Engineering
Computer Science
Computer Systems
ISBN
978-91-8009-155-8
Publisher
University of Gothenburg