Checking security compliance between models and code
Artikel i vetenskaplig tidskrift, 2023

It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated, and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

Författare

Katja Tuma

Göteborgs universitet

Chalmers, Data- och informationsteknik, Interaktionsdesign och Software Engineering

Sven Peldszus

Ruhr-Universität Bochum

Daniel Strüber

Software Engineering 2

Göteborgs universitet

Riccardo Scandariato

Göteborgs universitet

Software Engineering 2

Jan Jürjens

Fraunhofer-Gesellschaft

Universität Koblenz-Landau

Software and Systems Modeling

1619-1366 (ISSN) 1619-1374 (eISSN)

Vol. 22 273-296

Ämneskategorier (SSIF 2025)

Programvaruteknik

Datavetenskap (datalogi)

DOI

10.1007/s10270-022-00991-5

Mer information

Senast uppdaterat

2025-06-25