Checking Security Compliance between Models and Code

Katja Tuma (E-mail: k.tuma@vu.nl) · Sven Peldszus (E-mail: speldszus@uni-koblenz.de) · Daniel Strüber (E-mail: d.strueber@cs.ru.nl) · Riccardo Scandariato (E-mail: riccardo.scandariato@tuhh.de) · Jan Jürjens (E-mail: juerjens@uni-koblenz.de)

1 Vrije Universiteit Amsterdam, The Netherlands; 2 University of Koblenz-Landau, Germany; 3 Radboud University Nijmegen, The Netherlands; 4 Hamburg University of Technology, Germany; 5 Fraunhofer Institute for Software and Systems Engineering ISST, Germany

Verifying that the security mechanisms planned at design time are actually implemented in the software code is a challenging endeavor. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor-intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence potential security flaws in the code. These mappings enable an automated, project-specific static analysis of the implementation with respect to the desired security properties of the design model. We contribute (i) a definition of corresponding elements between the design-level and the implementation-level models together with a heuristic-based approach to search for correspondences, (ii) two types of security compliance checks using static code analysis, and (iii) an implementation of our approach as a publicly available Eclipse plugin, evaluated with three studies on open source Java projects. Our evaluation shows that the mappings are automatically suggested with up to 87.2% precision.
Further, the two developed types of security compliance checks are relatively precise (average precision is 79.6% and 100%), but may still overlook some implemented information flows (average recall is 65.5% and 94.5%) due to the large gap between the design and implementation. Finally, our approach enables a project-specific analysis with up to 62% fewer false alarms raised by an existing data flow analyzer.
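The map-then-check idea the abstract describes, as an added illustration that is not the paper's SecDFD or Program Model implementation: a toy name-matching heuristic suggests which design element each code-level class corresponds to, and a data flow check lifts the calls observed in code into design terms and flags flows the design never permitted, including a confidential asset reaching an element that the design does not allow to handle it. The element names, flows, the confidential asset, the token-prefix heuristic and the 0.4 threshold are all constructed for this example.

```python
import re

# --- Constructed inputs (not taken from the paper or its case studies) -----------

# Design-level model, SecDFD-style: elements and the data flows the design permits.
DESIGN_ELEMENTS = ["LoginProcess", "UserStore", "ReportGenerator", "ExternalMailer"]
DESIGN_FLOWS = {
    ("LoginProcess", "UserStore"), ("UserStore", "LoginProcess"),
    ("ReportGenerator", "UserStore"), ("UserStore", "ReportGenerator"),
}
# Assets the design marks confidential, with the design elements allowed to handle them.
CONFIDENTIAL_ASSETS = {"password": {"LoginProcess", "UserStore"}}

# Code-level representation (a stand-in for an extracted program model): classes and
# observed calls as (caller class, callee class, name of the data passed).
CODE_ELEMENTS = ["LoginService", "UserRepository", "ReportGen", "MailClient",
                 "MetricsCollector"]
CODE_FLOWS = [
    ("LoginService", "UserRepository", "password"),
    ("UserRepository", "LoginService", "password"),
    ("ReportGen", "UserRepository", "userId"),
    ("ReportGen", "MailClient", "report"),           # not in the design
    ("UserRepository", "MailClient", "password"),    # not in the design, leaks an asset
    ("MetricsCollector", "UserRepository", "stats"), # caller has no design counterpart
]

MATCH_THRESHOLD = 0.4  # hypothetical cut-off for the name heuristic


def name_tokens(identifier):
    """Split a CamelCase identifier into lowercase tokens."""
    return [t.lower() for t in re.findall(r"[A-Z]+[a-z]*|[a-z]+", identifier)]


def token_match(a, b):
    """Two tokens correspond if one is a prefix of the other (at least 3 chars)."""
    return len(a) >= 3 and len(b) >= 3 and (a.startswith(b) or b.startswith(a))


def name_similarity(design_name, code_name):
    """Fraction of design tokens with a counterpart, normalised by the longer name."""
    d, c = name_tokens(design_name), name_tokens(code_name)
    matched = sum(1 for t in d if any(token_match(t, u) for u in c))
    return matched / max(len(d), len(c), 1)


def suggest_mapping(design_elements=DESIGN_ELEMENTS, code_elements=CODE_ELEMENTS):
    """Greedy one-to-one mapping: best-scoring pairs first, above the threshold."""
    candidates = sorted(
        ((name_similarity(d, c), d, c) for d in design_elements for c in code_elements),
        key=lambda x: (-x[0], x[1], x[2]),
    )
    mapping, used_code = {}, set()
    for score, d, c in candidates:
        if score < MATCH_THRESHOLD:
            break
        if d in mapping or c in used_code:
            continue
        mapping[d] = c
        used_code.add(c)
    return mapping


def check_compliance(mapping, code_flows=CODE_FLOWS, design_flows=DESIGN_FLOWS,
                     confidential=CONFIDENTIAL_ASSETS):
    """Lift each observed call into design terms and compare it with the design.

    Returns a list of (kind, source, target, data) findings:
      'unmapped'   - an endpoint has no design counterpart; a human must decide
      'undesigned' - the flow exists in code but not in the design model
      'asset-leak' - a confidential asset reaches an element the design does not allow
    """
    code_to_design = {c: d for d, c in mapping.items()}
    findings = []
    for src, dst, data in code_flows:
        d_src, d_dst = code_to_design.get(src), code_to_design.get(dst)
        if d_src is None or d_dst is None:
            findings.append(("unmapped", src, dst, data))
            continue
        if (d_src, d_dst) not in design_flows:
            findings.append(("undesigned", d_src, d_dst, data))
        if data in confidential and d_dst not in confidential[data]:
            findings.append(("asset-leak", d_src, d_dst, data))
    return findings


if __name__ == "__main__":
    mapping = suggest_mapping()
    for design, code in mapping.items():
        print(f"{design:16s} -> {code}")
    for finding in check_compliance(mapping):
        print(finding)
```

The mapping is only a suggestion: a reviewer is expected to confirm or correct it before the findings are trusted, which is why elements without a counterpart produce an 'unmapped' finding rather than being silently ignored. Restricting the check to mapped elements is what makes the analysis project-specific, since only flows the design actually speaks about are judged.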
