Secure Data-Flow Compliance Checks between Models and Code Based on Automated Mappings

During the development of security-critical software, the system implementation must capture the security properties postulated by the architectural design. This paper presents an approach that supports secure data-flow compliance checks between design models and code. To iteratively guide the developer in discovering such compliance violations, we introduce automated mappings. These mappings are created by searching for correspondences between a design-level model (Security Data Flow Diagram) and an implementation-level model (Program Model). We limit the search space by considering name similarities between model elements and code elements, as well as by using heuristic rules for matching data-flow structures. The contributions of this paper are three-fold. First, the automated mappings support the designer in the early discovery of implementation absence, convergence, and divergence with respect to the planned software design. Second, the mappings support the discovery of secure data-flow compliance violations in the form of illegal asset flows in the software implementation. Third, we present our implementation of the approach as a publicly available Eclipse plugin and its evaluation on five open-source Java projects (including Eclipse secure storage).
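As an added illustration (not code from the paper or its Eclipse plugin), the following Python sketch shows the shape of such a check: design elements are mapped to code elements by name similarity (token overlap and Levenshtein distance), elements left unmapped are resolved by a heuristic on data-flow structure, and the resulting mapping is used to classify planned flows as convergent or absent, to flag divergent code flows, and to report illegal asset flows. The two model classes, the heuristic rules, the 0.5 threshold and the sample "password manager" project are all constructed for this example; the paper's actual rules and thresholds are not on this page and are not reproduced. Program-model flows are labelled with a value name, and an asset is assumed to be carried by whatever value realises one of its planned flows, a simplification that ignores renaming across calls.

```python
"""Toy design-to-code mapping and asset-flow compliance check (added example,
not the paper's implementation; models, heuristics and sample are constructed)."""
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance over insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(name: str) -> set[str]:
    """Split camelCase / snake_case / spaced names into lower-case words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name).replace("_", " ")
    return {w.lower() for w in spaced.split()}


def name_similarity(design: str, code: str) -> float:
    """Token overlap (Jaccard) or normalised edit distance, whichever is higher."""
    t1, t2 = tokens(design), tokens(code)
    jaccard = len(t1 & t2) / len(t1 | t2)
    a, b = re.sub(r"[\s_]", "", design).lower(), re.sub(r"[\s_]", "", code).lower()
    return max(jaccard, 1 - levenshtein(a, b) / max(len(a), len(b)))


class DesignModel:
    """Security data flow diagram: flows are (source, target, asset) triples."""
    def __init__(self, flows):
        self.flows = set(flows)
        self.elements = {e for s, t, _ in self.flows for e in (s, t)}

    def allowed(self, asset):
        """Design elements the asset is planned to pass through."""
        return {e for s, t, a in self.flows if a == asset for e in (s, t)}


class ProgramModel:
    """Code-level model: classes plus value-passing edges (source, target, value)."""
    def __init__(self, elements, flows):
        self.elements, self.flows = set(elements), set(flows)


def map_by_name(design, program, threshold=0.5):
    """Map each design element to its most similar code element above a threshold."""
    mapping = {}
    for d in sorted(design.elements):
        best = max(sorted(program.elements), key=lambda c: name_similarity(d, c))
        if name_similarity(d, best) >= threshold:
            mapping[d] = best
    return mapping


def extend_by_flow_structure(design, program, mapping):
    """Heuristic rule: if one end of a design flow is mapped to code element x and
    exactly one unmapped code element sits at the matching end of a program flow
    into/out of x, map the other design end to it. Iterate to a fixpoint."""
    used, changed = set(mapping.values()), True
    while changed:
        changed = False
        for s, t, _ in sorted(design.flows):
            for known, unknown, end in ((t, s, 0), (s, t, 1)):
                if known not in mapping or unknown in mapping:
                    continue
                cands = {f[end] for f in program.flows
                         if f[1 - end] == mapping[known] and f[end] not in used}
                if len(cands) == 1:
                    mapping[unknown] = cands.pop()
                    used.add(mapping[unknown])
                    changed = True
    return mapping


def classify_flows(design, program, mapping):
    """Convergence: planned flow realised in code. Absence: planned flow missing.
    Divergence: code flow between mapped elements the design never planned."""
    inv = {c: d for d, c in mapping.items()}
    code_edges = {(s, t) for s, t, _ in program.flows}
    planned = {(mapping.get(s), mapping.get(t)) for s, t, _ in design.flows}
    convergence = {(s, t) for s, t, _ in design.flows if (mapping.get(s), mapping.get(t)) in code_edges}
    absence = {(s, t) for s, t, _ in design.flows if (mapping.get(s), mapping.get(t)) not in code_edges}
    divergence = {(inv[s], inv[t]) for s, t in code_edges if s in inv and t in inv and (s, t) not in planned}
    return convergence, absence, divergence


def illegal_asset_flows(design, program, mapping):
    """A value that realises a planned asset flow is taken to carry that asset.
    Moving a carrier into a code element outside the asset's allowed design
    elements (or into an unmapped element) is an illegal asset flow."""
    violations = set()
    for asset in {a for _, _, a in design.flows}:
        carriers = {v for s, t, a in design.flows if a == asset and s in mapping and t in mapping
                    for cs, ct, v in program.flows if (cs, ct) == (mapping[s], mapping[t])}
        allowed_code = {mapping[d] for d in design.allowed(asset) if d in mapping}
        violations |= {(asset, cs, ct) for cs, ct, v in program.flows
                       if v in carriers and ct not in allowed_code}
    return violations


def run_example():
    """Constructed sample: a tiny password manager, design versus code."""
    design = DesignModel([("UI", "PasswordManager", "password"),
                          ("PasswordManager", "SecureStorage", "password"),
                          ("PasswordManager", "Logger", "event"),
                          ("SecureStorage", "Logger", "event")])
    program = ProgramModel(
        ["LoginView", "PasswordManager", "SecureStorageProvider", "Logger", "DebugLogger"],
        [("LoginView", "PasswordManager", "pwd"), ("PasswordManager", "SecureStorageProvider", "pwd"),
         ("PasswordManager", "Logger", "msg"),
         ("PasswordManager", "DebugLogger", "pwd"),    # password leaks to an unplanned class
         ("Logger", "SecureStorageProvider", "msg")])  # planned elements, unplanned flow
    mapping = extend_by_flow_structure(design, program, map_by_name(design, program))
    convergence, absence, divergence = classify_flows(design, program, mapping)
    return {"mapping": mapping, "convergence": convergence, "absence": absence,
            "divergence": divergence, "illegal": illegal_asset_flows(design, program, mapping)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In the sample, "UI" has no name match in the code and is only mapped to LoginView because it is the single unmapped class feeding PasswordManager, which is the kind of structural rule the name-based search alone cannot supply; the flow from PasswordManager to DebugLogger is then reported as an illegal flow of the password asset, while the Logger-to-storage call is a divergence but not an asset violation because both ends are planned for the event asset.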
