Software security metrics for malware resilience

We examine the level of resistance that a software product offers against malicious software (malware) attacks. The analysis is performed on the software architecture, which is available as a result of the software design process and can therefore be used at an early stage of development. A model of a generic computer system is developed, based on the internationally recognized Common Criteria for Information Technology Security Evaluation, and formally specified in the Z modeling language. The model captures both malicious software attacks and security mechanisms. A repository of generic attack methods is given, and the concept of resistance classes is introduced to distinguish different levels of protection. We assess how certain architectural properties and changes in system architecture affect the resistance classes a product can attain. This thesis has four main contributions: a generic model of an operating system from a security perspective, a repository of typical attack methods, a set of resistance classes, and an identification of software architecture metrics pertaining to ordered security levels.

Thesis Supervisor: Prof. Dr. Armin B. Cremers, Institut für Informatik III, Rheinische Friedrich-Wilhelms-Universität Bonn

Thesis Supervisor: Prof. Dr. Einar A. Snekkenes, Avdeling for informatikk og medieteknikk, Høgskolen i Gjøvik
