Threat-driven modeling and verification of secure software using aspect-oriented Petri nets

Design-level vulnerabilities are a major source of security risk in software. To improve the trustworthiness of software designs, this paper presents a formal threat-driven approach that makes the explicit behaviors of security threats the mediator between security goals and the application of security features. Security threats are potential attacks, i.e., misuses and anomalies that violate the security goals of a system's intended functions. Security threats indicate what, where, and how security features for threat mitigation should be applied. To specify the intended functions, security threats, and threat mitigations of a security design as a whole, we use aspect-oriented Petri nets as a unified formalism. Intended functions and security threats are modeled as Petri nets, whereas threat mitigations are modeled as Petri net-based aspects, reflecting the incremental and crosscutting nature of security features. The unified formalism makes it possible to verify that the modeled security threats are correct with respect to the intended functions (i.e., that each modeled threat can actually occur in the function as designed) and to verify that those threats are absent from the integration of the functions with their threat mitigations. As a result, our approach can make a software design provably secure against the anticipated security threats and thereby reduce significant design-level vulnerabilities. We demonstrate the approach through a systematic case study on the threat-driven modeling and verification of a real-world shopping cart application.
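The workflow the abstract describes has three checks: the threat net composed with the function net must reach an attack state (the threat is real), the function net woven with the mitigation aspect and composed with the same threat net must not (the threat is absent), and the woven net must still perform the intended function. The following is an added illustration written for this page, not the paper's model, tooling, or case study. It assumes a toy predicate/transition net (tuple tokens, variable bindings, guards), an invented one-item shopping cart in which checkout charges whatever price the client posts, a constructed price-tampering threat, and a simplified "before" weaving rule that redirects the pointcut transition's input place to one fed by the advice; verification is a plain breadth-first reachability search over markings.

```python
# Constructed example (not the paper's code): threat-driven modeling with a toy
# predicate/transition net and explicit-state reachability checking.
from collections import Counter, deque
from itertools import product


class Net:
    """name -> (inputs, outputs, guard); input arc (place, var), output arc (place, fn(binding)->token).
    Tokens are tuples and a marking is a Counter[(place, token)]."""

    def __init__(self, transitions=None):
        self.transitions = dict(transitions or {})

    def add(self, name, inputs, outputs, guard=lambda b: True):
        self.transitions[name] = (inputs, outputs, guard)
        return self

    def compose(self, other):
        """Union over shared places, e.g. function net + threat net."""
        assert not set(self.transitions) & set(other.transitions), "transition name clash"
        return Net({**self.transitions, **other.transitions})

    def weave(self, aspect):
        """Assumed 'before' weaving: redirect the pointcut's input place to one fed by the advice."""
        inputs, outputs, guard = self.transitions[aspect["pointcut"]]
        old, new = aspect["rewire"]
        woven = Net(self.transitions)
        woven.transitions[aspect["pointcut"]] = ([(new if p == old else p, v) for p, v in inputs], outputs, guard)
        return woven.compose(aspect["advice"])


def successors(net, marking):
    """Yield (transition, next marking) for every enabled binding of every transition."""
    for name, (inputs, outputs, guard) in net.transitions.items():
        choices = [[tok for (p, tok) in marking if p == place] for place, _ in inputs]
        for combo in product(*choices):
            consumed = Counter(zip([p for p, _ in inputs], combo))
            binding = {var: tok for (_, var), tok in zip(inputs, combo)}
            if any(marking[k] < n for k, n in consumed.items()) or not guard(binding):
                continue
            nxt = marking - consumed
            for place, fn in outputs:
                nxt[(place, fn(binding))] += 1
            yield name, nxt


def find_path(net, initial, prop, limit=10_000):
    """BFS reachability: shortest firing sequence to a marking satisfying prop, or None."""
    seen, queue = {frozenset(initial.items())}, deque([(initial, [])])
    while queue:
        marking, path = queue.popleft()
        if prop(marking):
            return path
        for name, nxt in successors(net, marking):
            key = frozenset(nxt.items())
            if key not in seen:
                seen.add(key)
                queue.append((nxt, path + [name]))
        if len(seen) > limit:  # sanity bound: unbounded nets need a different analysis
            raise RuntimeError("state space exceeds bound")
    return None


keep = lambda var: (lambda b: b[var])  # output arc that copies a bound token


def cart_function():
    """Intended function (constructed): one-item cart; checkout charges the price the client posts."""
    return (Net()
            .add("add_item", [("Session", "s"), ("Catalog", "c")], [("Catalog", keep("c")), ("Cart", keep("c"))])
            .add("submit_order", [("Cart", "x")], [("Order", keep("x"))])
            .add("checkout", [("Order", "o")], [("Paid", keep("o"))]))


def price_tamper_threat():
    """Security threat (constructed): the attacker rewrites the price field of a pending order to 0."""
    return Net().add("tamper_price", [("Order", "o")], [("Order", lambda b: (b["o"][0], 0))],
                     guard=lambda b: b["o"][1] > 0)


# Threat mitigation as an aspect: re-derive the price from the catalog before checkout fires.
PRICE_CHECK_ASPECT = {
    "pointcut": "checkout", "rewire": ("Order", "Verified"),
    "advice": (Net()
               .add("verify_price", [("Order", "o"), ("Catalog", "c")],
                    [("Catalog", keep("c")), ("Verified", keep("o"))], guard=lambda b: b["o"] == b["c"])
               .add("reject_order", [("Order", "o"), ("Catalog", "c")],
                    [("Catalog", keep("c")), ("Rejected", keep("o"))],
                    guard=lambda b: b["o"][0] == b["c"][0] and b["o"][1] != b["c"][1])),
}

INITIAL = Counter({("Session", ()): 1, ("Catalog", ("book", 10)): 1})  # constructed initial marking


def forged_payment(marking):
    """Threat marking: an item was paid for at a price that differs from the catalog."""
    catalog = {tok[0]: tok[1] for (p, tok) in marking if p == "Catalog"}
    return any(p == "Paid" and tok[1] != catalog.get(tok[0]) for (p, tok) in marking)


def verify_design():
    function, threat = cart_function(), price_tamper_threat()
    mitigated = function.weave(PRICE_CHECK_ASPECT)
    return {  # (1) threat consistent with function, (2) threat absent after weaving, (3) function preserved
        "attack_on_function": find_path(function.compose(threat), INITIAL, forged_payment),
        "attack_on_mitigated": find_path(mitigated.compose(threat), INITIAL, forged_payment),
        "honest_checkout": find_path(mitigated, INITIAL, lambda m: any(p == "Paid" for p, _ in m)),
    }
```

Running `verify_design()` returns the firing sequence `add_item, submit_order, tamper_price, checkout` for the unmitigated design, `None` for the woven design, and `add_item, submit_order, verify_price, checkout` for the honest path, which is the shape of evidence the abstract's two verification steps produce. The "absence" result is only as strong as the threat nets actually composed in and the state space actually explored: a threat that is not modeled is not excluded, and a net whose places can hold unboundedly many tokens will hit the search bound rather than yield a proof.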
