Maintaining Security in Software Evolution

In this chapter, we introduce a three-layered framework for maintaining security in software evolution at design time and at run time. Additionally, we present a suite of five approaches that employ the framework. Two approaches address design time: one uses knowledge extracted from natural-language documents to identify potential steps for co-evolving the system's design, and the other integrates architecture model information with program code. A third approach bridges design time and run time to support architects as the software evolves. The two remaining approaches focus on run-time security maintenance. The fourth approach monitors run-time information in order to detect suspicious behaviour and reacts to it automatically by adapting the system with a mitigation, while the fifth approach focuses on interdisciplinary changes in automation software. In combination, the approaches address current challenges for security maintenance at design time and at run time.
