Matching attack patterns to security vulnerabilities in software-intensive system designs

Fortifying software applications against attack is often an effort that occurs late in the software development process. Applying patches to fix vulnerable applications in the field is a common approach to securing applications. Abstract representations of attacks such as attack trees and attack nets can be used for identifying potential threats before a system is released. We have constructed attack patterns that can illuminate security vulnerabilities in a software-intensive system design. Matching our attack patterns to vulnerabilities in the design phase may stimulate security efforts to start early and to become integrated with the software process. The intent is that our attack patterns can be used to effectively encode software vulnerabilities in vulnerability databases. A case study of our approach with undergraduate students in a security course indicated that our attack patterns can provide general descriptions of vulnerabilities. The students were able to accurately map the patterns to vulnerabilities in a system design.
