Finding architectural flaws using constraints

During Architectural Risk Analysis (ARA), security architects use a runtime architecture to look for security vulnerabilities that are architectural flaws rather than coding defects. The current ARA process, however, is mostly informal and manual. In this paper, we propose Scoria, a semi-automated approach for finding architectural flaws. Scoria uses a sound, hierarchical object graph with abstract objects and dataflow edges, where edges can refer to nodes in the graph. The architects can augment the object graph with security properties, which can express security information unavailable in code. Scoria allows architects to write queries on the graph in terms of the hierarchy, reachability, and provenance of a dataflow object. Based on the query results, the architects enhance their knowledge of the system's security and write expressive constraints. The expressiveness is richer than previous approaches that check only for the presence or absence of communication or do not track a dataflow as an object. To evaluate Scoria, we apply these constraints to several extended examples adapted from the CERT standard for Java to confirm that Scoria can detect injected architectural flaws. Next, we write constraints to enforce an Android security policy and find one architectural flaw in one Android application.
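As an added illustration, not code from the paper or from the Scoria tool, the following constructed Python model puts together the ingredients the abstract names: an ownership hierarchy of abstract objects, dataflow edges that carry a dataflow object which is itself a node, architect-supplied security properties, and a constraint written over hierarchy, reachability and provenance rather than over the mere presence of an edge. All object names, property labels and the policy are assumptions.

```python
from collections import deque, namedtuple
from dataclasses import dataclass

Edge = namedtuple("Edge", "src dst flow")  # flow: name of the dataflow object carried on this edge

@dataclass
class Obj:
    name: str
    owner: "str | None" = None      # enclosing object in the ownership hierarchy
    props: frozenset = frozenset()  # architect-added security properties (assumed labels)
    creator: "str | None" = None    # dataflow objects only: the object that created them

class ObjectGraph:
    def __init__(self, objs, edges):
        self.objs, self.edges = {o.name: o for o in objs}, edges

    def has_prop(self, name, prop):
        # hierarchy query: a property on an enclosing object applies to everything inside it
        while name is not None:
            if prop in self.objs[name].props:
                return True
            name = self.objs[name].owner
        return False

    def reach(self, start, flow):
        # reachability query: each object that `flow` reaches from `start`, mapped to the path taken
        paths, todo = {start: [start]}, deque([start])
        while todo:
            n = todo.popleft()
            for e in self.edges:
                if e.src == n and e.flow == flow and e.dst not in paths:
                    paths[e.dst] = paths[n] + [e.dst]
                    todo.append(e.dst)
        return paths

def untrusted_to_sensitive(g):
    """Constraint: 'untrusted'-provenance data must not reach a 'sensitive' object without passing a 'sanitizer'."""
    bad = []
    for f in g.objs.values():
        if f.creator and g.has_prop(f.creator, "untrusted"):          # provenance query
            for dst, path in g.reach(f.creator, f.name).items():
                if g.has_prop(dst, "sensitive") and not any(g.has_prop(n, "sanitizer") for n in path[1:-1]):
                    bad.append((f.name, path))
    return bad

# constructed sample graph (not the paper's): 'req' goes ui -> parser -> store (inside a 'sensitive' domain); 'clean' goes via a sanitizer
G = ObjectGraph(
    [Obj("main"), Obj("ui", "main", {"untrusted"}), Obj("parser", "main"), Obj("san", "main", {"sanitizer"}),
     Obj("data", "main", {"sensitive"}), Obj("store", "data"), Obj("req", "ui", creator="ui"), Obj("clean", "san", creator="ui")],
    [Edge("ui", "parser", "req"), Edge("parser", "store", "req"), Edge("ui", "san", "clean"), Edge("san", "store", "clean")])
```

Note that no edge connects `ui` directly to `store`, so a check for the presence or absence of communication between the two reports nothing, while following the dataflow object `req` through `parser` exposes the unsanitised path.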
