Abstract
One of the main challenges in engineering secure software systems is the formalization of threats for the automation of security architecture threat detection, analysis, and mitigation. On top of that, there is a growing need for the development of reusable security solutions to support secure systems engineering at early stages of development. We address this challenge by proposing an integrated approach for threat specification, detection, and treatment in component-based software architecture models via reusable security threat and requirement formal model libraries. Our solution is based on metamodeling techniques that enable the specification of the software architecture structure and on formal techniques for the purposes of precise specification and verification of security aspects as properties of a modeled system. To validate our work, we explore a set of representative threats from categories based on Microsoft’s STRIDE threat classification in the context of secure component-based software architecture development. In addition, we use model-driven engineering techniques for the development of a tool suite to support our approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
STRIDE classifies threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
- 2.
- 3.
DREAD is a risk assessment model for risk rating security threats using five categories: Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
References
Alloy Analyzer. http://alloytools.org/. Accessed Apr 2019
Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development: Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science, An EATCS Series. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-662-07964-5
Bettini, L.: Implementing Domain Specific Languages with Xtext and Xtend, 2nd edn. Packt Publishing, Birmingham (2016)
Bowen, J.P., Hinchey, M.G.: Ten commandments of formal methods. Computer 28(4), 56–63 (1995)
Bowen, J.P., Hinchey, M.G.: Ten commandments of formal methods... ten years later. Computer 39(1), 40–48 (2006)
Crnkovic, I.: Component-based software engineering for embedded systems. In: Proceedings of the 27th International Conference on Software Engineering, ICSE 2005, pp. 712–713. ACM (2005)
European Union Agency for Network and Information Security (ENISA): Threat Taxonomy (2016). https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view. Accessed Nov 2018
Ezran, M., Morisio, M., Tully, C.: Practical Software Reuse. Springer, Heidelberg (2002). https://doi.org/10.1007/978-1-4471-0141-3
Frakes, W., Kang, K.: Software reuse research: status and future. IEEE Trans. Softw. Eng. 31(7), 529–536 (2005)
Hamid, B.: A model repository description language - MRDL. In: Kapitsaki, G.M., Santana de Almeida, E. (eds.) ICSR 2016. LNCS, vol. 9679, pp. 350–367. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-35122-3_23
Heitmeyer, C.: Applying practical formal methods to the specification and analysis of security properties. In: Gorodetski, V.I., Skormin, V.A., Popyack, L.J. (eds.) MMM-ACNS 2001. LNCS, vol. 2052, pp. 84–89. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45116-1_11
Hussain, S., Erwin, H., Dunne, P.: Threat modeling using formal methods: a new approach to develop secure web applications. In: Proceedings of the 7th International Conference on Emerging Technologies, pp. 1–5 (September 2011)
Jackson, D.: Software Abstractions: Logic, Language, and Analysis. The MIT Press, Cambridge (2006)
Jackson, D.: Alloy: a language and tool for exploring software designs. Commun. ACM 62(9), 66–76 (2019). https://doi.org/10.1145/3338843
Khosravi, R., Sirjani, M., Asoudeh, N., Sahebi, S., Iravanchi, H.: Modeling and analysis of Reo connectors using alloy. In: Lea, D., Zavattaro, G. (eds.) COORDINATION 2008. LNCS, vol. 5052, pp. 169–183. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68265-3_11
Kruchten, P.: Architectural blueprints - the “4+ 1” view model of software architecture. IEEE Softw. 12(6), 42–50 (1995)
Krueger, C.: Software reuse. ACM Comput. Surv. 24(2), 131–183 (1992)
Mana, A., Pujol, G.: Towards formal specification of abstract security properties. In: Proceedings of the Third International Conference on Availability, Reliability and Security, pp. 80–87 (March 2008)
Microsoft: The STRIDE Threat Model. Microsoft Corporation, Redmond (2009)
OMG: Unified modeling language (UML), Version 2.5 (2015). https://www.omg.org/spec/UML/2.5. Accessed July 2020
OMG: Unified component model for distributed, real-time and embedded systems, Version 1.2 (2020). https://www.omg.org/spec/UCM/1.2. Accessed July 2020
Periyasamy, K., Chidambaram, J.: Software reuse using formal specification of requirements. In: Proceedings of the 1996 Conference of the Centre for Advanced Studies on Collaborative Research, CASCON 1996, p. 31. IBM Press (1996)
Rivera, J.: Cyber security via formal methods: a framework for implementing formal methods. In: 2017 International Conference on Cyber Conflict (CyCon U.S.), pp. 76–81 (November 2017)
Selic, B.: The pragmatics of model-driven development. IEEE Softw. 20(5), 19–25 (2003)
Steinberg, D., Budinsky, F., Paternostro, M., Merks, E.: EMF: Eclipse Modeling Framework 2.0, 2nd edn. Addison-Wesley, Boston (2009)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Rouland, Q., Hamid, B., Jaskolka, J. (2020). Reusable Formal Models for Threat Specification, Detection, and Treatment. In: Ben Sassi, S., Ducasse, S., Mili, H. (eds) Reuse in Emerging Software Engineering Practices. ICSR 2020. Lecture Notes in Computer Science(), vol 12541. Springer, Cham. https://doi.org/10.1007/978-3-030-64694-3_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-64694-3_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64693-6
Online ISBN: 978-3-030-64694-3
eBook Packages: Computer ScienceComputer Science (R0)