
Reusable Formal Models for Threat Specification, Detection, and Treatment

  • Conference paper
  • In: Reuse in Emerging Software Engineering Practices (ICSR 2020)

Abstract

One of the main challenges in engineering secure software systems is formalizing threats so that threat detection, analysis, and mitigation at the security architecture level can be automated. At the same time, there is a growing need for reusable security solutions that support secure systems engineering at early stages of development. We address these challenges with an integrated approach to threat specification, detection, and treatment in component-based software architecture models, built on reusable formal model libraries of security threats and security requirements. The approach relies on metamodeling techniques to specify the structure of the software architecture, and on formal techniques to specify and verify security aspects precisely as properties of the modeled system. To validate the work, we explore a set of representative threats from categories based on Microsoft’s STRIDE threat classification in the context of secure component-based software architecture development, and we use model-driven engineering techniques to build a tool suite that supports the approach.
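Only the abstract of the paper is reproduced on this page, so the authors' actual threat and requirement models are not shown. The following Python sketch is an added example, not the paper's code or formalism, of the pattern the abstract describes: an architecture model (components in trust zones, connectors carrying data), a reusable library of threat predicates for three STRIDE categories, a matching library of requirement "treatments" that rewrite the model, and a detect/treat loop that re-checks until no predicate has a witness. The component/connector metamodel, the zone-based notion of a trust boundary, the three predicates, and the sample architecture are all assumptions made for the illustration.

```python
# Added illustration (not the paper's formalism): a reusable threat/requirement
# library evaluated against a component-based architecture model. The
# component/connector metamodel and the three STRIDE predicates are assumptions.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Component:
    name: str
    zone: str                          # trust zone, e.g. "external", "dmz", "internal"
    authenticates_peers: bool = False  # verifies the identity of whoever connects to it

@dataclass(frozen=True)
class Connector:
    src: str
    dst: str
    data: str
    confidential: bool = False
    encrypted: bool = False
    integrity_protected: bool = False

@dataclass(frozen=True)
class Architecture:
    components: tuple[Component, ...]
    connectors: tuple[Connector, ...]

    def component(self, name: str) -> Component:
        return next(c for c in self.components if c.name == name)

    def crosses_boundary(self, conn: Connector) -> bool:
        return self.component(conn.src).zone != self.component(conn.dst).zone

# Threat library: each predicate returns the connectors that witness the threat;
# an empty list means the property "no such threat" holds for the model.
def spoofing(arch: Architecture) -> list[Connector]:
    """Spoofing: a flow crosses a trust boundary and the receiver does not authenticate the sender."""
    return [c for c in arch.connectors
            if arch.crosses_boundary(c) and not arch.component(c.dst).authenticates_peers]

def tampering(arch: Architecture) -> list[Connector]:
    """Tampering: a flow crosses a trust boundary without integrity protection."""
    return [c for c in arch.connectors if arch.crosses_boundary(c) and not c.integrity_protected]

def information_disclosure(arch: Architecture) -> list[Connector]:
    """Information disclosure: confidential data travels over an unencrypted flow."""
    return [c for c in arch.connectors if c.confidential and not c.encrypted]

THREATS = {"Spoofing": spoofing, "Tampering": tampering,
           "Information disclosure": information_disclosure}

# Requirement (treatment) library: each entry rewrites the model so that the
# given witness no longer satisfies the matching threat predicate.
def _with_connector(arch: Architecture, old: Connector, new: Connector) -> Architecture:
    return replace(arch, connectors=tuple(new if c == old else c for c in arch.connectors))

def require_authentication(arch: Architecture, conn: Connector) -> Architecture:
    dst = arch.component(conn.dst)
    comps = tuple(replace(c, authenticates_peers=True) if c == dst else c for c in arch.components)
    return replace(arch, components=comps)

def require_integrity(arch: Architecture, conn: Connector) -> Architecture:
    return _with_connector(arch, conn, replace(conn, integrity_protected=True))

def require_confidentiality(arch: Architecture, conn: Connector) -> Architecture:
    return _with_connector(arch, conn, replace(conn, encrypted=True))

TREATMENTS = {"Spoofing": require_authentication, "Tampering": require_integrity,
              "Information disclosure": require_confidentiality}

def detect(arch: Architecture) -> dict[str, list[Connector]]:
    """Evaluate every threat predicate; keep only those with at least one witness."""
    return {name: wit for name, pred in THREATS.items() if (wit := pred(arch))}

def detect_and_treat(arch: Architecture) -> tuple[Architecture, list[str]]:
    """Treat one witness at a time and re-check until no predicate has a witness.
    Terminates because treatments only set mitigation flags and never clear them."""
    log: list[str] = []
    while findings := detect(arch):
        name, witnesses = next(iter(findings.items()))
        conn = witnesses[0]
        arch = TREATMENTS[name](arch, conn)
        log.append(f"{name} on {conn.src}->{conn.dst} ({conn.data}): {TREATMENTS[name].__name__}")
    return arch, log

# Constructed sample model (not from the paper): browser -> API -> database.
SAMPLE = Architecture(
    components=(Component("browser", "external"), Component("api", "dmz"),
                Component("db", "internal", authenticates_peers=True)),
    connectors=(Connector("browser", "api", "credentials", confidential=True),
                Connector("api", "db", "account records", confidential=True)),
)

if __name__ == "__main__":
    for name, witnesses in detect(SAMPLE).items():
        print(name, [f"{c.src}->{c.dst}" for c in witnesses])
    hardened, log = detect_and_treat(SAMPLE)
    print("\n".join(log))
    print("remaining threats:", detect(hardened))
```

Two points a practitioner should keep in mind when building a library like this for real. First, the predicates and treatments are only as good as the metamodel: a flow that is "encrypted" at the model level says nothing about cipher choice or key handling, so the model checks architectural decisions, not implementations. Second, the termination argument of `detect_and_treat` depends on each treatment being monotone (it only adds protection); if a requirement can also remove a property (for instance, routing a flow through a new intermediary component that introduces a fresh boundary crossing), the loop needs a bound or a fixpoint check rather than the naive re-run shown here.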


Notes

  1. STRIDE classifies threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

  2. https://eclipse.org/modeling/emft/.

  3. DREAD is a risk assessment model that rates security threats using five categories: Damage, Reproducibility, Exploitability, Affected users, and Discoverability.


Author information

Corresponding author: Brahim Hamid.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Rouland, Q., Hamid, B., Jaskolka, J. (2020). Reusable Formal Models for Threat Specification, Detection, and Treatment. In: Ben Sassi, S., Ducasse, S., Mili, H. (eds) Reuse in Emerging Software Engineering Practices. ICSR 2020. Lecture Notes in Computer Science, vol 12541. Springer, Cham. https://doi.org/10.1007/978-3-030-64694-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64693-6

  • Online ISBN: 978-3-030-64694-3