Skip to main content
SpringerLink
Log in

A Graph-Based Approach for Analysis of Software Security

  • Conference paper
  • First Online:
Risk Assessment and Risk-Driven Testing (RISK 2013)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 8418))

Included in the following conference series:

  • 724 Accesses

Abstract

This paper describes an approach for an automated analysis of software applications and their security. Therefore a graph-based representation of the software application is generated as a directed graph. Search algorithms are applied to the directed graph algorithm in order to generate information about the security of the reviewed application. A graphical representation is generated to provide an impression about the complexity of the reviewed system. The presented work is part of an ongoing doctoral thesis and is therefore at an early research stage. The approach is explained by a practical example.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 34.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 44.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Paths of equal length are treated with the same probability. More than one shortest path may appear.

  2. 2.

    The example shows that the security analyst needs access to the artifacts or needs at least a detailed description of the artifcats. The process of identification of potential security vulnerabilities strongly depends on this kind of information. The presented approach assumes that the security analyst has gained access to this kind of information.

  3. 3.

    In order to generate the figure, this was explicitly stated in the model description.

  4. 4.

    See also [15]

  5. 5.

    Therefore a Python-based program has been written based on the public source of pefile [18]. Pefile is a script which can be used for investigation of portable executable files. The program based on pefile generates an XML file containing the GraphML description of the static dependencies between the researched program modules.

References

  1. Chen, Y.: Software Security Economics and Threat Modeling based on Attack Path Analysis; A Stakeholder driven approach. University of Southern California, Los Angeles (2007)

    Google Scholar 

  2. Elahi, G., Yu, E., Zannone, N.: A modeling ontology for integrating vulnerabilities into security requirements conceptual foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds.) ER 2009. LNCS, vol. 5829, pp. 99–114. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  3. Lund, M.S., Solhaug, B., Stolen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011)

    Book  Google Scholar 

  4. Ameedeen, M.A., Dordbar, B.: A Model Driven Approach to Represent Sequence Diagrams as Free Choice Petri Nets. School of Computer Science, University of Birmingham, Birmingham B15 2TT, UK (2008)

    Google Scholar 

  5. Sheyner, O., Thesis: Scenario Graphs and Attack Graphs, CMU-CS-04-122. School of Computer Science Department Carnegie Mellon University Pittsburgh, PA, 14 April 2004

    Google Scholar 

  6. Sheyner, O., et al.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, 1081–6011/02 (2002)

    Google Scholar 

  7. Sheyner, O.: Tools for generating and analyzing attack graphs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 344–371. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  8. GraphML - The GraphML File Format. http://graphml.graphdrawing.org

  9. JUNG - Java Universal Network/Graph Framework. http://jung.sourceforge.net

  10. Tittmann, P.: Graphentheorie. Fachbuchverlag Leipzig, Leipzig (2011)

    Book  Google Scholar 

  11. Common Criteria for Information Technology Evaluation, Part 1: Introduction and general model, September 2012. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf

  12. Shostack, A.: Security Briefs: Getting Started With The SDL Threat Modeling Tool, Microsoft Developer Network Magazine, January 2012. http://msdn.microsoft.com/en-us/magazine/dd347831.aspx

  13. LeBlanc, D.: DREADful, Microsoft Developer Network Blogs, 14 August 2007. http://blogs.msdn.com/b/david_leblanc/archive/2007/08/13/dreadful.aspx

  14. Common Vulnerabilities and Exposures Database. http://cve.mitre.org

  15. Microsoft Portable Executable and Common Object File Format Specification, Revision 8.2, Microsoft, September 2010. http://www.microsoft.com/whdc/system/platform/formware/PECOFF.mspx

  16. Dijkstra, E.W.: A note on two problems in connexion with graphs. Numer. Math. 1, 269–271 (1959)

    Article  MATH  MathSciNet  Google Scholar 

  17. Cormen, T.H., Leiserson, C., Rivest, R.L., Stein, C.: Introduction to Algorithms, 2nd edn. MIT Press, Cambridge (2001)

    MATH  Google Scholar 

  18. pefile. http://code.google.com/p/pefile

Download references

Author information

Authors and Affiliations

  1. OpenLimit SignCubes AG, Baar, Switzerland

    Armin Lunkeit

Authors
  1. Armin Lunkeit
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Armin Lunkeit .

Editor information

Editors and Affiliations

  1. Fraunhofer IESE, Kaiserslautern, Germany

    Thomas Bauer

  2. Fraunhofer Institut FOKUS, Berlin, Germany

    Jürgen Großmann

  3. SINTEF ICT, Oslo, Norway

    Fredrik Seehusen

  4. SINTEF ICT, Oslo, Norway

    Ketil Stølen

  5. Fraunhofer Institut FOKUS, Berlin, Germany

    Marc-Florian Wendland

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Lunkeit, A. (2014). A Graph-Based Approach for Analysis of Software Security. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2013. Lecture Notes in Computer Science(), vol 8418. Springer, Cham. https://doi.org/10.1007/978-3-319-07076-6_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-07076-6_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07075-9

  • Online ISBN: 978-3-319-07076-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation