Abstract
This paper describes an approach for an automated analysis of software applications and their security. Therefore a graph-based representation of the software application is generated as a directed graph. Search algorithms are applied to the directed graph algorithm in order to generate information about the security of the reviewed application. A graphical representation is generated to provide an impression about the complexity of the reviewed system. The presented work is part of an ongoing doctoral thesis and is therefore at an early research stage. The approach is explained by a practical example.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Paths of equal length are treated with the same probability. More than one shortest path may appear.
- 2.
The example shows that the security analyst needs access to the artifacts or needs at least a detailed description of the artifcats. The process of identification of potential security vulnerabilities strongly depends on this kind of information. The presented approach assumes that the security analyst has gained access to this kind of information.
- 3.
In order to generate the figure, this was explicitly stated in the model description.
- 4.
See also [15]
- 5.
Therefore a Python-based program has been written based on the public source of pefile [18]. Pefile is a script which can be used for investigation of portable executable files. The program based on pefile generates an XML file containing the GraphML description of the static dependencies between the researched program modules.
References
Chen, Y.: Software Security Economics and Threat Modeling based on Attack Path Analysis; A Stakeholder driven approach. University of Southern California, Los Angeles (2007)
Elahi, G., Yu, E., Zannone, N.: A modeling ontology for integrating vulnerabilities into security requirements conceptual foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds.) ER 2009. LNCS, vol. 5829, pp. 99–114. Springer, Heidelberg (2009)
Lund, M.S., Solhaug, B., Stolen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011)
Ameedeen, M.A., Dordbar, B.: A Model Driven Approach to Represent Sequence Diagrams as Free Choice Petri Nets. School of Computer Science, University of Birmingham, Birmingham B15 2TT, UK (2008)
Sheyner, O., Thesis: Scenario Graphs and Attack Graphs, CMU-CS-04-122. School of Computer Science Department Carnegie Mellon University Pittsburgh, PA, 14 April 2004
Sheyner, O., et al.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, 1081–6011/02 (2002)
Sheyner, O.: Tools for generating and analyzing attack graphs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 344–371. Springer, Heidelberg (2004)
GraphML - The GraphML File Format. http://graphml.graphdrawing.org
JUNG - Java Universal Network/Graph Framework. http://jung.sourceforge.net
Tittmann, P.: Graphentheorie. Fachbuchverlag Leipzig, Leipzig (2011)
Common Criteria for Information Technology Evaluation, Part 1: Introduction and general model, September 2012. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf
Shostack, A.: Security Briefs: Getting Started With The SDL Threat Modeling Tool, Microsoft Developer Network Magazine, January 2012. http://msdn.microsoft.com/en-us/magazine/dd347831.aspx
LeBlanc, D.: DREADful, Microsoft Developer Network Blogs, 14 August 2007. http://blogs.msdn.com/b/david_leblanc/archive/2007/08/13/dreadful.aspx
Common Vulnerabilities and Exposures Database. http://cve.mitre.org
Microsoft Portable Executable and Common Object File Format Specification, Revision 8.2, Microsoft, September 2010. http://www.microsoft.com/whdc/system/platform/formware/PECOFF.mspx
Dijkstra, E.W.: A note on two problems in connexion with graphs. Numer. Math. 1, 269–271 (1959)
Cormen, T.H., Leiserson, C., Rivest, R.L., Stein, C.: Introduction to Algorithms, 2nd edn. MIT Press, Cambridge (2001)
pefile. http://code.google.com/p/pefile
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Lunkeit, A. (2014). A Graph-Based Approach for Analysis of Software Security. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2013. Lecture Notes in Computer Science(), vol 8418. Springer, Cham. https://doi.org/10.1007/978-3-319-07076-6_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-07076-6_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07075-9
Online ISBN: 978-3-319-07076-6
eBook Packages: Computer ScienceComputer Science (R0)