Abstract
Architectural risk analysis is an important aspect of developing software that is free of security flaws. Knowledge of architectural flaws, however, is sparse, in particular in small and medium-sized enterprises. In this paper, we propose a practical approach to architectural risk analysis that leverages Microsoft's threat modeling. Our technique decouples the creation of a system's architecture from the process of detecting and collecting architectural flaws. This way, our approach allows a software architect to automatically detect vulnerabilities in software architectures by using a security knowledge base. We evaluated our approach with real-world case studies, focusing on logistics applications. The evaluation uncovered several flaws with a major impact on the security of the software.
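The abstract describes matching a security knowledge base against an architecture model that was produced independently of the analysis. The following is an added illustration of that idea, written for this page and not taken from the paper or its tooling: the data flow diagram schema (element kinds, trust zones, the `sensitive`, `encrypted` and `authenticated` flow attributes) and the three rules are assumptions made here, and the CWE identifiers they report are the ones listed in the appendix below. The constructed logistics DFD is first analysed as modelled, then again after the flaws have been fixed in the model.

```python
"""Rule-based flaw detection over an extended data flow diagram (DFD).

Added example. The DFD schema, element attributes and the rule knowledge
base are assumptions for this illustration, not the paper's own model.
"""
from dataclasses import dataclass, field


@dataclass
class Element:
    name: str
    kind: str                        # "external", "process" or "store"
    zone: str                        # trust zone the element belongs to
    critical: bool = False           # process exposes a security-critical function
    encrypted_at_rest: bool = False  # only meaningful for kind == "store"


@dataclass
class Flow:
    src: str
    dst: str
    data: str
    sensitive: bool = False          # carries credentials, PII, payment data, ...
    encrypted: bool = False          # transport protection on the channel
    authenticated: bool = False      # caller is authenticated before the call


@dataclass
class DFD:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, e: Element) -> None:
        self.elements[e.name] = e

    def connect(self, f: Flow) -> None:
        self.flows.append(f)

    def crosses_boundary(self, f: Flow) -> bool:
        # A flow crosses a trust boundary when its endpoints sit in different zones.
        return self.elements[f.src].zone != self.elements[f.dst].zone


# --- knowledge base: each rule yields (CWE id, human-readable location) ---

def rule_cleartext_transmission(dfd: DFD):
    """CWE-319: sensitive data leaves a trust zone on an unprotected channel."""
    for f in dfd.flows:
        if f.sensitive and dfd.crosses_boundary(f) and not f.encrypted:
            yield ("CWE-319", f"{f.src}->{f.dst} sends '{f.data}' in cleartext across a boundary")


def rule_missing_authentication(dfd: DFD):
    """CWE-306: a critical function is reachable across a boundary without authentication."""
    for f in dfd.flows:
        dst = dfd.elements[f.dst]
        if dst.kind == "process" and dst.critical and dfd.crosses_boundary(f) and not f.authenticated:
            yield ("CWE-306", f"{f.src} reaches critical process {f.dst} unauthenticated")


def rule_missing_encryption_at_rest(dfd: DFD):
    """CWE-311: a store receives sensitive data but is not encrypted at rest."""
    for e in dfd.elements.values():
        if e.kind == "store" and not e.encrypted_at_rest:
            if any(f.dst == e.name and f.sensitive for f in dfd.flows):
                yield ("CWE-311", f"store {e.name} holds sensitive data unencrypted")


RULES = [rule_cleartext_transmission, rule_missing_authentication, rule_missing_encryption_at_rest]


def analyze(dfd: DFD) -> list:
    """Run every rule of the knowledge base and return sorted, de-duplicated findings."""
    return sorted({finding for rule in RULES for finding in rule(dfd)})


def build_dfd(encrypted: bool, authenticated: bool, encrypted_at_rest: bool) -> DFD:
    """Constructed logistics example: customer -> shipment portal -> order database."""
    dfd = DFD()
    dfd.add(Element("Customer", "external", zone="internet"))
    dfd.add(Element("ShipmentPortal", "process", zone="dmz", critical=True))
    dfd.add(Element("OrderDB", "store", zone="internal", encrypted_at_rest=encrypted_at_rest))
    dfd.connect(Flow("Customer", "ShipmentPortal", "credentials", sensitive=True,
                     encrypted=encrypted, authenticated=authenticated))
    dfd.connect(Flow("ShipmentPortal", "OrderDB", "order record", sensitive=True,
                     encrypted=True, authenticated=True))
    return dfd


def example_dfd() -> DFD:
    """Architecture as modelled: unprotected customer channel, unencrypted store."""
    return build_dfd(encrypted=False, authenticated=False, encrypted_at_rest=False)


def hardened_dfd() -> DFD:
    """Same architecture after the three flaws have been addressed in the model."""
    return build_dfd(encrypted=True, authenticated=True, encrypted_at_rest=True)


if __name__ == "__main__":
    for cwe, where in analyze(example_dfd()):
        print(cwe, where)
    print("hardened model findings:", analyze(hardened_dfd()))
```

The point of the split between `build_dfd` and `RULES` is the decoupling the abstract refers to: the architect maintains the model, the security team maintains the rules, and either can change without the other being rewritten.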
Notes
1. For the sake of presentation, we only give the complete names of CWE as well as CAPEC entries in the appendix.
Acknowledgement
This work was supported by the German Federal Ministry of Education and Research (BMBF) under the grant 16KIS0069K (ZertApps project).
A CWE and CAPEC Rules
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-134: Uncontrolled Format String
- CWE-190: Integer Overflow or Wraparound
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-306: Missing Authentication for Critical Function
- CWE-311: Missing Encryption of Sensitive Data
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-759: Use of a One-Way Hash without a Salt
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-22: Exploiting Trust in Client (aka Make the Client Invisible)
- CAPEC-66: SQL Injection
- CAPEC-94: Man in the Middle Attack
- CAPEC-108: Command Line Execution through SQL Injection
Copyright information
© 2016 Springer International Publishing Switzerland
Berger, B.J., Sohr, K., Koschke, R. (2016). Automatically Extracting Threats from Extended Data Flow Diagrams. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_4
DOI: https://doi.org/10.1007/978-3-319-30806-7_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7