Abstract
Static security analysis of software has made great progress in recent years, particularly in the detection of low-level security bugs such as buffer overflows, Cross-Site Scripting and SQL injection vulnerabilities. Complementing commercial static code review tools, we present an approach to static security analysis that is based on the software architecture and uses a reverse engineering tool suite called Bauhaus. This allows software to be analyzed at a more abstract level and makes a more focused analysis possible, concentrating on software modules regarded as security-critical. In addition, certain security flaws, such as the circumvention of APIs or incomplete enforcement of access control, can be detected at the architectural level. We discuss our approach in the context of a business application and Android’s Java-based middleware.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sohr, K., Berger, B. (2010). Idea: Towards Architecture-Centric Security Analysis of Software. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_6
DOI: https://doi.org/10.1007/978-3-642-11747-3_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer Science, Computer Science (R0)