
Efficiency and Automation in Threat Analysis of Software Systems

Abstract
Context: Security is a growing concern in many organizations. Industries developing software systems plan for security early on to minimize expensive code refactorings after deployment. In the design phase, teams of experts routinely analyze the system architecture and design to find potential security threats and flaws. After the system is implemented, the source code is often inspected to determine its compliance with the intended functionalities.

Objective: The goal of this thesis is to improve on the performance of security design analysis techniques (in the design and implementation phases) and to support practitioners with automation and tool support.

Method: We conducted empirical studies to build an in-depth understanding of existing threat analysis techniques (a systematic literature review and controlled experiments). We also conducted empirical case studies with industrial participants to validate our attempt at improving the performance of one technique. Further, we validated our proposal for automating the inspection of security design flaws by organizing workshops with participants (under controlled conditions) and a subsequent performance analysis. Finally, we relied on a series of experimental evaluations to assess the quality of the proposed approach for automating security compliance checks.

Findings: We found that the eSTRIDE approach can help focus the analysis and produce twice as many high-priority threats in the same time frame. We also found that reasoning about security in an automated fashion requires extending the existing notations with more precise security information. In a formal setting, the minimal model extensions for doing so include security contracts for system nodes handling sensitive information. The formally based analysis can, to some extent, provide completeness guarantees. For a graph-based detection of flaws, the minimal required model extensions include data types and security solutions. In such a setting, the automated analysis can help reduce the number of overlooked security flaws. Finally, we suggested defining a correspondence mapping between the design model elements and the implemented constructs. We found that such a mapping is a key enabler for automatically checking the security compliance of the implemented system with the intended design. The key to achieving this is two-fold. First, a heuristics-based search is paramount to limit the manual effort required to define the mapping. Second, it is important to analyze the implemented data flows and compare them to the data flows stipulated by the design.
Parts of work
Tuma, K., Çalikli, G., & Scandariato, R. (2018). Threat analysis of software systems: A systematic literature review. Journal of Systems and Software, 144, 275-294. doi: 10.1016/j.jss.2018.06.073

Tuma, K., & Scandariato, R. (2018). Two architectural threat analysis techniques compared. In Proceedings of the European Conference on Software Architecture (pp. 347-363). doi: 10.1007/978-3-030-00761-4_23

Tuma, K., Scandariato, R., Widman, M., & Sandberg, C. (2017). Towards security threats that matter. In Proceedings of the Computer Security: International Workshop on the Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS) (pp. 47-62). doi: 10.1007/978-3-319-72817-9_4

Tuma, K., Sandberg, C., Thorsson, U., Widman, M., Herpel, T., & Scandariato, R. (2020). Finding Security Threats That Matter: Two Industrial Case Studies. In submission to JSS.

Tuma, K., Scandariato, R., & Balliu, M. (2019). Flaws in flows: Unveiling design flaws via information flow analysis. In Proceedings of the International Conference on Software Architecture (ICSA) (pp. 191-200). doi: 10.1109/ICSA.2019.00028

Tuma, K., Hosseini, D., Malamas, K., & Scandariato, R. (2019). Inspection guidelines to identify security design flaws. In Proceedings of the European Conference on Software Architecture - Volume 2 (pp. 116-122). doi: 10.1145/3344948.3344995

Tuma, K., Sion, L., Scandariato, R., & Yskout, K. (2020). Automating the early detection of security design flaws. In Proceedings of the International Conference on Model Driven Engineering Languages and Systems (MODELS) (pp. 332-342). doi: 10.1145/3365438.3410954

Peldszus, S., Tuma, K., Strüber, D., Jürjens, J., & Scandariato, R. (2019). Secure Data-Flow Compliance Checks between Models and Code based on Automated Mappings. In Proceedings of the International Conference on Model Driven Engineering Languages and Systems (MODELS) (pp. 23-33). doi: 10.1109/MODELS.2019.00-18

Tuma, K., Peldszus, S., Scandariato, R., Strüber, D., & Jürjens, J. (2020). Checking Security Compliance between Models and Code. In submission to SoSyM.
 
Degree
Doctor of Philosophy
University
Göteborgs universitet. IT-fakulteten
Institution
Department of Computer Science and Engineering; Institutionen för data- och informationsteknik
Public defence
Monday 11 January 2021, 14:15, Room Jupiter 473, Göteborgs Universitet, Campus Lindholmen, Hörselgången 5
Date of defence
2021-01-11
E-mail
katja.tuma@cse.gu.se
URI
http://hdl.handle.net/2077/66967
Collections
  • Doctoral Theses / Doktorsavhandlingar Institutionen för data- och informationsteknik
  • Doctoral Theses from University of Gothenburg / Doktorsavhandlingar från Göteborgs universitet
View/Open
Cover (653.7Kb)
Abstract (86.83Kb)
Thesis frame (1.561Mb)
Date
2020-12-04
Author
Katja, Tuma
Keywords
Secure Software Design, Threat Analysis (Modeling), Automation, Security Compliance
Publication type
Doctoral thesis
ISBN
978-91-8009-155-8 (PDF)
978-91-8009-154-1 (PRINT)
ISSN
1652-876X
Series/Report no.
http://hdl.handle.net/2077/66967
191D
Language
eng
DSpace software copyright © 2002-2016  DuraSpace
Contact Us | Send Feedback
Theme by 
Atmire NV