Checking threat modeling data flow diagrams for implementation conformance and security

Abi-Antoun, Marwan; Wang, Daniel; Torr, Peter

doi:10.1145/1321631.1321692

Cited by 30 publications

(17 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Threats in a system have been modeled by several approaches, which include attack trees [2], data flow diagrams [3], and UML-based modeling [4,5,6]. Attack trees in [2] provide an approach to modeling and analyzing the threats of systems, and the threats are analyzed in terms of attacker's capabilities.…”

Section: Related Workmentioning

confidence: 99%

“…Attack trees in [2] provide an approach to modeling and analyzing the threats of systems, and the threats are analyzed in terms of attacker's capabilities. The design models in [3] are specified with data flow diagram, and the threats to the models are identified and analyzed using scenarios of each function in a system. Several threat modeling approaches, such as misuse cases [4], abuse cases [5], and HAZOP (Hazard and Operability Analysis) [6], have been developed for object-oriented software systems.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Security Requirements for Tolerating Security Failures

Shin

Pathirage²

2017

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

Abstract-This paper describes security failure-tolerant requirements, which tolerate the failures of security services that protect applications from security attacks. A security service, such as authentication, confidentiality or integrity security service, can be always broken down as advanced attack skills are coined. There is no security service that is forever secure. This paper describes an approach to developing the security failure-tolerant use case that specifies the security requirements for tolerating the breaches of security services. A security failure-tolerant use case is modeled along with application use case and security use case, and specified with application use case description. Threats to applications are identified and modeled to develop security failure-tolerant requirements. Online shopping system is used for illustrating security failure-tolerant requirements.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Security Requirements for Tolerating Security Failures

Shin

Pathirage²

2017

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

show abstract

“…Also in earlier work [5], Abi-Antoun, Wang and Torr defined a model for reasoning about security at the architectural-level, following the STRIDE methodology commonly used in threat modeling. The previous security model and checker were implemented using custom code.…”

Section: Related Workmentioning

confidence: 99%

Analyzing security architectures

Abi-Antoun

Barnes

2010

Proceedings of the IEEE/ACM International Conference on Automated Software Engineering

Self Cite

View full text Add to dashboard Cite

We present a semi-automated approach, Secoria, for analyzing a security runtime architecture for security and for conformance to an object-oriented implementation. Typecheckable annotations describe architectural intent within the code, enabling a static analysis to extract a hierarchical object graph that soundly reflects all runtime objects and runtime relations between them. In addition, the annotations can describe modular, code-level policies. A separate analysis establishes traceability between the extracted object graph and a target architecture documented in an architecture description language. Finally, architectural types, properties, and logic predicates describe global constraints on the target architecture, which will also hold in the implementation. We validate the Secoria approach by analyzing a 3,000-line pedagogical Java implementation and a runtime architecture designed by a security expert.

show abstract

“…When a security expert asks a developer to build a security architecture for a system under study, the developer typically produces a diagram mostly from his recollection of how the system works, with little tool support to extract such an architecture from the code. Then, during the security review, the experts study the architecture, assign to the components different architectural properties such as trustLevel [2] or privacyLevel, and enumerate all possible communication between the more trusted and the less trusted components of the system. But if the architecture does not show all the communication that is present in the system, the results of an architectural-level analysis may be incorrect.…”

Section: Performing Organization Name(s) and Address(es)mentioning

confidence: 99%

“…Architectural properties In previous work, we defined element-level properties, such as trustLevel, to support an architectural-level analysis to identify spoofing or tampering [2].…”

Section: Architectural Constraintsmentioning

confidence: 99%

Enforcing Conformance between Security Architecture and Implementation

Abi-Antoun¹,

Barnes²

2009

Self Cite

View full text Add to dashboard Cite

Analysis at the level of a runtime architecture matches the way experts reason about security or privacy better than a purely code-based strategy. However, the architecture must still be correctly realized in the implementation.We previously developed Scholia to analyze, at compile time, communication integrity between arbitrary object-oriented code, and a rich, hierarchical intended runtime architecture, using typecheckable annotations. This paper applies Scholia to security runtime architectures. Having established traceability between the target architecture and the code, we extend Scholia to enforce structural architectural constraints. At the code level, annotations enforce local, modular constraints. At the architectural level, predicates enforce global constraints. We validate the end-to-end approach in practice using a real 3,000-line Java implementation, and enforce its conformance to a security architecture designed by an expert.Abi-Antoun was supported in part by DARPA grant #HR00110710019, NSF grant CCF-0546550, and Army Research Office grant #DAAD19-02-1-0389 entitled "Perpetually Available and Secure Information Systems."Barnes was supported in part by the Office of Naval Research (ONR), United States Navy, N000140811223 as part of the HSCB project under OSD, by the US Army Research Office (ARO) under grant numbers DAAD19-02-1-0389 ("Perpetually Available and Secure Information Systems") to Carnegie Mellon University's CyLab and DAAD19-01-1-0485, and by the Software Engineering Institute at CMU. The views and conclusions described here are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any funding agency, the US government, or any other entity. Report Documentation PageForm Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.

show abstract

Checking threat modeling data flow diagrams for implementation conformance and security

Cited by 30 publications

References 16 publications

Security Requirements for Tolerating Security Failures

Security Requirements for Tolerating Security Failures

Analyzing security architectures

Enforcing Conformance between Security Architecture and Implementation

Contact Info

Product

Resources

About