Idea: Towards Architecture-Centric Security Analysis of Software

Sohr, Karsten; Berger, Bernhard J.

doi:10.1007/978-3-642-11747-3_6

Cited by 19 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If we have detected a security pattern or compound, we can extract the pattern in a new view and highlight sources and sinks of the patterns. This would enhance the role-based view described by Sohr et al [25] and give the opportunity to plug in a further information flow analysis to validate the pattern's behavior. To give an example consider the communication with a database or a password manager.…”

Section: The Bauhaus Toolmentioning

confidence: 95%

“…3 Security Aspects and the RFG Sohr and Berger [25] depict some possibilities to accomplish a security analysis with the RFG. We resume on their point and discuss other security aspects that can be based upon the RFG.…”

Section: The Bauhaus Toolmentioning

confidence: 99%

“…Concerning security and software architectures, Ryoo et al [22] presented a basic approach to detecting architectural constructs and properties that make software less secure. Another idea on employing the software architecture for static security analysis was described by Sohr and Berger [25]. They use the RFG to check policies and permissions on Java EE and the Android platform.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

An Architecture-Centric Approach to Detecting Security Patterns in Software

Bunke¹,

Sohr²

2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Today, software security is an issue with increasing importance. Developers, software designers, end users, and enterprises have their own needs w.r.t. software security. Therefore, when designing software, security should be built in from the beginning, for example, by using security patterns. Utilizing security patterns already improves the security of software in early software development stages. In this paper, we show how to detect security patterns in code with the help of a reverse engineering tool-suite Bauhaus. Specifically, we describe an approach to detect the Single Access Point security pattern in two case studies using the hierarchical reflexion method implemented in Bauhaus.

show abstract

Section: The Bauhaus Toolmentioning

confidence: 95%

Section: The Bauhaus Toolmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

An Architecture-Centric Approach to Detecting Security Patterns in Software

Bunke¹,

Sohr²

2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Based on ARA, Sohr et al propose an architectural centric approach to find architectural flaws [35]. We share the same motivation in our work, but the solutions proposed differ.…”

Section: Dynamic Analysis Of Legacy Codementioning

confidence: 97%

Finding architectural flaws using constraints

Vanciu

Abi-Antoun

2013

2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Abstract-During Architectural Risk Analysis (ARA), security architects use a runtime architecture to look for security vulnerabilities that are architectural flaws rather than coding defects. The current ARA process, however, is mostly informal and manual. In this paper, we propose Scoria, a semi-automated approach for finding architectural flaws. Scoria uses a sound, hierarchical object graph with abstract objects and dataflow edges, where edges can refer to nodes in the graph. The architects can augment the object graph with security properties, which can express security information unavailable in code. Scoria allows architects to write queries on the graph in terms of the hierarchy, reachability, and provenance of a dataflow object. Based on the query results, the architects enhance their knowledge of the system security and write expressive constraints. The expressiveness is richer than previous approaches that check only for the presence or absence of communication or do not track a dataflow as an object. To evaluate Scoria, we apply these constraints to several extended examples adapted from the CERT standard for Java to confirm that Scoria can detect injected architectural flaws. Next, we write constraints to enforce an Android security policy and find one architectural flaw in one Android application.

show abstract

“…Since access control is crucial to many platforms and applications, we can apply the task of extracting the access control policy on other platforms. For example, we extracted the access control policy of a Java enterprise application and compared that policy with the documentation employing the reflexion analysis [31].…”

Section: A Possible Architectural Viewsmentioning

confidence: 99%

An Android Security Case Study with Bauhaus

Berger

Bunke

Sohr

2011

2011 18th Working Conference on Reverse Engineering

Self Cite

View full text Add to dashboard Cite

Abstract-Software security has made great progress; code analysis tools are widely-used in industry for detecting common implementation-level security bugs. However, given the fact that we must deal with legacy code we plead to employ the techniques long been developed in the research area of program comprehension for software security. In cooperation with a security expert, we carried out a case study with the mobile phone platform Android, and employed the reverse engineering tool-suite Bauhaus for this security assessment. During the investigation we found some inconsistencies in the implementation of the Android security concepts. Based on the lessons learned from the case study, we propose several research topics in the area of reverse engineering that would support a security analyst during security assessments.

show abstract

Idea: Towards Architecture-Centric Security Analysis of Software

Cited by 19 publications

References 12 publications

An Architecture-Centric Approach to Detecting Security Patterns in Software

An Architecture-Centric Approach to Detecting Security Patterns in Software

Finding architectural flaws using constraints

An Android Security Case Study with Bauhaus

Contact Info

Product

Resources

About