Using variability modeling to support security evaluations

Kenner, Andy; Dassow, Stephan; Lausberger, Christian; Krüger, Jacob; Leich, Thomas

doi:10.1145/3377024.3377026

Cited by 6 publications

(10 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Those exploits attempt to force a break at the vulnerable parts. As our first case study also confirmed, an attacker needs detailed information about the victim system and its environment [26]. CVE.…”

Section: Introductionsupporting

confidence: 53%

“…In our previous case study [26], we evaluated detailed information about the characteristics of vulnerabilities, their exploitation and compatible attack scenarios. We extracted this information from various database and used it to virtualize vulnerable systems in Docker containers.…”

Section: Case Study and First Resultsmentioning

confidence: 99%

“…After a vulnerability is discovered and analyzed within an additional audit process, The MITRE Corporation creates a new CVE-Identifier (CVE-ID) and assigns it [37] (see Figure 1, left). Figure 2 shows an CVE-entry CVE-2014-1511, 6 , which we used in our previous case study [26].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Model-Based Evaluation of Vulnerabilities in Software Systems

Kenner

2020

Proceedings of the 24th ACM International Systems and Software Product Line Conference - Volume B

Self Cite

View full text Add to dashboard Cite

Vulnerabilities in software systems result from faults, which occur at different stages in a software's life cycle, for example, in the design (i.e., undesired feature-interactions), the development (i.e., buffer overflows), or the operation (i.e., configuration errors). Various databases provide detailed information about vulnerabilities in software systems or the way to exploit it, but face severe limitations. The information is scattered across these databases, fluctuates in quality and granularity, and provides only an insight into a single vulnerability per entry. Even for a single software system it is challenging for any security-related stakeholder to determine the threat level, which consists of all vulnerabilities of the software system and its environment (i.e., operating system). Manual vulnerability management is feasible only to a limited extend if we want to identify all configurations that are affected by vulnerabilities, or determine a system's threat level and the resulting risk we have to deal with. For variant-rich systems, we also have to deal with variability, allowing different stakeholders to understand the threats to their particular setup. To deal with this variability, we propose vulnerability feature models, which offer a homogeneous view on all vulnerabilities of a software system. These models and the resulting analyses offer advantages in many disciplines of the vulnerability management process. In this paper, we report the research plan for our project, in which we focus on the model-based evaluation of vulnerabilities. This includes research objectives that take into account the design of vulnerability feature models, their application in the process of vulnerability management, and the impact of evolution, discovery, and verification of vulnerabilities. CCS CONCEPTS • Security and privacy → Vulnerability management; • Software and its engineering → Software product lines.

show abstract

Section: Introductionsupporting

confidence: 53%

Section: Case Study and First Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Model-Based Evaluation of Vulnerabilities in Software Systems

Kenner

2020

Proceedings of the 24th ACM International Systems and Software Product Line Conference - Volume B

Self Cite

View full text Add to dashboard Cite

show abstract

“…FMs have been demonstrated very useful in the security field where they are applied to model the domain of configuration of security systems [44] and for the selection of configurations t o r educe t he security risk in the selection of configurations [50]. The idea of using FMs to represent the vulnerabilities of systems already existed in the literature [27]. The authors analyse the vulnerabilities to create synthetic attack scenarios.…”

Section: Related Workmentioning

confidence: 99%

Amadeus

Varela-Vaca

Gasca

Carmona-Fombella

et al. 2020

Proceedings of the 24th ACM Conference on Systems and Software Product Line: Volume a - Volume A

View full text Add to dashboard Cite

The proper configuration of systems has become a fundamental factor to avoid cybersecurity risks. Thereby, the analysis of cybersecurity vulnerabilities is a mandatory task, but the number of vulnerabilities and system configurations that can be threatened is extremely high. In this paper, we propose a method that uses software product line techniques to analyse the vulnerable configuration of the systems. We propose a solution, entitled AMADEUS, to enable and support the automatic analysis and testing of cybersecurity vulnerabilities of configuration systems based on feature models. AMADEUS is a holistic solution that is able to automate the analysis of the specific infrastructures in the organisations, the existing vulnerabilities, and the possible configurations extracted from the vulnerability repositories. By using this information, AMADEUS generates automatically the feature models, that are used for reasoning capabilities to extract knowledge, such as to determine attack vectors with certain features. AMADEUS has been validated by demonstrating the capacities of feature models to support the threat scenario, in which a wide variety of vulnerabilities extracted from a real repository are involved. Furthermore, we open the door to new applications where software product line engineering and cybersecurity can be empowered. CCS CONCEPTS• Software and its engineering → Software product lines.␣

show abstract

“…Other researches developed a security requirements engineering framework for CPSs, that is an extension of SREP [31]. The capacity to support the high variability in the security context though Feature Models appeared in previous papers [23], where the authors study the possible vulnerabilities to create attack scenarios, but not it does not apply to a complex scenario as the CPSs need.…”

Section: Cybersecurity and Feature Model Analysismentioning

confidence: 99%

Definition and Verification of Security Configurations of Cyber-Physical Systems

et al. 2020

View full text Add to dashboard Cite

The proliferation of Cyber-Physical Systems (CPSs) is raising serious security challenges. These are complex systems, integrating physical elements into automated networked systems, often containing a variety of devices, such as sensors and actuators, and requiring complex management and data storage. This makes the construction of secure CPSs a challenge, requiring not only an adequate specification of security requirements and needs related to the business domain but also an adaptation and concretion of these requirements to define a security configuration of the CPS where all its components are related. Derived from the complexity of the CPS, their configurations can be incorrect according to the requirements, and must be verified. In this paper, we propose a grammar for specifying business domain security requirements based on the CPS components. This will allow the definition of security requirements that, through a defined security feature model, will result in a configuration of services and security properties of the CPS, whose correctness can be verified. For this last stage, we have created a catalogue of feature models supported by a tool that allows the automatic verification of security configurations. To illustrate the results, the proposal has been applied to automated verification of requirements in a hydroponic system scenario.

show abstract

Using variability modeling to support security evaluations

Cited by 6 publications

References 14 publications

Model-Based Evaluation of Vulnerabilities in Software Systems

Model-Based Evaluation of Vulnerabilities in Software Systems

Amadeus

Definition and Verification of Security Configurations of Cyber-Physical Systems

Contact Info

Product

Resources

About