Measurement Framework for Software Privilege Protection Based on User Interaction Analysis

Abstract

Software security is a complex notion that has to be analyzed from several perspectives. One such perspective is the restriction and protection of software privileges. In other words, a secure software system should be able to prevent misuse of the privileges granted. Privileges are usually protected in software systems by integrating or implementing appropriate security modules or mechanisms. Knowing how system privileges are protected by security mechanisms helps software developers in reducing the security risks underlying software systems. In this paper, we propose a measurement framework to evaluate quantitatively the privilege protections of a software system at the design level. Our analysis is based on modelling and analyzing user interactions based on the so-called User System Interaction Effect (USIE) Model. Specifically we define some measurement abstractions and associated metrics for assessing software privilege protection. We evaluate our framework by conducting an empirical study based on a medical record keeping software system.