A model-driven formal methods approach to software architectural security vulnerabilities specification and verification

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2024-09-16 DOI:10.1016/j.jss.2024.112219

Quentin Rouland , Brahim Hamid , Jason Jaskolka

{"title":"A model-driven formal methods approach to software architectural security vulnerabilities specification and verification","authors":"Quentin Rouland , Brahim Hamid , Jason Jaskolka","doi":"10.1016/j.jss.2024.112219","DOIUrl":null,"url":null,"abstract":"<div><div>Detecting and addressing security vulnerabilities in software designs is crucial for ensuring the reliable and safe operation of systems. Existing approaches for vulnerability specification lack the necessary flexibility for practical use. To tackle this issue, we propose an integrated model-driven approach for vulnerability detection and treatment during software architecture design. The approach involves specifying vulnerabilities as properties of a modeled system in a technology-independent language, expressing conditions for vulnerability detection using a language supported by automated tools, and recommending security requirements to mitigate detected vulnerabilities. Formalized vulnerabilities and security requirements are presented as model libraries to facilitate reuse. Our methodology employs first-order and modal logic as a technology-independent formalism, with Alloy as the tool-supported language for modeling and software development. We have developed a Model-Driven Engineering (MDE) tool to implement this approach. To validate our work, we apply it to representative vulnerabilities based on the Common Weakness Enumeration (CWE) classifications within the context of secure component-based software architecture development.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"219 ","pages":"Article 112219"},"PeriodicalIF":3.7000,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121224002632","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Detecting and addressing security vulnerabilities in software designs is crucial for ensuring the reliable and safe operation of systems. Existing approaches for vulnerability specification lack the necessary flexibility for practical use. To tackle this issue, we propose an integrated model-driven approach for vulnerability detection and treatment during software architecture design. The approach involves specifying vulnerabilities as properties of a modeled system in a technology-independent language, expressing conditions for vulnerability detection using a language supported by automated tools, and recommending security requirements to mitigate detected vulnerabilities. Formalized vulnerabilities and security requirements are presented as model libraries to facilitate reuse. Our methodology employs first-order and modal logic as a technology-independent formalism, with Alloy as the tool-supported language for modeling and software development. We have developed a Model-Driven Engineering (MDE) tool to implement this approach. To validate our work, we apply it to representative vulnerabilities based on the Common Weakness Enumeration (CWE) classifications within the context of secure component-based software architecture development.

查看原文本刊更多论文

软件架构安全漏洞规范与验证的模型驱动形式方法

检测和解决软件设计中的安全漏洞对于确保系统的可靠和安全运行至关重要。现有的漏洞规范方法缺乏实际应用所需的灵活性。为了解决这个问题，我们提出了一种综合的模型驱动方法，用于在软件架构设计过程中检测和处理漏洞。该方法包括用一种技术独立的语言将漏洞指定为建模系统的属性，用一种自动工具支持的语言表达漏洞检测的条件，并推荐安全要求以减少检测到的漏洞。形式化的漏洞和安全要求以模型库的形式呈现，便于重复使用。我们的方法采用一阶逻辑和模态逻辑作为与技术无关的形式主义，并使用 Alloy 作为建模和软件开发的工具支持语言。我们开发了一种模型驱动工程（MDE）工具来实现这种方法。为了验证我们的工作，我们在基于组件的安全软件架构开发中，将其应用于基于常见弱点枚举（CWE）分类的代表性漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.