Semi-Automatic Software Security Model Extraction: Semi-Automatic Extraction of Security Relevant Information from Source Code for Formally Based Security Models

Abstract

As society becomes increasingly integrated and dependant on software systems, software security is more relevant than ever before. In order to ensure that software applications are secure, different threat modelling techniques are employed. However, many of these rely a great deal on the availability of a security expert and require significant manual effort, often resulting in high time consumption. This thesis describes the development of a tool which automatically extracts a formally specified representation of the software architecture with extended security annotations. The extracted architectural model is known as a “SecDFD”, which is a graph-like representation of software architecture populated with security relevant information from source code, which in turn allows for automated analysis of information flow properties. The SecDFD extraction tool performs semi-automatic extraction of architectural security information from the implementation by processing textual representation of call-graphs together with the source code of the project under analysis. The tool was evaluated by black box testing, and controlled empirical experiments. Our evaluation shows that, while the tool requires further work, it holds potential for use in threat modelling activities.