Semi-Automatic Software Security Model Extraction: Semi-Automatic Extraction of Security Relevant Information from Source Code for Formally Based Security Models

Typ
Examensarbete för masterexamen
Program
Publicerad
2019
Författare
FARHAND, NEDA
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
As society becomes increasingly integrated and dependant on software systems, software security is more relevant than ever before. In order to ensure that software applications are secure, different threat modelling techniques are employed. However, many of these rely a great deal on the availability of a security expert and require significant manual effort, often resulting in high time consumption. This thesis describes the development of a tool which automatically extracts a formally specified representation of the software architecture with extended security annotations. The extracted architectural model is known as a “SecDFD”, which is a graph-like representation of software architecture populated with security relevant information from source code, which in turn allows for automated analysis of information flow properties. The SecDFD extraction tool performs semi-automatic extraction of architectural security information from the implementation by processing textual representation of call-graphs together with the source code of the project under analysis. The tool was evaluated by black box testing, and controlled empirical experiments. Our evaluation shows that, while the tool requires further work, it holds potential for use in threat modelling activities.
Beskrivning
Ämne/nyckelord
Software, Security, Automation, Extraction, eDFD, Threat Modeling
Citation
Arkitekt (konstruktör)
Geografisk plats
Byggnad (typ)
Byggår
Modelltyp
Skala
Teknik / material