Semi-Automatic Software Security Model Extraction: Semi-Automatic Extraction of Security Relevant Information from Source Code for Formally Based Security Models

Publicerad

Författare

Typ

Examensarbete för masterexamen

Program

Modellbyggare

Tidskriftstitel

ISSN

Volymtitel

Utgivare

Sammanfattning

As society becomes increasingly integrated and dependant on software systems, software security is more relevant than ever before. In order to ensure that software applications are secure, different threat modelling techniques are employed. However, many of these rely a great deal on the availability of a security expert and require significant manual effort, often resulting in high time consumption. This thesis describes the development of a tool which automatically extracts a formally specified representation of the software architecture with extended security annotations. The extracted architectural model is known as a “SecDFD”, which is a graph-like representation of software architecture populated with security relevant information from source code, which in turn allows for automated analysis of information flow properties. The SecDFD extraction tool performs semi-automatic extraction of architectural security information from the implementation by processing textual representation of call-graphs together with the source code of the project under analysis. The tool was evaluated by black box testing, and controlled empirical experiments. Our evaluation shows that, while the tool requires further work, it holds potential for use in threat modelling activities.

Beskrivning

Ämne/nyckelord

Software, Security, Automation, Extraction, eDFD, Threat Modeling

Citation

Arkitekt (konstruktör)

Geografisk plats

Byggnad (typ)

Byggår

Modelltyp

Skala

Teknik / material

Index

item.page.endorsement

item.page.review

item.page.supplemented

item.page.referenced