Semi-Automatic Software Security Model Extraction: Semi-Automatic Extraction of Security Relevant Information from Source Code for Formally Based Security Models
Ladda ner
Publicerad
Författare
Typ
Examensarbete för masterexamen
Program
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
As society becomes increasingly integrated and dependant on software systems, software
security is more relevant than ever before. In order to ensure that software
applications are secure, different threat modelling techniques are employed. However,
many of these rely a great deal on the availability of a security expert and
require significant manual effort, often resulting in high time consumption. This
thesis describes the development of a tool which automatically extracts a formally
specified representation of the software architecture with extended security annotations.
The extracted architectural model is known as a “SecDFD”, which is a
graph-like representation of software architecture populated with security relevant
information from source code, which in turn allows for automated analysis of information
flow properties. The SecDFD extraction tool performs semi-automatic
extraction of architectural security information from the implementation by processing
textual representation of call-graphs together with the source code of the
project under analysis. The tool was evaluated by black box testing, and controlled
empirical experiments. Our evaluation shows that, while the tool requires further
work, it holds potential for use in threat modelling activities.
Beskrivning
Ämne/nyckelord
Software, Security, Automation, Extraction, eDFD, Threat Modeling