Abstract
Static security analysis of software has made great progress over the last years. In particular, this applies to the detection of low-level security bugs such as buffer overflows, Cross-Site Scripting and SQL injection vulnerabilities. Complementarily to commercial static code review tools, we present an approach to the static security analysis which is based upon the software architecture using a reverse engineering tool suite called Bauhaus. This allows one to analyze software on a more abstract level, and a more focused analysis is possible, concentrating on software modules regarded as security-critical. In addition, certain security flaws can be detected at the architectural level such as the circumvention of APIs or incomplete enforcement of access control. We discuss our approach in the context of a business application and Android’s Java-based middleware.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
American National Standards Institute Inc. Role Based Access Control, ANSI-INCITS 359-2004 (2004)
Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information and Software Technology 51, 815–831 (2009)
CERT/CC. CERT statistics (2008), http://www.cert.org/stats/
Chen, H., Wagner, D.: MOPS: an infrastructure for examining security properties of software. In: ACM Conference on Computer and Communications Security, pp. 235–244 (2002)
Chess, B.: Improving Computer Security Using Extended Static Checking. In: IEEE Symposium on Security and Privacy, p. 160 (2002)
Cok, D.R., Kiniry, J.: ESC/Java2: Uniting ESC/Java and JML. Technical report, University of Nijmegen (2004); NIII Technical Report NIII-R0413
Coverity. Coverity Prevent (2009), http://www.coverity.com
Czeranski, J., Eisenbarth, T., Kienle, H., Koschke, R., Simon, D.: Analyzing xfig Using the Bauhaus Tool. In: Working Conference on Reverse Engineering, pp. 197–199. IEEE Computer Society Press, Los Alamitos (2000)
Dennis, G., Yessenov, K., Jackson, D.: Bounded Verification of Voting Software. In: Shankar, N., Woodcock, J. (eds.) VSTTE 2008. LNCS, vol. 5295, pp. 130–145. Springer, Heidelberg (2008)
Enck, W., Ongtang, M., McDaniel, P.: Understanding Android Security. IEEE Security and Privacy 7(1), 50–57 (2009)
Fortify Software. Fortify Source Code Analyzer (2009), http://www.fortify.com/products/
Garey, M.R., Johnson, D.S.: Computers and Intractability. Freeman, San Francisco (1979)
Jürjens, J., Shabalin, P.: Automated verification of UMLsec models for security requirements. In: Baar, T., Strohmeier, A., Moreira, A., Mellor, S.J. (eds.) UML 2004. LNCS, vol. 3273, pp. 365–379. Springer, Heidelberg (2004)
Ashcraft, K., Engler, D.-R.: Using Programmer-Written Compiler Extensions to Catch Security Holes. In: IEEE Symposium on Security and Privacy, pp. 143–159 (2002)
Koschke, R., Simon, D.: Hierarchical Reflexion Models. In: Working Conference on Reverse Engineering, pp. 36–45. IEEE Computer Society Press, Los Alamitos (2003)
Livshits, V.B., Lam, M.S.: Finding Security Vulnerabilities in Java Applications Using Static Analysis. In: Proceedings of the 14th USENIX Security Symposium (August 2005)
McGraw, G.: Software Security: Building Security In. Addison-Wesley, Reading (2006)
Ounce Labs Inc. Website (2009), http://www.ouncelabs.com/
Raza, A., Vogel, G., Plödereder, E.: Bauhaus - A Tool Suite for Program Analysis and Reverse Engineering. In: Pinho, L.M., González Harbour, M. (eds.) Ada-Europe 2006. LNCS, vol. 4006, pp. 71–82. Springer, Heidelberg (2006)
Sun Microsystems. The Java EE 5 Tutorial (2008), http://java.sun.com/javaee/5/docs/tutorial/doc/bnclz.html
Universitaet Stuttgart. Project Bauhaus—Software Architecture, Software Reengineering, and Program Understanding (2009), http://www.bauhaus-stuttgart.de/bauhaus/index-english.html
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sohr, K., Berger, B. (2010). Idea: Towards Architecture-Centric Security Analysis of Software. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-642-11747-3_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer ScienceComputer Science (R0)