An Architecture-Centric Approach to Detecting Security Patterns in Software

  • Michaela Bunke
  • Karsten Sohr
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)

Abstract

Today, software security is an issue of increasing importance. Developers, software designers, end users, and enterprises each have their own needs with respect to software security. Therefore, when designing software, security should be built in from the beginning, for example, by using security patterns. Utilizing security patterns already improves the security of software in early software development stages. In this paper, we show how to detect security patterns in code with the help of the reverse engineering tool suite Bauhaus. Specifically, we describe an approach to detect the Single Access Point security pattern in two case studies using the hierarchical reflexion method implemented in Bauhaus.
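To make the detection approach concrete, the following Python script is an added illustration of a reflexion-model check for the Single Access Point pattern; it is not code from the paper or from Bauhaus. It assumes a hypothesized architecture (clients may reach the protected core only through the access point), a constructed mapping from hypothetical class names to architectural components, and a constructed set of code-level dependencies such as a fact extractor would deliver. Lifting the code dependencies to the component level and comparing them with the hypothesized model yields convergences, divergences and absences; a divergence into the protected core from anything but the access point is exactly a bypass of the pattern. The hierarchical step collapses leaf components into subsystems so the same check can be read one level up, which is the idea behind the hierarchical reflexion method the abstract names.

```python
"""Added illustration (not the paper's or Bauhaus's code): a minimal reflexion-model
check, used to test whether code respects a Single Access Point architecture."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

Edge = Tuple[str, str]  # (from_component, to_component)


@dataclass
class ReflexionResult:
    convergences: Set[Edge] = field(default_factory=set)  # hypothesized and present in code
    divergences: Set[Edge] = field(default_factory=set)   # present in code, not hypothesized
    absences: Set[Edge] = field(default_factory=set)      # hypothesized, not present in code


def lift(source_edges: Iterable[Edge], mapping: Dict[str, str]) -> Set[Edge]:
    """Lift code-level dependencies (e.g. call/use edges between classes) to the
    component level via the entity-to-component mapping. Edges with an unmapped
    endpoint are skipped; edges inside one component are not architectural."""
    lifted: Set[Edge] = set()
    for src, dst in source_edges:
        if src in mapping and dst in mapping:
            a, b = mapping[src], mapping[dst]
            if a != b:
                lifted.add((a, b))
    return lifted


def collapse(edges: Iterable[Edge], parent: Dict[str, str]) -> Set[Edge]:
    """Hierarchical step: replace each component by its parent subsystem (if any)
    so the model can be compared one level up; intra-subsystem edges vanish."""
    out: Set[Edge] = set()
    for a, b in edges:
        pa, pb = parent.get(a, a), parent.get(b, b)
        if pa != pb:
            out.add((pa, pb))
    return out


def reflexion(hypothesized: Iterable[Edge], lifted: Iterable[Edge]) -> ReflexionResult:
    """Classic reflexion model: compare hypothesized against lifted dependencies."""
    hyp, code = set(hypothesized), set(lifted)
    return ReflexionResult(convergences=code & hyp,
                           divergences=code - hyp,
                           absences=hyp - code)


def bypasses(result: ReflexionResult, protected: str, access_point: str) -> Set[Edge]:
    """Divergences that reach the protected component without passing the single
    access point: the violations that matter for this pattern."""
    return {(a, b) for a, b in result.divergences if b == protected and a != access_point}


# Hypothesized Single Access Point architecture (an assumption made for this example):
# clients talk only to the access point, which validates the session and forwards
# requests to the protected core.
HYPOTHESIZED: Set[Edge] = {
    ("Client", "AccessPoint"),
    ("AccessPoint", "SessionCheck"),
    ("AccessPoint", "ProtectedCore"),
}
# One level up: AccessPoint and SessionCheck form a Gateway subsystem, the
# ProtectedCore sits in the Server subsystem, Client stays as it is.
PARENT: Dict[str, str] = {"AccessPoint": "Gateway", "SessionCheck": "Gateway",
                          "ProtectedCore": "Server"}
# Constructed mapping from hypothetical class names to components.
MAPPING: Dict[str, str] = {
    "ui.LoginDialog": "Client",
    "ui.QuickBalance": "Client",
    "gate.Login": "AccessPoint",
    "session.Validator": "SessionCheck",
    "core.AccountService": "ProtectedCore",
}
# Constructed code-level dependencies, as a fact extractor would report them.
SOURCE_EDGES: Set[Edge] = {
    ("ui.LoginDialog", "gate.Login"),
    ("gate.Login", "core.AccountService"),
    ("ui.QuickBalance", "core.AccountService"),   # goes around the access point
}


def analyse() -> Tuple[ReflexionResult, ReflexionResult]:
    """Reflexion model at the leaf (component) level and at the subsystem level."""
    lifted = lift(SOURCE_EDGES, MAPPING)
    leaf = reflexion(HYPOTHESIZED, lifted)
    top = reflexion(collapse(HYPOTHESIZED, PARENT), collapse(lifted, PARENT))
    return leaf, top


if __name__ == "__main__":
    leaf, top = analyse()
    for name, res in (("component level", leaf), ("subsystem level", top)):
        print(f"{name}: convergences={sorted(res.convergences)}")
        print(f"  divergences={sorted(res.divergences)} absences={sorted(res.absences)}")
    print("access-point bypasses:", sorted(bypasses(leaf, "ProtectedCore", "AccessPoint")))
```

At the component level the check reports the missing session validation as an absence and the direct `ui.QuickBalance` call into the core as a divergence; at the subsystem level the absence disappears (it lies inside the Gateway) while the bypass remains visible as `Client -> Server`, which is why the hierarchical view is useful for reviewing a pattern at the granularity at which it was specified.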

Keywords

Protect System, Design Pattern, Software Architecture, Reverse Engineering, Program Comprehension
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michaela Bunke (1)
  • Karsten Sohr (1)
  1. Technologie-Zentrum Informatik, Bremen, Germany