Info: Zenodo’s user support line is staffed on regular business days between Dec 23 and Jan 5. Response times may be slightly longer than normal.

Published October 27, 2021 | Version v1
Conference paper Open

Threat Modeling Knowledge for the Maritime Community

  • 1. University of Bremen, Bremen, Germany

Description

Architectural risk analysis is a manual technique to identify architectural security flaws that undermine a software system’s security concept. The Architectural Security Tool Suite ArchSec automates this process by applying static analyses to automatically extract architectural security views and employing a knowledge base to automatically detect application-independent architectural security flaws. This paper presents how ArchSec was extended to check existing BPMN diagrams for applicationdependent security flaws. Therefore, a model-driven approach is used to generate a knowledge base automatically. This generated knowledge base hosts rules checking an authorisation policy raised for a port community system (PCS). Then, the application-independent and the application-specific knowledge base were applied to BPMN diagrams of the mentioned PCS. The check successfully identified problems within the analysed system. Nevertheless, the generated knowledge base is application-specific, but it is transferable to other software systems interacting with the PCS system, creating a first domain-specific knowledge base for the port community.

Files

Threat Modeling Knowledge for the Maritime Community.pdf

Files (153.5 kB)

Additional details

References

  • F. Swiderski and W. Snyder, Threat Modeling. USA: Microsoft Press, 2004.
  • M. Howard and S. Lipner, The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, May 2006.
  • S. Rehman and K. Mustafa, "Research on Software Design Level Security Vulnerabilities," SIGSOFT Softw. Eng. Notes, vol. 34, no. 6, pp. 1–5, Dec. 2009. [Online]. Available: https://doi.org/10.1145/1640162.1640171
  • M. Almorsy, J. Grundy, and A. S. Ibrahim, "Automated Software Architecture Security Risk Analysis Using Formalized Signatures," in Proceedings of the 2013 International Conference on Software Engineering, ser. ICSE '13. IEEE Press, 2013, pp. 662–671. [Online]. Available: https://doi.org/10.1109/ICSE.2013.6606612
  • E. Khalaj, R. Vanciu, and M. Abi-Antoun, "Is There Value in Reasoning about Security at the Architectural Level: A Comparative Evaluation," in Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, ser. HotSoS '14. New York, NY, USA: Association for Computing Machinery, 2014. [Online]. Available: https://doi.org/10.1145/2600176.2600206
  • A. Shostack, Threat Modeling: Designing for Security, 1st ed. Wiley Publishing, 2014.
  • B. J. Berger, K. Sohr, and R. Koschke, "The Architectural Security Tool Suite — ARCHSEC," in 19th International Working Conference on Source Code Analysis and Manipulation, SCAM 2019, Cleveland, OH, USA, September 30 - October 1, 2019. IEEE, 2019, pp. 250–255. [Online]. Available: https://doi.org/10.1109/SCAM.2019.00035
  • "Automatically Extracting Threats from Extended Data Flow Diagrams," in Engineering Secure Software and Systems - 8th International Symposium, ESSoS 2016, London, UK, April 6-8, 2016. Proceedings, ser. Lecture Notes in Computer Science, J. Caballero, E. Bodden, and E. Athanasopoulos, Eds., vol. 9639. Springer, 2016, pp. 56–71. [Online]. Available: https://doi.org/10.1007/978-3-319-30806-7\_4
  • M. Abi-Antoun and J. M. Barnes, "Analyzing Security Architectures," in Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ser. ASE '10. New York, NY, USA: Association for Computing Machinery, 2010, pp. 3–12. [Online]. Available: https://doi.org/10.1145/1858996.1859001
  • R. Vanciu and M. Abi-Antoun, "Finding Architectural Flaws in Android Apps is Easy," in Proceedings of the 2013 Companion Publication for Conference on Systems, Programming, & Applications: Software for Humanity, ser. SPLASH '13. New York, NY, USA: Association for Computing Machinery, 2013, pp. 21–22. [Online]. Available: https://doi.org/10.1145/2508075.2514574
  • "Finding Architectural Flaws Using Constraints," in Proceedings of the 28th IEEE/ACM International Conference on Automated Software Engineering, ser. ASE'13. IEEE Press, 2013, pp. 334–344. [Online]. Available: https://doi.org/10.1109/ASE.2013.6693092
  • P. Antonino, S. Duszynski, C. Jung, and M. Rudolph, "Indicator-Based Architecture-Level Security Evaluation in a Service-Oriented Environment," in Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, ser. ECSA '10. New York, NY, USA: Association for Computing Machinery, 2010, pp. 221–228. [Online]. Available: https://doi.org/10.1145/1842752.1842795
  • K. Tuma, D. Hosseini, K. Malamas, and R. Scandariato, "Inspection Guidelines to Identify Security Design Flaws," in Proceedings of the 13th European Conference on Software Architecture - Volume 2, ser. ECSA '19. New York, NY, USA: Association for Computing Machinery, 2019, pp. 116–122. [Online]. Available: https://doi.org/10.1145/3344948.3344995
  • L. Sion, K. Tuma, R. Scandariato, K. Yskout, and W. Joosen, "Towards Automated Security Design Flaw Detection," in 2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW), 2019, pp. 49–56. [Online]. Available: https://doi.org/10.1109/ASEW.2019.00028