DOI: 10.1145/3387940.3392222
short-paper

Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems

Published: 25 September 2020

Abstract

Architecture-first approaches are increasingly adopted to address resiliency requirements in critical systems. In these approaches, the system is built from the ground up to be resilient, starting with the system's architecture design. It is therefore crucial to ensure that the architecture design is robust and free of flaws that could compromise the system's ability to detect, prevent, react to, or recover from adverse conditions such as cyber-attacks. In this paper, we describe our ongoing efforts to aid software architects in designing cyber-resilient systems by automatically detecting weaknesses in their architectural models.


Published In

ICSEW'20: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops
June 2020
831 pages
ISBN: 9781450379632
DOI: 10.1145/3387940

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Architectural flaws
  2. Architecture Analysis and Design Language
  3. Automated Architectural Weaknesses Detection

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

ICSE '20
ICSE '20: 42nd International Conference on Software Engineering
June 27 - July 19, 2020
Seoul, Republic of Korea

Cited By

  • (2023) Program Synthesis for Cyber-Resilience. IEEE Transactions on Software Engineering 49:3 (962-972). DOI: 10.1109/TSE.2022.3168672. Online publication date: 1-Mar-2023
  • (2023) Sarch-Knows: A Knowledge Graph for Modeling Security Scenarios at the Software Architecture Level. Software Architecture. ECSA 2023 Tracks, Workshops, and Doctoral Symposium (107-119). DOI: 10.1007/978-3-031-66326-0_7. Online publication date: 18-Sep-2023
  • (2023) A Methodological Approach to Verify Architecture Resiliency. Software Architecture. ECSA 2022 Tracks and Workshops (321-336). DOI: 10.1007/978-3-031-36889-9_22. Online publication date: 16-Jul-2023
  • (2023) Continuous Alignment Between Software Architecture Design and Development in CI/CD Pipelines. Software Architecture (69-86). DOI: 10.1007/978-3-031-36847-9_4. Online publication date: 3-Jun-2023
  • (2021) Automatically Identifying Bug Reports with Tactical Vulnerabilities by Deep Feature Learning. 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE) (333-344). DOI: 10.1109/ISSRE52982.2021.00043. Online publication date: Oct-2021
