Abstract
Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.
Model-based security analysis of feature-oriented software product lines
GPCE 2018: Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences