TL;DR
This paper presents a semi-automatic method to verify that security mechanisms designed at the model level are correctly implemented in code, reducing manual effort and errors in security compliance checks.
Contribution
It introduces the first semi-automatic technique for security compliance verification between design models and code, using heuristic-based mappings and static analysis.
Findings
Effective in identifying security compliance violations
Automated mappings facilitate security analysis
Validated on open source Java projects
Abstract
It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence potential security flaws in the code. These mappings enable an automated, and project-specific static analysis of the implementation with respect…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
