Similar Literature
1.
An Object-Oriented Threat Modeling Method   Cited by: 3 (self-citations: 0, others: 3)
To improve the trustworthiness of software design, an object-oriented threat modeling method is proposed that captures threats present not only in data flows but also in control flows. Based on attack paths, threats are evaluated more accurately from a cost-benefit perspective; mitigation schemes are formulated and prioritized according to the evaluation results, and the mitigations are applied to improve the software design, effectively mitigating threats and strengthening system security. An object-oriented threat modeling tool is implemented and validated with an example.

2.
Measuring software security is a key foundation for developing secure software products and carrying out software security improvements. Based on the attack surface method proposed by Manadhata et al. (MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386) and combined with information entropy theory, a software security measurement method that joins information entropy with the attack surface is proposed. It applies the information-entropy computation to assess the threat posed by each resource of the software attack surface, thereby providing targeted quantitative weights for the threat indicators. On this basis, software security measurement is achieved by computing the indicator values of each attack surface resource. Finally, a concrete case analysis shows that the combined information-entropy and attack-surface method can be applied effectively to both secure software development and software security improvement: for software under design and development it points out the security threats that may exist and helps avoid vulnerabilities in the product early, while for software that is already developed and awaiting security improvement it indicates clear directions for improvement.

3.
Security is a critical issue for software systems, especially for those systems which are connected to networks and the Internet, since most of them suffer from various malicious attacks. Intrusion detection is an approach to protect software against such attacks. However, security vulnerabilities that are exploited by intruders cut across multiple modules in software systems and are difficult to address and monitor. These kinds of concerns, called cross-cutting concerns, can be handled by aspect-oriented software development (AOSD) for better modularization. A number of works have utilized AOSD to address security issues of software systems, but none of them has employed AOSD for intrusion detection. In this paper, we propose a model-based aspect-oriented framework for building intrusion-aware software systems. We model attack scenarios and intrusion detection aspects using an aspect-oriented Unified Modeling Language (UML) profile. Based on the UML model, the intrusion detection aspects are implemented and woven into the target system. The resulting target system has the ability to detect the intrusions automatically. We present an experimental evaluation by applying this framework to some of the most common attacks included in the Web Application Security Consortium (WASC) web security threat classification. The experimental results demonstrate that the framework is effective in specifying and implementing intrusion detection and can be applied to a wide range of attacks.

4.
To build more secure software and to bridge the gap between software developers and security experts, the modeling of software security concerns has received growing attention. Drawing on the respective modeling strengths of attack trees and Petri nets, an attack-tree-based Petri net model is proposed to model the security threats within software security concerns; aspect-oriented Petri nets are then used to mitigate and analyze the model, giving software developers a model that is simple, intuitive, and amenable to automated analysis.

5.
Software Security Testing Methods and Tools   Cited by: 1 (self-citations: 0, others: 1)
As software is applied ever more widely and grows in scale and complexity, the security defects and vulnerabilities in software keep increasing, and software security has become an increasingly prominent problem. Software security testing is an important means of ensuring software security and reducing software security risk. This paper discusses the characteristics and content of software security testing, focuses on the main software security testing methods and tools in China and abroad, analyzes the advantages, disadvantages, and applicable scope of each method, proposes a classification of security testing tools, summarizes current research, and points out the key research topics and development directions for future software security testing technology.

6.
Design-level vulnerabilities are a major source of security risks in software. To improve trustworthiness of software design, this paper presents a formal threat-driven approach, which explores explicit behaviors of security threats as the mediator between security goals and applications of security features. Security threats are potential attacks, i.e., misuses and anomalies that violate the security goals of systems' intended functions. Security threats suggest what, where, and how security features for threat mitigation should be applied. To specify the intended functions, security threats, and threat mitigations of a security design as a whole, we exploit aspect-oriented Petri nets as a unified formalism. Intended functions and security threats are modeled by Petri nets, whereas threat mitigations are modeled by Petri net-based aspects due to the incremental and crosscutting nature of security features. The unified formalism facilitates verifying correctness of security threats against intended functions and verifying absence of security threats from integrated functions and threat mitigations. As a result, our approach can make software design provably secure against anticipated security threats and, thus, significantly reduce design-level vulnerabilities. We demonstrate our approach through a systematic case study on the threat-driven modeling and verification of a real-world shopping cart application.

7.
Software security becomes a critically important issue for software development as more and more malicious attacks exploit the security holes in software systems. To avoid security problems, a large software system design may reuse good security solutions by applying security patterns. Security patterns document expert solutions to common security problems and capture best practices on secure software design and development. Although each security pattern describes a good design guideline, the compositions of these security patterns may be inconsistent and encounter problems and flaws. Therefore, the compositions of security patterns may even be insecure. In this paper, we present an approach to automated verification of the compositions of security patterns by model checking. We formally define the behavioral aspect of security patterns in CCS through their sequence diagrams. We also prove the faithfulness of the transformation from a sequence diagram to its CCS representation. In this way, the properties of the security patterns can be checked by a model checker when they are composed. Composition errors and problems can be discovered early in the design stage. We also use two case studies to illustrate our approach and show its capability to detect composition errors.

8.
Software systems are seen more and more as evolving systems. At the design phase, software is constantly being adapted by the building process itself, and at runtime, it can be adapted in response to changing conditions in the executing environment such as location or resources. Adaptation is generally difficult to specify because of its cross-cutting impact on software. This article introduces an approach to unify adaptation at design time and at runtime based on Aspect Oriented Modeling. Our approach proposes a unified aspect metamodel and a platform that realizes two different weaving processes to achieve design and runtime adaptations. This approach is used in a Dynamic Software Product Line which derives products that can be configured at design time and adapted at runtime in order to dynamically fit new requirements or resource changes. Such products are implemented using the Service Component Architecture and Java. Finally, we illustrate the use of our approach based on an adaptive e-shopping scenario. The main advantages of this unification are: a clear separation of concerns, a self-contained aspect model that can be woven during both design and execution, and the platform independence guaranteed by two different types of weaving.

9.
Whereas traditional testing focuses mainly on the positive requirements of software, security testing focuses mainly on its negative requirements. Threat-model-based software security testing tests software from the attacker's perspective. Security threats are modeled with UML sequence diagrams; message sequences are derived from the threat models, and threat behavior traces are derived from the message sequences. Once coding is complete, the code is instrumented to record the method calls and execution traces at run time. Test cases are designed, the instrumented program is executed and its run-time execution traces are recorded, and the recorded execution traces are compared with the threat behavior traces derived from the model to determine whether the program contains threat behaviors that violate the security policy.

10.
In recent years, attacks against government agencies, industrial facilities, and large corporate networks have occurred one after another, and cyberspace security has become an overarching issue bearing on national stability, social order, and economic prosperity. Advanced Persistent Threats (APT) have gradually evolved into a combination of various social engineering attacks and zero-day exploitation and have become one of the most serious cyberspace security threats. Current APT research focuses on finding reliable attack features and improving detection accuracy; because complex and massive data easily conceal APT features, obtaining reliable data has become much harder, and how to detect APT attacks as early as possible and trace them back to APT families is a hot topic among researchers. On this basis, this paper proposes an APT attack path reconstruction and prediction method. First, drawing on the idea of software genes, an APT malware gene model and a gene similarity detection algorithm are designed to build a malicious-behavior gene library; samples are gene-tested against this library to extract reliable malicious features, solving the problem of obtaining reliable data. Second, to reconstruct and predict APT attack paths, a hidden Markov model (HMM) is applied to the APT malicious behavior chain: features generated from the malicious-behavior gene library are used to construct malicious behavior chains and estimate the model parameters, and the APT attack path is then reconstructed and predicted, with prediction accuracy above 90%. Finally, the HMM and gene-detection methods are applied to malware ...

11.
Software security issues have been a major concern in the cyberspace community, so a great deal of research on security testing has been performed, and various security testing techniques have been developed. Threat modeling provides a systematic way to identify threats that might compromise security, and it has been a well-accepted practice in industry, but test case generation from threat models has not been addressed yet. Thus, in this paper, we propose a threat model-based security testing approach that automatically generates security test sequences from threat trees and transforms them into executable tests. The security testing approach we consider broadly consists of three activities: building threat models with threat trees; generating security test sequences from threat trees; and creating executable test cases by considering valid and invalid inputs. To support our approach, we implemented security test generation techniques, and we also conducted an empirical study to assess the effectiveness of our approach. The results of our study show that our threat tree-based approach is effective in exposing vulnerabilities. Copyright © 2012 John Wiley & Sons, Ltd.

12.
Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking's importance, but they need some help in understanding how to tackle it. The article aims to provide that help by exploring software security best practices. A central and critical aspect of the computer security problem is a software problem. Software defects with security ramifications, including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling, promise to be with us for years. All too often, malicious intruders can hack into systems by exploiting software defects. Internet-enabled software applications present the most common security risk encountered today, with software's ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing.

13.
Existing studies on the detection of mobile malware have focused mainly on static analyses performed to examine the code-structure signature of viruses, rather than the dynamic behavioral aspects. By contrast, the unidentified behavior of new mobile viruses that use self-modification, polymorphic, and mutation techniques to produce variants has largely been ignored. The problem of precision in malware variant detection has become one of the key concerns in mobile security. Accordingly, the present study proposes a threat risk analysis model for mobile viruses, using a heuristic approach incorporating both malware behavior analysis and code analysis to generate a virus behavior ontology associated with the Protégé platform. The proposed model can not only explicitly identify an attack profile in accordance with the structural signature of mobile viruses, but also overcome the uncertainty regarding the probability of an attack being successful. The model achieves this by extending frequent episode rules to investigate the attack profile of a given malware, using specific event sequences associated with the sandbox technique for mobile applications (apps) and hosts. For probabilistic analysis, defense evaluation metrics for each node were used to simulate the results of an attack. The simulations focused specifically on the attack profile of a botnet to assess the threat risk. The validity of the proposed approach was demonstrated numerically using two malware cyber-attack examples. Overall, the results presented in this paper show that the proposed scheme offers an effective countermeasure, evaluated using a set of security metrics, for mitigating network threats by considering the interaction between attack profiles and defense needs.

14.
Summarizes work initiated at the National Cybersecurity Summit, held 2-3 December 2003 in Santa Clara, California. Attendees representing industry, academia, and the US Department of Homeland Security (DHS) formed five task forces to focus on specific topic areas. This report describes the key problems and recommendations identified by the Software Process subgroup of the "Security Across the Software Development Lifecycle" task force. Producing secure software is a multifaceted problem of software engineering, security engineering, and management. Thus, producing secure software starts with outstanding software engineering practices, augmented with sound technical practices, and supported by management practices that promote secure software development. We discuss these practices.

15.
蔡建平, 许文瑛. 《软件》, 2012, 33(4): 112-114, 117
In view of the rapid development of the IT industry, the wide application and penetration of the Internet, and the continual emergence of new threat patterns, and drawing on a comparative analysis with traditional software quality, this paper proposes trusted software programming computation as an important factor in information security. It focuses on the analysis, computation, and measurement of code trustworthiness, covering quality characteristics such as software complexity, usability, and reliability as well as trustworthiness attributes, which is of considerable practical significance and value for software quality assurance and information security.

16.
Brute-Force Attack on the SMS4 Block Cipher and a Simulated Implementation   Cited by: 1 (self-citations: 0, others: 1)
The security of an encryption algorithm depends to a large extent on the infeasibility of brute-force attack, and brute-force attack on encryption algorithms is an important direction of cryptographic research. This paper uses a distributed computing approach to design software for brute-force attack on the SMS4 encryption algorithm. A simulated brute-force attack on SMS4 was implemented within a local area network and the software's performance was tested. Finally, the software and the brute-force results for SMS4 are analyzed, and directions for further work are indicated.

17.
As a consequence of factors such as the progress made by attackers, the release of new technologies, and the use of increasingly complex systems, threats to application security have been continuously evolving. Security of code and privacy of data must be implemented in both design and programming practice to face such scenarios. In such a context, this paper proposes a software development approach, Privacy Oriented Software Development (POSD), that complements traditional development processes by integrating the activities needed for addressing security and privacy management in software systems. The approach is based on 5 key elements (Privacy by Design, Privacy Design Strategies, Privacy Pattern, Vulnerabilities, Context). The approach can be applied in two directions, forward and backward, for developing new software systems or re-engineering an existing one. This paper presents the POSD approach in the backward mode together with an application in the context of an industrial project. Results show that POSD is able to discover software vulnerabilities, identify the remediation patterns needed for addressing them in the source code, and design the target architecture to be used for guiding privacy-oriented system re-engineering.

18.
With the increasing size and complexity of software in embedded systems, software has now become a primary threat to reliability. Several mature conventional reliability engineering techniques exist in the literature, but traditionally these have primarily addressed failures in hardware components and usually assume the availability of a running system. Software architecture analysis methods aim to analyze the quality of software-intensive systems early, at the software architecture design level and before a system is implemented. We propose a Software Architecture Reliability Analysis Approach (SARAH) that benefits from mature reliability engineering techniques and scenario-based software architecture analysis to provide an early software reliability analysis at the architecture design level. SARAH defines the notion of a failure scenario model that is based on the Failure Modes and Effects Analysis method (FMEA) in the reliability engineering domain. The failure scenario model is applied to represent so-called failure scenarios that are utilized to derive fault tree sets (FTS). Fault tree sets are utilized to provide a severity analysis for the overall software architecture and the individual architectural elements. Unlike conventional reliability analysis techniques, which prioritize failures based on criteria such as safety concerns, in SARAH failure scenarios are prioritized based on severity from the end-user perspective. SARAH results in a failure analysis report that can be utilized to identify architectural tactics for improving the reliability of the software architecture. The approach is illustrated using an industrial case for analyzing the reliability of the software architecture of the next release of a Digital TV.

19.
Building on the proposed APDR information system security protection architecture model, this paper classifies the value levels of information in information systems and the maximum threat intensity each may face, and formulates corresponding security protection strategies for the corresponding security protection strength levels and security protection technology levels, which is of great significance for designing security protection architectures for information systems.

20.
Aspect-oriented modeling (AOM) emerged as a promising paradigm for handling crosscutting concerns, such as security, at the software modeling level. Most existing AOM contributions are presented from a practical perspective and lack formal syntax and semantics. In this paper, we present a practical and formal AOM framework for software security hardening. Our contributions are threefold. First, we define an AOM approach for the specification of security aspects at the unified modeling language (UML) design level. Second, we design and implement the matching and the weaving processes into UML design models. Third, we elaborate formal specifications for aspect matching and weaving in UML activity diagrams. Finally, we demonstrate the viability and the relevance of our propositions using a case study. The proposed framework is supported by a tool built on top of IBM-Rational Software Modeler.

Copyright © 北京勤云科技发展有限公司  京ICP备09084417号