DOI: 10.1145/3382025.3414952
Research article, SPLC Conference Proceedings

AMADEUS: towards the AutoMAteD secUrity teSting

Published: 19 October 2020

Abstract

Properly configuring systems has become a fundamental factor in avoiding cybersecurity risks. Analysing cybersecurity vulnerabilities is therefore a mandatory task, but the number of vulnerabilities and of system configurations that can be threatened is extremely high. In this paper, we propose a method that uses software product line techniques to analyse the vulnerable configurations of systems. We propose a solution, entitled AMADEUS, to enable and support the automatic analysis and testing of cybersecurity vulnerabilities of system configurations based on feature models. AMADEUS is a holistic solution that automates the analysis of an organisation's specific infrastructure, of the existing vulnerabilities, and of the possible configurations extracted from vulnerability repositories. Using this information, AMADEUS automatically generates feature models, which are then used by reasoning capabilities to extract knowledge, for example to determine the attack vectors that involve certain features. AMADEUS has been validated by demonstrating the capacity of feature models to support a threat scenario involving a wide variety of vulnerabilities extracted from a real repository. Furthermore, we open the door to new applications in which software product line engineering and cybersecurity can reinforce each other.



Published In

SPLC '20: Proceedings of the 24th ACM Conference on Systems and Software Product Line: Volume A
October 2020, 323 pages
ISBN: 9781450375696
DOI: 10.1145/3382025
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. cybersecurity
  2. feature model
  3. pentesting
  4. reasoning
  5. testing
  6. vulnerabilities
  7. vulnerable configuration

Qualifiers

  • Research-article

Funding Sources

  • Junta de Andalucía
  • Ministerio de Ciencia e Innovación

Conference

SPLC '20

Acceptance Rates

SPLC '20 paper acceptance rate: 17 of 49 submissions (35%)
Overall acceptance rate: 167 of 463 submissions (36%)


Cited By

  • (2024) Position Paper: Leveraging Large Language Models for Cybersecurity Compliance. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 496-503. DOI: 10.1109/EuroSPW61312.2024.00061. Online publication date: 8 Jul 2024.
  • (2022) Advisory. Proceedings of the 26th ACM International Systems and Software Product Line Conference - Volume B, 99-102. DOI: 10.1145/3503229.3547058. Online publication date: 12 Sep 2022.
  • (2022) Security versus Compliance: An Empirical Study of the Impact of Industry Standards Compliance on Application Security. International Journal of Software Engineering and Knowledge Engineering 32(03), 363-393. DOI: 10.1142/S0218194022500152. Online publication date: 21 Apr 2022.
  • (2021) Safety, security, and configurable software systems. Proceedings of the 25th ACM International Systems and Software Product Line Conference - Volume A, 148-159. DOI: 10.1145/3461001.3471147. Online publication date: 6 Sep 2021.
  • (2021) CARMEN. Computers in Industry 132:C. DOI: 10.1016/j.compind.2021.103524. Online publication date: 1 Nov 2021.
