DOI: 10.1145/2000259.2000281
research-article

Modeling security attacks with statecharts

Published: 20 June 2011

Abstract

Software security is becoming a key quality concern as software applications are increasingly being used in untrustworthy computing environments such as the internet. Software is designed with the mindset of its functionalities and cost, where the focus is on the operational behavior while security concerns are neglected or marginally considered. As a result, software engineers build the software while lacking the knowledge about security and its effect on the system. This paper presents an approach for modeling the behavior of security threats using statecharts. The proposed approach introduces modular design for representing threats through the use of components and reusability. Through the focus on the behavior of an attack, software engineers can clearly define and understand security concerns as the application is being designed and developed. In addition, modeling security threats with statecharts makes it convenient to build a consistent semantic link between functional behaviors and security concerns.

Published In

QoSA-ISARCS '11: Proceedings of the joint ACM SIGSOFT conference -- QoSA and ACM SIGSOFT symposium -- ISARCS on Quality of software architectures -- QoSA and architecting critical systems -- ISARCS
June 2011
206 pages
ISBN:9781450307246
DOI:10.1145/2000259
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attack trees
  2. software design
  3. software security
  4. statecharts
  5. threat modeling

Qualifiers

  • Research-article

Conference

Comparch '11
Acceptance Rates

Overall Acceptance Rate 46 of 131 submissions, 35%

Cited By

  • (2019) An approach for guiding developers in the choice of security solutions and in the generation of concrete test cases. Software Quality Journal, 27:2 (675-701). DOI: 10.1007/s11219-018-9438-2. Online publication date: 18-Jul-2019
  • (2018) Current Taxonomy of Information Security Threats in Software Development Life Cycle. 2018 IEEE 12th International Conference on Application of Information and Communication Technologies (AICT) (1-6). DOI: 10.1109/ICAICT.2018.8747065. Online publication date: Oct-2018
  • (2018) A review of attacks and security approaches in open multi-agent systems. Artificial Intelligence Review, 42:4 (607-636). DOI: 10.1007/s10462-012-9343-1. Online publication date: 28-Dec-2018
  • (2012) System Modeling with UML State Machines. Handbook of Finite State Based Models and Applications (371-386). DOI: 10.1201/b13055-19. Online publication date: 29-Nov-2012
