Automatic Derivation of Vulnerability Models for Software Architectures

Software architectures consist of more and more connections to different components or elements. With the increased connection and exchange between different elements also the attack surface increases, since each element might contain vulnerabilities. The vulnerabilities may be harmless on their own, but attackers could develop attack paths from the combination of different vulnerabilities. For a model-based attack propagation analysis, it is useful to have an annotated components model with vulnerabilities. However, depending on the size of the system, the manual annotation of these models is very time-consuming and error-prone. In this context, we present in this paper an approach that automatically annotates vulnerability information to the components of an architectural model. The goal here is to extract security information of source artifacts and transform them into an existing architecture-based security model to enable model-based security risk assessment. We evaluate our approach using three open-source case studies to demonstrate feasibility and accuracy. The results indicate high recall reading vulnerabilities.