Automatic Derivation of Vulnerability Models for Software Architectures

Kirschner, Yves R. 1; Walter, Maximilian 1; Bossert, Florian 2; Heinrich, Robert 1; Koziolek, Anne 1
1 Institut für Informationssicherheit und Verlässlichkeit (KASTEL), Karlsruher Institut für Technologie (KIT)
2 Karlsruher Institut für Technologie (KIT)

Abstract (English):

Software architectures consist of more and more connections to different components or elements. As the connections and exchange between different elements increase, the attack surface also increases, since each element might contain vulnerabilities. The vulnerabilities may be harmless on their own, but attackers could develop attack paths from the combination of different vulnerabilities. For a model-based attack propagation analysis, it is useful to have a component model annotated with vulnerabilities. However, depending on the size of the system, the manual annotation of these models is very time-consuming and error-prone. In this context, we present in this paper an approach that automatically annotates the components of an architectural model with vulnerability information. The goal here is to extract security information from source artifacts and transform it into an existing architecture-based security model to enable model-based security risk assessment. We evaluate our approach using three open-source case studies to demonstrate feasibility and accuracy. The results indicate high recall in reading vulnerabilities.

Postprint
DOI: 10.5445/IR/1000158242
Published on 27.04.2023
DOI: 10.1109/ICSA-C57050.2023.00065
Citations: 6
Affiliated institution(s) at KIT Institut für Informationssicherheit und Verlässlichkeit (KASTEL)
Publication type Proceedings contribution
Publication month/year 03.2023
Language English
Identifier ISBN: 978-1-6654-6460-4
KITopen-ID: 1000158242
HGF program 46.23.03 (POF IV, LK 01) Engineering Security for Mobility Systems
Published in 2023 IEEE 20th International Conference on Software Architecture Companion (ICSA-C), L'Aquila, Italy, 13-17 March 2023
Event 20th IEEE International Conference on Software Architecture (ICSA 2023), L'Aquila, Italy, 13.03.2023 – 17.03.2023
Publisher Institute of Electrical and Electronics Engineers (IEEE)
Pages 276–283
Indexed in Scopus
