Consistency Management for Security Annotations for Continuous Verification

Analyses on the architecture of systems can yield valuable insights into a system even before it is built. The applicability of the results of these design time analyses to the system requires the system to be built according to its specification, i.e., to not violate constraints defined on the architecture. The conformance of the results of static code analyses and design time analyses ensures the system is built according to its specification. The first step for conforming results of these analyses is to ensure that the system and its specification is represented consistently in the input of the design time analysis and static code analysis, i.e., they comprise corresponding system elements and specifications for them. To achieve conforming inputs, we used consistency specifications between architecture and code models and implemented them between annotation models that enrich the architecture description with security annotations on the architecture level, as well as security annotations on the code level. This allows the continuous conformance checking during implementation and later during evolution of the system. We implemented the consistency specifications in the Vitruvius framework for an ADL and Java and tested it on case studies.