Detecting Encryption Vulnerabilities By Coupling Architectural Analyses and Source Code Analyses

Architectural security analyses calculate security vulnerabilities by evaluating architectural security design models comprising the system architecture and security-related information. The architectural analysis is performed before the implementation phase to avoid implementing a vulnerable system. Consequentially, the architectural vulnerabilities are calculated based on the assumption that the implementation complies with the specified system. When the implementation does not comply with the security design models, the architectural analysis may miss vulnerabilities in the final system. We address this problem by presenting an approach for analysis coupling, which allows the architectural analysis to be performed with information about security weaknesses regarding data encryption in the implementation detected by a source code analysis searching for predefined patterns. We perform a case study-based evaluation of the accuracy to detect architectural vulnerabilities arising from weaknesses in the implementation. In this evaluation, we apply the coupling approach to couple an architectural analysis with three source code analyses and apply them to three systems containing encryption-related weaknesses. ... mehrOur evaluation shows that the coupling enables the detection of architectural vulnerabilities that are not detectable when performing the architectural analysis in isolation. However, the evaluation shows negative impacts of our coupling approach by missing existing vulnerabilities or reporting not existing vulnerabilities.