Detecting Information Flow Security Vulnerabilities by Analysis Coupling

Security vulnerabilities originating from insecure information flows can violate the confidentiality of data, thereby negatively impacting individuals and service providers. This challenge gave rise to design-level analyses and source code analyses investigating information flow-related vulnerabilities. Architectural analysis, a type of design-level analysis, can detect security vulnerabilities by inspecting architectural models enriched with specifications of security-relevant information. However, the implementation may not comply with the architectural specification during software evolution. This non-compliance can result in the architectural analysis missing vulnerabilities. Consequently, vulnerabilities in the deployed system can be exploited, but the software engineers are left assuming the system to be secure. In this article, we address this problem of specification-related non-compliance by proposing a coupling approach that enables architectural analyses to use the values of security characteristics which are supplied from the implementation and retrieved by static source code analysis. Our coupling approach makes two contributions: a coupling process and the conditions necessary for the coupling (called integration conditions). ... mehrIn our coupling process, each process step performs transformations between the involved input and output models of the analyses. To enable the coupling, we define necessary integration conditions that must hold between the (meta)models of the analyses in the coupling. We generalize from specific analyses by specifying the integration conditions based on reference metamodels. In our evaluation, we inspect (1) the coverage of the reference metamodels by the metamodels of coupled analyses, (2) the coverage of the integration conditions by successful couplings, and (3) the accuracy of the coupled analysis in finding architectural vulnerabilities originating from a non-compliant implementation. The results of our case study show that the reference metamodels and the integration conditions are covered. We detect 60 true positive vulnerabilities and 5 false positive vulnerabilities. Upon this evidence, we conclude that the architectural analysis in the coupling is accurate in detecting vulnerabilities originating from non-compliant information flows in the implementation.