Deakin University

File(s) under permanent embargo

Automated software architecture security risk analysis using formalized signatures

conference contribution
posted on 2013-10-30, 00:00 authored by M Almorsy, John Grundy, Amani Ibrahim
Reviewing software system architecture to pinpoint potential security flaws before proceeding with system development is a critical milestone in secure software development lifecycles. This includes identifying possible attacks or threat scenarios that target the system and may result in breaching of system security. Additionally we may also assess the strength of the system and its security architecture using well-known security metrics such as system attack surface, Compartmentalization, least-privilege, etc. However, existing efforts are limited to specific, predefined security properties or scenarios that are checked either manually or using limited toolsets. We introduce a new approach to support architecture security analysis using security scenarios and metrics. Our approach is based on formalizing attack scenarios and security metrics signature specification using the Object Constraint Language (OCL). Using formal signatures we analyse a target system to locate signature matches (for attack scenarios), or to take measurements (for security metrics). New scenarios and metrics can be incorporated and calculated provided that a formal signature can be specified. Our approach supports defining security metrics and scenarios at architecture, design, and code levels. We have developed a prototype software system architecture security analysis tool. To the best of our knowledge this is the first extensible architecture security risk analysis tool that supports both metric-based and scenario-based architecture security analysis. We have validated our approach by using it to capture and evaluate signatures from the NIST security principals and attack scenarios defined in the CAPEC database.



Software Engineering. International Conference (35th : 2013 : San Francisco, California)


662 - 671




San Francisco, Calif.

Place of publication

Piscataway, N.J.

Start date


End date








Publication classification

E Conference publication; E1.1 Full written paper - refereed

Copyright notice

2013, IEEE

Title of proceedings

ICSE 2013 : Proceedings of the 35th International Conference on Software Engineering