Automatic detection of architectural security flaws
File: Dissertation -- Bernhard J. Berger -- 032022.pdf (4.02 MB, Adobe PDF)
Authors: Berger, Bernhard J.
Supervisor: Koschke, Rainer
1. Expert: Koschke, Rainer
Experts: Bodden, Eric
Abstract:
Software systems are increasingly interconnected, and more and more devices have a permanent connection to the worldwide web. While this is convenient for end-users and desired by companies whose revenue grows with more information on their customers, it creates an attractive attack vector not only for criminals trying to scam people but also for industrial espionage. Software security and data privacy are therefore essential topics today. While there is plenty of research on implementation-level security flaws, research has so far lacked ideas for automating the detection of architectural security flaws.
This thesis presents the ArchSec approach, which investigates how architectural security flaws can be detected automatically. ArchSec uses static analyses to extract extended dataflow diagrams. An extended dataflow diagram extends a traditional dataflow diagram by adding types and attributes to its elements. The extracted diagrams are then converted into property graphs and checked for architectural security flaws using a knowledge base containing security anti-patterns and security patterns. Parts of the property graph that match an anti-pattern correspond to potential security flaws if no matching security pattern is found that mitigates them. The detection process therefore reduces to a subgraph isomorphism problem.
Several case studies demonstrate the feasibility of the ArchSec approach. Each case study presents transferable knowledge base rules and describes the security flaws found and the mitigations applied in the context of the case study's applications. The case study applications comprise Android apps, hybrid Android apps, and JavaEE applications. ArchSec identified different kinds of security flaws, such as authentication problems, authorisation problems, and cryptography-related problems. Consequently, it detected violations of most of information security's protection goals. The flaws detected in real-world applications would have allowed attackers to spy on transmitted and processed data, circumvent existing authorisation constraints, and execute attacker-written code.
Combining a predefined knowledge base with an automatic extraction and detection process simplifies the threat modelling approach significantly and makes it feasible even for small and mid-sized companies. Decreasing the effort required for a professional architectural security assessment will hopefully result in more secure software systems and improve the general state of data protection.
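As an added illustration of the detection step described in the abstract (example code written for this record, not ArchSec's own implementation), the following Python models a tiny extended dataflow diagram as a property graph, states one anti-pattern and one mitigating security pattern as small attributed graphs, and reports an anti-pattern match as a flaw only when no security pattern holds over the same nodes; the system graph, attribute names and pattern rules are constructed for the example.

```python
from itertools import permutations

# Constructed toy input: an extended DFD as a property graph of typed nodes and flow edges with attributes.
SYSTEM = {
    "nodes": {
        "user":   {"type": "external_entity", "zone": "internet"},
        "mobile": {"type": "external_entity", "zone": "internet"},
        "login":  {"type": "process", "zone": "dmz"},
    },
    "edges": [  # (source, destination, attributes)
        ("user",   "login", {"type": "flow", "data": "credentials", "protocol": "http"}),
        ("mobile", "login", {"type": "flow", "data": "credentials", "protocol": "https"}),
    ],
}

def attrs_match(required, actual):
    # A pattern element matches when every attribute it specifies is present with the same value.
    return all(actual.get(k) == v for k, v in required.items())

def holds(pattern, graph, mapping):
    # Does `pattern` hold in `graph` under a fixed pattern-node -> graph-node mapping?
    if not all(attrs_match(pattern["nodes"][p], graph["nodes"][g]) for p, g in mapping.items()):
        return False
    return all(any(s == mapping[ps] and d == mapping[pd] and attrs_match(pa, a)
                   for s, d, a in graph["edges"])
               for ps, pd, pa in pattern["edges"])

def matches(pattern, graph):
    # Brute-force subgraph isomorphism: try every injective mapping of pattern nodes onto graph nodes.
    pnodes = list(pattern["nodes"])
    for chosen in permutations(graph["nodes"], len(pnodes)):
        mapping = dict(zip(pnodes, chosen))
        if holds(pattern, graph, mapping):
            yield mapping

def detect_flaws(graph, anti_pattern, security_patterns):
    # An anti-pattern match is reported unless some security pattern also holds under the same mapping.
    return [m for m in matches(anti_pattern, graph)
            if not any(holds(sp, graph, m) for sp in security_patterns)]

# Anti-pattern (constructed): credentials flow from an untrusted zone into a process.
CREDENTIALS_FROM_INTERNET = {"nodes": {"src": {"zone": "internet"}, "dst": {"type": "process"}},
                             "edges": [("src", "dst", {"data": "credentials"})]}
# Mitigating security pattern over the same node names: the flow is transport-encrypted.
TLS_PROTECTED = {"nodes": {"src": {}, "dst": {}},
                 "edges": [("src", "dst", {"protocol": "https"})]}

def flawed_sources(graph=SYSTEM):
    # Graph nodes that send credentials into a process without the mitigation: ['user']
    return sorted(m["src"] for m in detect_flaws(graph, CREDENTIALS_FROM_INTERNET, [TLS_PROTECTED]))
```

The brute-force matcher is exponential in the pattern size and only serves to make the subgraph isomorphism step concrete; a real knowledge base would use a graph database or a dedicated matching algorithm.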
Keywords: threat modeling; architectural risk analysis; software architecture; data flow diagram; static analysis; reverse engineering; security flaw
Issue Date: 7-Mar-2022
Type: Dissertation
DOI: 10.26092/elib/1453
URN: urn:nbn:de:gbv:46-elib58300
Institution: Universität Bremen
Faculty: Fachbereich 03: Mathematik/Informatik (FB 03)
Appears in Collections: Dissertationen
checked on May 29, 2022
This item is licensed under a Creative Commons License