Software Security: A Threat-Driven Approach

Software is a major source of security risks. Sufficient protection of software applications from attacks is beyond the capabilities of network-level and operating-system-level security approaches (e.g. cryptography, firewalls, and intrusion detection, to name a few) because they lack knowledge of application semantics. While software engineering principles have suggested that software security be treated in the early phases of software development, rigorous, well-structured methodologies for engineering secure software remain to be seen.

Our research explores the threat-driven approach for addressing various issues of software security engineering. At the core of this approach is the identification and mitigation of security threats, which are potential misuses and anomalies that violate security goals or policies. Security threats determine where and how to apply security features or assurance techniques. Different from traditional security modeling and analysis methods that rely on the formalization of security properties, the threat-driven approach explicitly identifies the behaviors of security threats. The following article is an introduction to threat-driven software security.
  1. Dianxiang Xu, Software Security, Wiley Encyclopedia of Computer Science and Engineering, B. W. Wah (Editor-In-Chief) and F. B. Bastani (Area Editor), John Wiley & Sons, Inc., To appear.

Threat-Driven Modeling of Secure Software

This research aims at a formal approach to threat-driven modeling and verification of secure software using aspect-oriented Petri nets. Based on the behavior model of intended functions of a system, we build formal models of security threats. Mitigations for the identified threats are further modeled in an aspect-oriented paradigm due to their crosscutting nature. Taking Petri nets as a formal basis for modeling system behaviors, threats, and mitigations as a whole, we can verify properties of and consistency between intended behaviors and threats, and absence of identified threats from the integrated model of intended functions and threat mitigations. This makes it possible to achieve a security design that is provably resistant to the anticipated threats.
  1. Dianxiang Xu and Kendall E. Nygard. Threat-Driven Modeling and Verification of Secure Software Using Aspect-Oriented Petri Nets. IEEE Transactions on Software Engineering. Vol. 32, No. 4, pp. 265-278, April 2006. (expanded version of the ASE'05 paper)
  2. Dianxiang Xu and Kendall Nygard. A Threat-Driven Approach to Modeling and Verifying Secure Software. In Proc. of the 2005 IEEE/ACM International Conference on Automated Software Engineering (ASE 2005), pp. 342-346, November 7-11, 2005. California, USA.
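As an added illustration of the verification step described above (this is example code written for this page, not code from the papers), a constructed toy net in Python: the intended function and a threat are composed into one net, a session-check mitigation is woven into every transition that produces `access`, and a bounded reachability search asks whether the threat's goal marking is reachable before and after weaving. The place and transition names (`idle`, `session_valid`, `forge_request`, and so on) are made up for the example.

```python
from collections import Counter, deque
# Constructed toy model, not the papers' nets. A transition is (name, consume, produce); each map gives place -> tokens.
FUNCTION_NET = [  # intended function: a user logs in, obtaining a valid session, then is granted access
    ("login", {"idle": 1}, {"authenticated": 1, "session_valid": 1}),
    ("grant", {"authenticated": 1}, {"access": 1}),
]
# Threat net: a forged request drives the system into the access state directly.
THREAT_NET = [("forge_request", {"attacker": 1}, {"access": 1})]
INITIAL = {"idle": 1, "attacker": 1}

def threat_goal(marking):
    """Threat goal marking: access is held while no valid session exists."""
    return marking.get("access", 0) > 0 and marking.get("session_valid", 0) == 0

def weave_session_check(net):
    """Mitigation aspect: every transition producing `access`, from whichever net, also tests `session_valid` (read arc)."""
    woven = []
    for name, consume, produce in net:
        if produce.get("access", 0) > 0:
            consume = Counter(consume) + Counter({"session_valid": 1})
            produce = Counter(produce) + Counter({"session_valid": 1})
        woven.append((name, consume, produce))
    return woven

def fire(marking, consume, produce):
    """Marking after firing the transition, or None if it is not enabled."""
    if any(marking.get(p, 0) < n for p, n in consume.items()):
        return None
    new = Counter(marking)
    new.subtract(consume)
    new.update(produce)
    return {p: n for p, n in new.items() if n}

def reachable_violation(net, initial, goal, max_tokens=3):
    """Breadth-first search of the marking graph (token-bounded so it terminates); first goal marking or None."""
    seen, queue = {frozenset(initial.items())}, deque([initial])
    while queue:
        marking = queue.popleft()
        if goal(marking):
            return marking
        for _, consume, produce in net:
            nxt = fire(marking, consume, produce)
            if nxt is not None and max(nxt.values(), default=0) <= max_tokens and frozenset(nxt.items()) not in seen:
                seen.add(frozenset(nxt.items()))
                queue.append(nxt)
    return None

INTEGRATED = FUNCTION_NET + THREAT_NET  # intended functions and threats as one model
print("threat reachable before mitigation:", reachable_violation(INTEGRATED, INITIAL, threat_goal))
print("threat reachable after mitigation: ", reachable_violation(weave_session_check(INTEGRATED), INITIAL, threat_goal))
```

Before weaving, the search finds a marking with `access` but no `session_valid`; after weaving, every transition into `access` is guarded, so no reachable marking satisfies the threat goal.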

Threat-Driven Design of Secure Software Architecture

This research treats identification of security threats as part of requirements elicitation and models them with misuse cases. UML sequence diagrams are exploited to describe the decision-making process an attacker would go through to compromise or misuse the system. On the other hand, we drive architecture design by dealing with the identified security threats in the process of application decomposition (as opposed to determining and mitigating security threats after the decomposition, as in the threat modeling approach). According to the security threats modeled by misuse cases, we evaluate whether or not a proposed candidate architecture can be resistant to the security threats and what constraints should be imposed on the choices of implementation techniques in order to mitigate the threats.
  1. Dianxiang Xu and Joshua Pauli. Threat-Driven Design and Analysis of Secure Software Architectures. Journal of Information Assurance and Security, Vol.1, No. 3, pp. 171-180, 2006.
  2. Joshua Pauli and Dianxiang Xu. Misuse Case-based Analysis of Secure Software Architecture, Proc. of ITCC'05, April 2005.
  3. Joshua Pauli and Dianxiang Xu. Threat-Driven Architectural Design of Secure Information Systems. Proc. of ICEIS’05, Miami, May 2005.

Threat-Driven Security Requirements
  1. Dianxiang Xu, Vivek Goel, Kendall Nygard, and W. Eric Wong. Aspect-Oriented Specification of Threat-Driven Security Requirements, International Journal of Computer Applications in Technology, Special Issue on Concern Oriented Software Evolution. To appear.
  2. Dianxiang Xu, Vivek Goel, and Kendall Nygard. An Aspect-Oriented Approach to Security Requirements Analysis. Proc. of COMPSAC'06.
  3. Josh Pauli and Dianxiang Xu. Integrating Functional and Security Requirements with Use Case Decomposition. In Proc. of the 11th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS’06), USA, August 2006.
  4. Josh Pauli and Dianxiang Xu. Ensuring Consistent Use/Misuse Case Decomposition for Secure Systems. Proc. of the 18th International Conference on Software Engineering and Knowledge Engineering (SEKE'06), CA., USA, July 2006.
  5. Josh Pauli and Dianxiang Xu. Trade-off Analysis of Misuse Case-based Secure Software Architectures: A Case Study. In Proc. of the 3rd International Workshop on Modeling, Simulation, Verification and Validation of Enterprise Information Systems (MSVVEIS’05).

Threat-Driven Testing of Secure Software
  1. Linzhang Wang, W. Eric Wong, and Dianxiang Xu. A Threat Model Driven Approach for Security Testing, The 3rd International Workshop on Software Engineering for Secure Systems (SESS'07), in conjunction with ICSE’07. May 2007, Minneapolis.