Formal security analysis for software architecture design: An expressive framework to emerging architectural styles
Introduction
Security is an important non-functional requirement that software architects need to consider when they design their systems. Many security flaws can be identified by performing analysis at different stages of the software development process [1]. At the design phase, security analysis can be conducted using software architecture design models. After a system has been implemented, vulnerability analysis can be conducted through penetration testing to reveal security flaws in the system implementation. Security analysis at the architectural level is essential as it helps to prevent security flaws from being propagated to the implementation. Architectural-level security flaws constitute 50% of total reported vulnerabilities in the system implementation [2]. If we can minimise security flaws at the architecture design phase, less effort would be required to fix them later in the implementation.
As emerging technologies, such as blockchain, microservices and containerization, have been intensively utilised in modern software systems, new architectural styles have been proposed to support them [3], [4]. These architectural styles have specific structures and behaviours that require specialised knowledge of the underlying technologies in order to analyse them [5]. Security analysis has, therefore, become more complex. Moreover, the design of a software system often evolves when new technologies and styles become available. Hence, the analysis approach must be flexible enough to support new technologies and styles.
Even though a number of works have been proposed to support security analysis at the architectural level, as we discuss in Section 7, they still have limitations. First, existing approaches focus either on evaluating security metrics relating to the design or on tracing attack scenarios. Both tasks are significant in analysing security measures in a software system. The analysis approach should be able to measure the overall security of a software system to support trade-off analysis. Also, when security flaws are identified, software engineers need to be able to trace how they can be attacked by adversaries and identify which components would be impacted. Second, most of the analysis approaches are not extensible to support new security metrics or scenarios, because the analysis logic is often hard-coded in the analysis tool. Third, many analysis approaches have been proposed for a particular architectural style and technology. There is a lack of analysis approaches that are flexible enough to support arbitrary architectural styles.
This paper presents an automated security analysis approach for software architecture design. Our approach supports architectural security analysis based on a formal representation of security characteristics representing metrics, security, vulnerability and attack scenarios. The analysis process is based on ontology reasoning and model checking techniques. Our approach can be used to measure the overall security of a software system and give an insightful result that helps to trace how attacks can occur. This paper presents the unique development from our previous works published at [6] and [7], which introduced the concept of the approach for analysing security in a specific architectural style. This paper focuses on a generic approach that can be applied to support security analysis on any architectural style whose semantic structures and interactive behaviours can be formally described. We provide a guideline on how our technique can analyse other security vulnerabilities not addressed in this paper. Architectural patterns can be formally specified for an architectural style using the modelling presented in this paper. This paper also includes the implementation details of the tools and the evaluation of our approach on real-world systems. The contributions of this paper are summarised as follows:
1. Formal modelling of software architecture design is proposed to describe the structural and behavioural aspects of software architecture design.
2. A set of formal descriptions of security characteristics is presented and used to identify security vulnerabilities, metrics and scenarios. A guideline is provided to define other security characteristics not addressed in this work.
3. A set of formal descriptions for architectural styles is presented. This set provides structural and behavioural details of architectural styles to serve security analysis. The semantics underlying the formal descriptions are expressive enough to define other architectural styles in a similar way.
4. An analysis tool has been developed to seamlessly support modelling, verifying and tracing security at the architectural design level.
5. We have evaluated the accuracy and performance of our security analysis approach with six software systems. The results show that our approach is efficient and effective in supporting architectural security analysis.
The rest of this paper is organised as follows. Section 2 presents the principles and concepts used in our approach. Section 3 explains the motivation for our approach. Section 4 presents how to formally define architecture designs and security characteristics. The implementation of tools to support our approach is presented in Section 5. Section 6 presents our evaluation. Section 7 discusses related work in comparison to our approach. This paper concludes in Section 8, where future research direction is also addressed.
Ontology Web Language
Web Ontology Language is the standard ontology language proposed by the World Wide Web Consortium (W3C) to describe the ontology model, which aims to capture the structure of knowledge in a domain. OWL includes a set of standard operators, such as intersection, union and negation, to logically support the definition of a model. OWL supports class hierarchies, similar to Object-Oriented Programming (OOP). An ontology class can be inherited from another class. This inheritance can be used to form a
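As an added illustration (not the paper's own formalism or tool), the following stdlib-only Python sketch exercises the OWL features described in this section: subclass inheritance, and the intersection, union and negation operators plus an existential restriction, applied to a small constructed architecture model. The class names, the `usesConnector` property and the defined class `PLAINTEXT_EXPOSED` are hypothetical.

```python
# Constructed, stdlib-only sketch of OWL-style reasoning (not the paper's tool). Class
# expressions: ("cls", C), ("and", ...), ("or", ...), ("not", e), ("some", property, e).
class Model:
    def __init__(self):
        self.types = {}     # individual -> set of named classes
        self.props = {}     # (individual, property) -> set of target individuals
        self.subclass = {}  # class -> set of direct superclasses

    def add(self, ind, *classes):       # assert class membership
        self.types.setdefault(ind, set()).update(classes)
    def link(self, subj, prop, obj):    # assert an object-property edge
        self.props.setdefault((subj, prop), set()).add(obj)
    def sub(self, cls, sup):            # subclass axiom: cls inherits from sup
        self.subclass.setdefault(cls, set()).add(sup)

    def closure(self):                  # propagate classes up the hierarchy to a fixpoint
        changed = True
        while changed:
            changed = False
            for cs in self.types.values():
                for c in list(cs):
                    new = self.subclass.get(c, set()) - cs
                    if new:
                        cs |= new
                        changed = True

    def holds(self, ind, e):            # evaluate a class expression for one individual
        op, *a = e
        if op == "cls": return a[0] in self.types.get(ind, ())
        if op == "and": return all(self.holds(ind, x) for x in a)
        if op == "or":  return any(self.holds(ind, x) for x in a)
        if op == "not": return not self.holds(ind, a[0])
        if op == "some":  # some target of property a[0] satisfies class a[1]
            return any(self.holds(t, a[1]) for t in self.props.get((ind, a[0]), ()))
        raise ValueError(f"unknown operator {op}")

    def members(self, e):               # individuals classified under e
        self.closure()
        return sorted(i for i in self.types if self.holds(i, e))

def build_example():  # hypothetical model: two microservices and their connectors
    m = Model()
    m.sub("Microservice", "Component"); m.sub("RESTConnector", "Connector")
    m.add("Gateway", "Microservice"); m.add("Ledger", "Microservice")
    m.add("c1", "RESTConnector"); m.add("c2", "RESTConnector", "Encrypted")
    m.link("Gateway", "usesConnector", "c1"); m.link("Ledger", "usesConnector", "c2")
    return m

# Hypothetical defined class: Component using some Connector that is not Encrypted.
PLAINTEXT_EXPOSED = ("and", ("cls", "Component"), ("some", "usesConnector",
                     ("and", ("cls", "Connector"), ("not", ("cls", "Encrypted")))))
```

Calling `build_example().members(PLAINTEXT_EXPOSED)` classifies `Gateway` (but not `Ledger`) under the defined class, because `Component` and `Connector` are only reached through the subclass closure.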
Security in emerging architectural styles
As emerging architectural styles have been applied in modern software systems, this section presents prominent emerging architectural styles and their security challenges. These challenges highlight the need for an automated approach to support security analysis.
Formal security modelling and analysis
This section presents a framework that supports analysing security at the architectural design level. The overall process can be seen in Fig. 2. First, the architecture design is formally modelled based on architectural patterns. These patterns support the design according to architectural styles. The model of architecture design can be created by a provided modeller tool. This tool allows us to automatically format the model into Ontology Web Language (OWL) and Architecture Description
Tool implementation
This section presents the implementation of the tool to support formal security analysis. We have implemented our formal approach as a software framework to support modelling and analysing the architectural design. This software framework consists of several components, as shown in Fig. 8.
Arch Modeller is implemented as a graphical user interface tool to support modelling of the architecture design and performing security analysis. This tool
Evaluation
This evaluation aims to answer the following research questions:
- RQ1: How complete and sound is the detection according to the set of formally defined security characteristics?
- RQ2: What are the factors that impact the computational performance of the detection process?
- RQ3: How effective are the generated scenarios in identifying the components that are indirectly impacted by the attacks?
- RQ4: What are the factors that impact the computational performance of attack scenario generation?
Related work
This section discusses related work. We begin by discussing methods and techniques that have been proposed to analyse security at the level of software architecture design. We then discuss work that focuses on analysing security in systems that utilise microservice and blockchain technology.
Gennari and Garlan [39] proposed an extension to ACME Studio to support attack surface analysis in the C&C view of architecture design. Although this approach can help to reduce security flaws at design
Conclusion
In this paper, a framework is introduced to support analysing security during the software architecture design phase of software development. Our approach can automatically identify security vulnerabilities and provide insightful results that show how attacks may occur. We have evaluated the accuracy of our approach and the performance of the automated analysis process, and the results demonstrate that our approach can efficiently provide accurate results to support the analysis. With the
CRediT authorship contribution statement
Nacha Chondamrongkul: Conceptualization, Methodology, Software, Validation, Writing – review & editing. Jing Sun: Supervision, Validation, Writing – review & editing. Ian Warren: Supervision, Validation, Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (56)
- et al., Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles, J. Syst. Softw. (2008).
- et al., Towards a secure software development lifecycle with SQUARE+R.
- Software Security: Building Security In (2006).
- et al., Architectural patterns for microservices: a systematic mapping study.
- et al., The Blockchain as a Software Connector (2016).
- et al., A security analysis of cyber-physical systems architecture for healthcare, Computers (2016).
- et al., Automated security analysis for microservice architecture.
- et al., Formal security analysis for blockchain-based software architecture.
- et al., PAT approach to architecture behavioural verification.
- et al., Microservices: Yesterday, Today, and Tomorrow (2017).