Model-based security analysis of feature-oriented software product lines

Sven Matthias Peldszus; Daniel Strüber; Jan Jürjens

doi:10.1145/3278122.3278126

Model-based security analysis of feature-oriented software product lines

Sven Matthias Peldszus
, Daniel Strüber
, Jan Jürjens

University of Koblenz

Research output: Conference Article in Proceeding or Book/Report chapter › Article in proceedings › Research › peer-review

Abstract

Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.

Original language	English
Title of host publication	Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences - GPCE 2018
Place of Publication	New York, USA
Publisher	Association for Computing Machinery
Publication date	2018
Pages	93 - 106
ISBN (Print)	9781450360456, 9781450360456
DOIs	https://doi.org/10.1145/3278122.3278126
Publication status	Published - 2018
Externally published	Yes
Event	International Conference on Generative Programming: Concepts and Experiences - Boston, United States Duration: 5 Nov 2018 → 6 Nov 2018 Conference number: 17 https://searchworks.stanford.edu/view/14195785

Conference

Conference	International Conference on Generative Programming: Concepts and Experiences
Number	17
Country/Territory	United States
City	Boston
Period	05/11/2018 → 06/11/2018
Internet address	https://searchworks.stanford.edu/view/14195785

Keywords

Security
Software Product Lines
OCL
UML

Access to Document

10.1145/3278122.3278126Licence: Unspecified

Cite this

@inproceedings{0ab53d03d76041dc9138d73c228ca95a,

title = "Model-based security analysis of feature-oriented software product lines",

abstract = "Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.",

keywords = "Security, Software Product Lines, OCL, UML",

author = "Peldszus, \{Sven Matthias\} and Daniel Str{\"u}ber and Jan J{\"u}rjens",

year = "2018",

doi = "10.1145/3278122.3278126",

language = "English",

isbn = "9781450360456",

pages = "93 -- 106",

booktitle = "Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences - GPCE 2018",

publisher = "Association for Computing Machinery",

address = "United States",

note = "International Conference on Generative Programming: Concepts and Experiences , GPCE ; Conference date: 05-11-2018 Through 06-11-2018",

url = "https://searchworks.stanford.edu/view/14195785",

}

Peldszus, SM, Strüber, D & Jürjens, J 2018, Model-based security analysis of feature-oriented software product lines. in Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences - GPCE 2018. Association for Computing Machinery, New York, USA , pp. 93 - 106, International Conference on Generative Programming: Concepts and Experiences , Boston, Massachusetts, United States, 05/11/2018. https://doi.org/10.1145/3278122.3278126

Model-based security analysis of feature-oriented software product lines. / Peldszus, Sven Matthias; Strüber, Daniel; Jürjens, Jan.
Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences - GPCE 2018. New York, USA : Association for Computing Machinery, 2018. p. 93 - 106.

Research output: Conference Article in Proceeding or Book/Report chapter › Article in proceedings › Research › peer-review

TY - GEN

T1 - Model-based security analysis of feature-oriented software product lines

AU - Peldszus, Sven Matthias

AU - Strüber, Daniel

AU - Jürjens, Jan

N1 - Conference code: 17

PY - 2018

Y1 - 2018

N2 - Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.

AB - Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.

KW - Security

KW - Software Product Lines

KW - OCL

KW - UML

UR - http://dx.doi.org/10.1145/3278122.3278126

U2 - 10.1145/3278122.3278126

DO - 10.1145/3278122.3278126

M3 - Article in proceedings

SN - 9781450360456

SP - 93

EP - 106

BT - Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences - GPCE 2018

PB - Association for Computing Machinery

CY - New York, USA

T2 - International Conference on Generative Programming: Concepts and Experiences

Y2 - 5 November 2018 through 6 November 2018

ER -

Model-based security analysis of feature-oriented software product lines

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this