Idea: Towards Architecture-Centric Security Analysis of Software

Static security analysis of software has made great progress over the past few years. In particular, this applies to the detection of low-level security bugs such as buffer overflows, Cross-Site Scripting and SQL injection vulnerabilities. Complementing commercial static code review tools, we present an approach to static security analysis that is based on the software architecture, using the reverse engineering tool suite Bauhaus. This allows software to be analyzed at a more abstract level and permits a more focused analysis that concentrates on the modules regarded as security-critical. In addition, certain security flaws can be detected at the architectural level, such as the circumvention of APIs or the incomplete enforcement of access control. We discuss our approach in the context of a business application and Android’s Java-based middleware.
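To make the two architectural checks named in the abstract concrete, here is an added illustration in Python. It is not code from the paper or from Bauhaus; it runs two checks over a small, constructed call graph whose module names (ui.*, api.*, auth.*, db.*, batch.*) are hypothetical: (1) API circumvention, i.e. a call that reaches the protected persistence layer without going through the designated API layer, and (2) incomplete access-control enforcement, i.e. an API entry point that transitively reaches the protected layer without ever reaching the access-control check.

```python
"""Toy architecture-level security checks over a call graph.

Added example (not from the paper or the Bauhaus tool suite). The call graph
and module names below are constructed for illustration only.
"""
from collections import defaultdict, deque

# Constructed (caller, callee) edges of a hypothetical business application.
# Architectural rule: everything outside db.* must reach db.* via api.*, and
# every api.* entry point that touches db.* must pass auth.AccessControl.check.
CALL_GRAPH = [
    ("ui.OrderForm", "api.OrderService.placeOrder"),
    ("api.OrderService.placeOrder", "auth.AccessControl.check"),
    ("api.OrderService.placeOrder", "db.OrderRepository.insert"),
    ("ui.ReportView", "db.OrderRepository.findAll"),        # bypasses api.*
    ("api.OrderService.cancelOrder", "db.OrderRepository.delete"),  # no check
    ("batch.Importer", "db.OrderRepository.insert"),        # bypasses api.*
]

API_LAYER = "api."
PROTECTED_LAYER = "db."
ACCESS_CHECK = "auth.AccessControl.check"


def build_graph(edges):
    """Adjacency map caller -> set(callees)."""
    graph = defaultdict(set)
    for caller, callee in edges:
        graph[caller].add(callee)
    return graph


def reachable(graph, start):
    """All nodes transitively reachable from `start` (excluding start itself)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_api_circumvention(edges, api_prefix=API_LAYER, protected_prefix=PROTECTED_LAYER):
    """Direct calls into the protected layer from outside the API layer.

    Calls from within the protected layer to itself are allowed.
    """
    return sorted(
        (caller, callee)
        for caller, callee in edges
        if callee.startswith(protected_prefix)
        and not caller.startswith(api_prefix)
        and not caller.startswith(protected_prefix)
    )


def find_unchecked_entry_points(edges, api_prefix=API_LAYER,
                                protected_prefix=PROTECTED_LAYER, check=ACCESS_CHECK):
    """API entry points that reach the protected layer but never the check."""
    graph = build_graph(edges)
    missing = []
    for entry in sorted(n for n in graph if n.startswith(api_prefix)):
        reach = reachable(graph, entry)
        touches_protected = any(n.startswith(protected_prefix) for n in reach)
        if touches_protected and check not in reach:
            missing.append(entry)
    return missing


if __name__ == "__main__":
    for caller, callee in find_api_circumvention(CALL_GRAPH):
        print(f"API circumvention: {caller} -> {callee}")
    for entry in find_unchecked_entry_points(CALL_GRAPH):
        print(f"Incomplete access control: {entry} reaches {PROTECTED_LAYER}* without {ACCESS_CHECK}")
```

In a real setting the edge list would come from a reverse-engineered call graph rather than being typed in, and the layer prefixes and check routine would be part of the recovered architecture model; the point here is only that both flaws become simple graph queries once the analysis works at module granularity instead of at the level of individual statements.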
Karsten Sohr, Bernhard Berger
Added 17 Mar 2010
Updated 17 Mar 2010
Type Conference
Year 2010
Authors Karsten Sohr, Bernhard Berger