
Research On Methods Of Threat Model Driven Software Security Evaluation And Testing

Posted on: 2011-02-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: K He
Full Text: PDF
GTID: 1118330338483305
Subject: Computer application technology

Abstract/Summary:
Poor-quality software has many vulnerabilities, and it has been recognized as the root cause of the exponentially increasing number of computer security problems. Researchers therefore pay particular attention to methods and techniques for ensuring software security during the software development process. To improve the trustworthiness of software, developers should consider security problems as early as possible in the software development lifecycle. In particular, how to ensure software security through evaluation and testing methods has become a critical issue for secure software development.

Supported by the National Science Foundation of China project "Attack Pattern Based Trustworthy Software Modeling, Evaluation, and Verification", we researched the key techniques of threat model driven software security evaluation and testing, including threat representation and modeling, threat model driven software security evaluation and testing, and an attack pattern repository to assist software security evaluation and testing. The major contributions of this dissertation are as follows:

(1) We researched threat representation and modeling methods. We proposed a unified threat model that formally represents threats to software systems using AND/OR trees, models the potential attack approaches an attacker would adopt to realize those threats, and forms the basis of the threat model driven software security evaluation and testing methods. The unified threat model provides a threat representation, narrows the gap between the software function model and mitigation measures, relates software function models to threat models, and facilitates collaboration between developers and security experts in secure software development.

(2) We researched software security evaluation techniques. We proposed a unified threat model driven software security evaluation method that quantitatively evaluates software security on the basis of attack paths, i.e. from the threat perspective. We implemented a prototype tool to support the method and performed a case study on online banking systems. The case study results indicate that the method can be used to design threat-resistant, high-quality software by detecting and mitigating design-level vulnerabilities in the early software design stage. The unified threat model is superior to the traditional threat tree model in the accuracy of evaluation results, in prioritizing mitigation measures, and in guiding security testing.

(3) We researched software security testing techniques. We proposed an attack scenario model driven software security testing method. First, functional testing is performed to ensure that the software behaves as it is supposed to. Second, threat-oriented security testing is performed to ensure that the software is robust against potential attacks. We implemented two prototype tools to support the method, and conducted an experiment to validate its feasibility and effectiveness.

(4) We researched methods of improving the efficiency of software security evaluation and testing. We proposed an attack pattern description language and an attack pattern reuse technique. The technique abstracts well-known attack approaches and their mitigation measures into a high-level representation that excludes the details which make an attack approach specific to one system. An attack pattern repository is constructed with this technique, and the attack patterns are then reused to model threats to diverse systems. We conducted a group of comparative experiments to demonstrate the attack pattern reuse process and to validate the feasibility and effectiveness of the method.
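As an added illustration of contributions (1) and (2) above (example code written for this page, not the dissertation's model, prototype tool or case-study data): a small AND/OR threat tree for a hypothetical online-banking threat, the enumeration of its attack paths, and a quantitative score used to rank mitigation measures. The tree, the per-step success estimates and the scoring rule (probability of the most likely attack path, assuming independent steps) are all assumptions; the abstract does not state which metric the dissertation actually uses.

```python
"""Toy AND/OR threat tree: enumerate attack paths and rank mitigations.

Hypothetical example written for this page; it is not the dissertation's
unified threat model or its tool. The scoring rule (most likely path,
independent steps) is an assumption.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass
class Leaf:
    name: str                       # a concrete attack step


@dataclass
class Gate:
    name: str                       # the (sub)threat this gate realises
    kind: str                       # "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


Node = Union[Leaf, Gate]
Path = FrozenSet[str]               # one attack path = set of leaf steps


def attack_paths(node: Node) -> List[Path]:
    """Every minimal set of leaf steps that realises `node`."""
    if isinstance(node, Leaf):
        return [frozenset([node.name])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "OR":           # any one child suffices
        paths = [p for cp in child_paths for p in cp]
    elif node.kind == "AND":        # one path from every child, combined
        paths = [frozenset().union(*combo) for combo in product(*child_paths)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # keep only minimal paths: drop any path that strictly contains another
    minimal = [p for p in paths if not any(q < p for q in paths)]
    return sorted(set(minimal), key=lambda p: (len(p), sorted(p)))


def path_probability(path: Path, step_prob: Dict[str, float]) -> float:
    """Assumption: steps succeed independently, so multiply their estimates."""
    prob = 1.0
    for step in path:
        prob *= step_prob[step]
    return prob


def threat_score(root: Node, step_prob: Dict[str, float]) -> Tuple[float, Path]:
    """Quantitative score = probability of the most likely attack path."""
    best = max(attack_paths(root), key=lambda p: path_probability(p, step_prob))
    return path_probability(best, step_prob), best


def rank_mitigations(root: Node, step_prob: Dict[str, float]) -> List[Tuple[str, float]]:
    """Mitigating a step sets its probability to 0; rank steps by score reduction."""
    base, _ = threat_score(root, step_prob)
    ranked = []
    for step in step_prob:
        after, _ = threat_score(root, {**step_prob, step: 0.0})
        ranked.append((step, base - after))
    return sorted(ranked, key=lambda t: -t[1])


# Constructed sample: threat "attacker transfers money from a victim's account"
# in a hypothetical online-banking system (not the dissertation's case study).
TREE = Gate("transfer funds from victim account", "OR", [
    Gate("use stolen credentials", "AND", [
        Gate("obtain password", "OR", [Leaf("phishing"), Leaf("keylogger")]),
        Leaf("bypass second factor"),
    ]),
    Gate("hijack session", "AND", [
        Leaf("xss steals session token"),
        Leaf("replay token"),
    ]),
    Leaf("call transfer api without authz check"),
])

# Constructed per-step success estimates (illustrative, not measured).
STEP_PROB = {
    "phishing": 0.3,
    "keylogger": 0.1,
    "bypass second factor": 0.2,
    "xss steals session token": 0.15,
    "replay token": 0.9,
    "call transfer api without authz check": 0.05,
}

if __name__ == "__main__":
    for p in attack_paths(TREE):
        print(f"{path_probability(p, STEP_PROB):.3f}  {sorted(p)}")
    score, path = threat_score(TREE, STEP_PROB)
    print("most likely path:", sorted(path), f"p={score:.3f}")
    for step, gain in rank_mitigations(TREE, STEP_PROB):
        print(f"mitigate {step!r:42} reduces score by {gain:.3f}")
```

Run as a script it lists the four attack paths, identifies the session-hijack path as the most likely one, and ranks the two steps on that path (token theft via XSS, token replay) as the mitigations worth doing first, while hardening the second factor scores zero because it lies on no top-ranked path. That is the sense in which an attack-path view prioritizes mitigations differently from a flat threat list; with shared leaves or dependent steps the independence assumption would have to be replaced by a proper cut-set calculation.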
Keywords/Search Tags:Software Security, Threat Model, Software Security Evaluation, Software Security Testing, Attack Pattern