Visible to the public Biblio

Filters: Author is Peldszus, Sven  [Clear All Filters]
2019-12-30
Peldszus, Sven, Strüber, Daniel, Jürjens, Jan.  2018.  Model-Based Security Analysis of Feature-Oriented Software Product Lines. Proceedings of the 17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences. :93-106.
Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.
2018-05-24
Ahmadian, Amir Shayan, Peldszus, Sven, Ramadan, Qusai, Jürjens, Jan.  2017.  Model-Based Privacy and Security Analysis with CARiSMA. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. :989–993.

We present CARiSMA, a tool that is originally designed to support model-based security analysis of IT systems. In our recent work, we added several new functionalities to CARiSMA to support the privacy of personal data. Moreover, we introduced a mechanism to assist the system designers to perform a CARiSMA analysis by automatically initializing an appropriate CARiSMA analysis concerning security and privacy requirements. The motivation for our work is Article 25 of Regulation (EU) 2016/679, which requires appropriate technical and organizational controls must be implemented for ensuring that, by default, the processing of personal data complies with the principles on processing of personal data. This implies that initially IT systems must be analyzed to verify if such principles are respected. System models allow the system developers to handle the complexity of systems and to focus on key aspects such as privacy and security. CARiSMA is available at http://carisma.umlsec.de and our screen cast at https://youtu.be/b5zeHig3ARw.