SaTC: CORE: Small: Characterizing Architectural Vulnerabilities

Project Details

Performance Period

Oct 01, 2018 - Sep 30, 2021

Institution(s)

Rochester Institute of Technology

Award Number


Software architecture plays a fundamental role in addressing security requirements by enforcing the necessary authentication, authorization, confidentiality, data integrity, privacy, accountability, availability and non-repudiation requirements, even when the system is under attack. Therefore, a design flaw in a software system's architecture could lead to attacks with enormous consequences. Most of the research, techniques, and tools that address security focus on secure coding. However, it is difficult to achieve a high level of security (and other quality attributes) by focusing solely on the coding level. Architectural design flaws can overwhelm even the most heroic coding efforts, and ignoring such issues can result in backdoors into systems and severe software vulnerabilities.

This project presents the transformative notion of a Common Architectural Weakness Enumeration (CAWE), defined as a catalog of commonly occurring flaws in the design and implementation of a system's security architecture that can result in severe vulnerabilities and security breaches. Additionally, this work will develop a novel approach for automating the detection of common architectural weaknesses. It combines concepts and techniques from the software reflexion model, program analysis, and pattern matching to develop new algorithms for mapping CAWEs to an application's source code and detecting potential architectural vulnerabilities.
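The paragraph above names the software reflexion model as one ingredient of the detection approach. The following Python example, added here and not code or data from the CAWE project, illustrates that idea in miniature: an intended component architecture with allowed dependencies is compared against the dependencies actually found in source, and any divergent edge is then matched against a hypothetical weakness pattern. The sample modules, the package-to-component mapping, the allowed edges and the single weakness pattern are all constructed for this illustration.

```python
"""Minimal reflexion-model check for an architectural security rule.

Illustrative example only: the architecture, module-to-component mapping,
weakness pattern and source snippets below are constructed for this page
and are not the CAWE project's code or data.
"""
import ast
from dataclasses import dataclass, field

# Constructed sample: dotted module name -> source text (hypothetical app).
SAMPLE_SOURCES = {
    "web.login": "import auth.session\nfrom authz import policy\n",
    "web.report": "import db.reports\n",   # reaches the data layer directly
    "auth.session": "import db.users\n",
    "authz.policy": "import db.users\n",
    "db.users": "",
    "db.reports": "",
}

# Hypothetical intended architecture: top-level package -> component.
COMPONENT_OF_PACKAGE = {
    "web": "Web",
    "auth": "Authentication",
    "authz": "Authorization",
    "db": "Persistence",
}

# Component-level dependencies permitted by the intended architecture.
ALLOWED_EDGES = {
    ("Web", "Authentication"),
    ("Web", "Authorization"),
    ("Authentication", "Persistence"),
    ("Authorization", "Persistence"),
}

# Hypothetical weakness pattern expressed over a divergent edge.
WEAKNESS_PATTERNS = {
    ("Web", "Persistence"): "Web component reaches Persistence directly, "
                            "bypassing the Authorization component",
}


@dataclass
class ReflexionResult:
    convergences: set = field(default_factory=set)  # in source and in model
    divergences: set = field(default_factory=set)   # in source, not in model
    absences: set = field(default_factory=set)      # in model, not in source
    evidence: dict = field(default_factory=dict)    # edge -> [(module, imported)]


def imported_modules(source):
    """Return the dotted module names imported by a module's source text."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.append(node.module)
    return names


def component_of(dotted_name):
    """Map a module to its architectural component via its top-level package."""
    return COMPONENT_OF_PACKAGE.get(dotted_name.split(".")[0])


def compute_reflexion(sources, allowed_edges):
    """Compare dependencies found in source against the intended architecture."""
    result = ReflexionResult()
    actual = set()
    for module, text in sources.items():
        src = component_of(module)
        for imported in imported_modules(text):
            dst = component_of(imported)
            if src is None or dst is None or src == dst:
                continue  # unmapped module or intra-component edge: ignore
            actual.add((src, dst))
            result.evidence.setdefault((src, dst), []).append((module, imported))
    result.convergences = actual & allowed_edges
    result.divergences = actual - allowed_edges
    result.absences = allowed_edges - actual
    return result


def match_weakness_patterns(result, patterns=WEAKNESS_PATTERNS):
    """Report divergent edges that match a known architectural weakness pattern."""
    findings = []
    for edge in sorted(result.divergences):
        if edge in patterns:
            findings.append((patterns[edge], result.evidence[edge]))
    return findings


if __name__ == "__main__":
    res = compute_reflexion(SAMPLE_SOURCES, ALLOWED_EDGES)
    print("divergences:", res.divergences)
    for description, where in match_weakness_patterns(res):
        print(description, "->", where)
```

In the constructed sample the only divergence is the Web-to-Persistence edge introduced by `web.report`, and the evidence list points at the exact module and import responsible. A real analysis would replace the import-based extraction with deeper program analysis (call graphs, data flow) and would carry a catalog of patterns rather than one, but the shape of the check stays the same: model, mapping, actual dependencies, then pattern matching over the divergences.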

In this project, software vulnerabilities will be extracted from the National Vulnerability Database (NVD) and large-scale empirical studies will be conducted to investigate relationships between architectural flaws and software vulnerabilities. This project is expected to advance software security knowledge on the theoretical foundation, concepts, and automated tools to (1) characterize architectural vulnerabilities and security design flaws that can result in severe security breaches, and (2) automatically identify architectural weaknesses in the source code of a system and suggest appropriate mitigation techniques to fix them. The results of the project will contribute towards enhancing the state of practice for software assurance and cybersecurity. The CAWE catalog will provide the tool development sector of the software security industry with benchmarks to assess existing software assurance tools. Our automated technique to detect architectural weaknesses will complement existing static and dynamic source code analysis techniques. Ongoing research opportunities will be provided for a diverse group of undergraduate and graduate students. Research and pedagogical materials will be developed and made publicly available for use in a variety of courses in software architecture and software security.