Identifying and resolving least privilege violations in software architectures

Proceedings - International Conference on Availability, Reliability and Security, ARES 2009

Volumn , Issue , 2009, Pages 232-239

  Buyens, Koen ^a   De Win, Bart ^a   Joosen, Wouter ^a  

^a Distrinet Katholieke Universiteit Leuven   (Belgium)

Author keywords

[No Author keywords available]

Indexed keywords

ARCHITECTURAL TRANSFORMATION; BODY OF KNOWLEDGE; LEAST PRIVILEGE; SECURITY LEVEL; SECURITY PRINCIPLES; SECURITY PROPERTIES; SOFTWARE SYSTEMS;

COMPUTER SOFTWARE;

SOFTWARE ARCHITECTURE;

EID: 70349694735     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2009.48     Document Type: Conference Paper

References (35)

1. Anurag Acharya and Mandar Raje. Mapbox: Using parameterized behavior classes to confine applications. Technical report, Santa Barbara, CA, USA, 1999.
2. Albert Alexandrov, Paul Kmiec, and Klaus Schauser. Consh: A confined execution environment for internet computations. USENIX Annual Technical Conference, 1999.
3. Deepak Alur, Dan Malks, John Crupi, Grady Booch, and Martin Fowler. Core J2EE Patterns (Core Design Series): Best Practices and Design Strategies. Sun Microsystems, Inc. Mountain View, CA, USA, 2003.
4. Daniel Julius Bernstein. Qmail home page. http://cr.yp.to/qmail.html.
5. Barry W. Boehm. Software Engineering Economics. Prentice-Hall Englewood Cliffs, NJ, 1981.
6. David Brumley and Dawn Song. Privtrans: Automatically partitioning programs for privilege separation. In Proceedings of the 13th USENIX Security Symposium, August 2004.
7. Koen Buyens, Bart De Win, and Wouter Joosen. Identifying and resolving least privilege violations in software architectures. Technical report, Katholieke Universiteit Leuven, 2008, to be published.
8. Suresh N. Chari and Pau-Chen Cheng. Bluebox: A policy-driven, hostbased intrusion detection system. ACM Trans. Inf. Syst. Secur., 6(2):173-200, 2003.
9. Chris Evans. Comments on the Overall Architecture of Vsftpd, from a Security Standpoint. Internet, February 2001.
10. Paul Clements, David Garlan, Len Bass, Judith Stafford, Robert Nord, James Ivers, and Reed Little. Documenting Software Architectures: Views and Beyond. Pearson Education, 2002.
11. Eric Dashofy, Hazel Asuncion, Scott Hendrickson, Girish Suryanarayana, John Georgas, and Richard Taylor. Archstudio 4: An architecture-based meta-modeling environment. In ICSE COMPANION '07: Companion to the proceedings of the 29th International Conference on Software Engineering, pages 67-68, Washington, DC, USA, 2007. IEEE Computer Society.
12. Thuong Doan, Steven Demurjian, T. C. Ting, and Andreas Ketterl. Mac and uml for secure software design. In FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering, pages 75-85, New York, NY, USA, 2004. ACM.
13. Martin Fowler, Kent Beck, John Brant, William Opdyke, and Don Roberts. Refactoring: Improving the Design of Existing Code. Addison-Wesley Professional, June 1999.
14. S. Höhn and J. Jürjens. Rubacon: automated support for modelbased compliance engineering. In Proceedings of the 13th international conference on Software engineering, pages 875-878. ACM New York, NY, USA, 2008.
15. Michael Howard and Steve Lipner. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, 2006.
16. Igor Ivkovic and Kostas Kontogiannis. A Framework for Software Architecture Refactoring using Model Transformations and Semantic Annotations. Software Maintenance and Reengineering. Proceedings of the 10th European Conference on, 2006.
17. K. Jain and R. Sekar. User-level infrastructure for system call interposition: A platform for intrusion detection and confinement. In In ISOC Network and Distributed System Security, 2000.
18. Jan Jürjens. Secure Systems Development With UML. Springer, 2005.
19. Douglas Kilpatrick. Privman: A library for partitioning applications. In USENIX Annual Technical Conference, FREENIX Track, pages 273-284, 2003.
20. Dimitri Van Landuyt, Johan Gregoire, Sam Michiels, Eddy Truyen, and Wouter Joosen. Architectural design of a digital publishing system. Technical report, October 2006.
21. Mikael Lindvall, Roseanne T. Tvedt, and Patricia Costa. An empiricallybased process for software architecture evaluation. Empirical Software Engineering, 8(1):83-108, March 2003.
22. Pratyusa K. Manadhata, Dilsun K. Kaynar, and Jeannette M. Wing. A formal model for a systems attack surface. Technical Report CMU-CS- 07-144, Carnegie Mellon University, 2007.
23. Thomas J. McCabe. A complexity measure. In ICSE '76: Proceedings of the 2nd international conference on Software engineering, page 407, Los Alamitos, CA, USA, 1976. IEEE Computer Society Press.
24. Tom Mens and Tom Tourwé. A survey of software refactoring. IEEE Transactions of Software Engineering, 30(2):126-139, 2004.
25. Mirko Morandini, Duy Cu Nguyen, Anna Perini, Alberto Siena, and Angelo Susi. Tool-supported development with tropos: The conference management system case study. In Michael Luck and Lin Padgham, editors, Agent Oriented Software Engineering VIII, volume 4951 of LNCS, pages 182-196. Springer, 2008.
26. David S. Peterson, Matt Bishop, and Raju Pandey. A flexible containment mechanism for executing untrusted code. In Proceedings of the 11th USENIX Security Symposium, pages 207-225, Berkeley, CA, USA, 2002. USENIX Association.
27. Niels Provos. Systrace - interactive policy generation for system calls.
28. Jie Ren. A connector-centric approach to architectural access control. PhD thesis, Long Beach, CA, USA, 2006. Adviser-Richard N. Taylor.
29. Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278- 1308, September 1975.
30. Ravi S. Sandhu and Pierangela Samarati. Access control: Principles and practice. IEEE Communications Magazine, 32:40-48, 1994.
31. Fred B. Schneider. Enforceable security policies. ACM Trans. Inf. Syst. Secur., 3(1):30-50, 2000.
32. Wietse Zweitze Venema. Postfix home page. http://www.postfix.org.
33. David A. Wagner. Janus: an approach for confinement of untrusted applications. Technical Report CSD-99-1056, 12, 1999.
34. Kenneth M. Walker, Daniel F. Sterne, M. Lee Badger, Michael J. Petkac, David L. Sherman, and Karen A. Oostendorp. Confining root programs with domain and type enforcement (dte). In SSYM'96: Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, pages 3-3, Berkeley, CA, USA, 1996. USENIX Association.
35. Sherif M. Yacoub and Hany H. Ammar. A methodology for architecturelevel reliability risk analysis. IEEE Transactions on Software Engineering, 28(6):529-547, June 2002.