Model-based security analysis of feature-oriented software product lines
- 7 April 2020
- journal article
- research article
- Published by Association for Computing Machinery (ACM) in ACM SIGPLAN Notices
- Vol. 53 (9), 93-106
- https://doi.org/10.1145/3393934.3278126
Abstract
Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.
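The family-based analysis the abstract describes can be illustrated on a small model. The following is an added example, not SecPL's own tooling or code from the paper: it builds a constructed toy web-shop product line (features, feature model, deployment links and {secrecy}-tagged messages are all invented for the illustration) and checks one UMLsec-style requirement, namely that a secret message must only travel over a link carrying <<encrypted>>. The family-based check computes, per potential violation, the presence condition under which it occurs, conjoins it with the feature model and asks a SAT procedure (a minimal backtracking solver written here for self-containment; a real tool would use an off-the-shelf solver) whether any product satisfies it. The naive product-by-product strategy is implemented alongside so the two can be compared.

```python
"""Family-based vs. product-by-product security check of a 150% model.

Constructed toy product line (not from the paper): a web shop whose
deployment model carries presence conditions over features together with
a UMLsec-style requirement: a message tagged {secrecy} may only traverse
a link stereotyped <<encrypted>>.
"""
from itertools import product

# Propositional formulas over feature names, as nested tuples.
def var(f):         return ('var', f)
def neg(f):         return ('not', f)
def conj(*fs):      return ('and',) + fs        # conj() is True
def disj(*fs):      return ('or',) + fs         # disj() is False
def implies(a, b):  return disj(neg(a), b)

def evaluate(formula, assignment):
    """Three-valued evaluation: True, False, or None when a partial
    assignment leaves the value undetermined (used for pruning)."""
    op = formula[0]
    if op == 'var':
        return assignment.get(formula[1])
    if op == 'not':
        v = evaluate(formula[1], assignment)
        return None if v is None else (not v)
    vals = [evaluate(f, assignment) for f in formula[1:]]
    if op == 'and':
        return False if False in vals else (True if None not in vals else None)
    if op == 'or':
        return True if True in vals else (False if None not in vals else None)
    raise ValueError(op)

def satisfiable(formula, features):
    """Minimal backtracking SAT procedure with early pruning; returns a
    satisfying assignment (a witness product) or None."""
    def search(assignment, remaining):
        value = evaluate(formula, assignment)
        if value is False:
            return None
        if not remaining:
            return dict(assignment)      # fully assigned and not False
        feature, rest = remaining[0], remaining[1:]
        for choice in (True, False):
            assignment[feature] = choice
            found = search(assignment, rest)
            if found is not None:
                return found
            del assignment[feature]
        return None
    return search({}, list(features))

# Constructed feature model (assumed, for illustration only): Payment is
# optional, CreditCard and PayPal are alternatives under it, and card
# handling forces TLS (a cross-tree constraint).
FEATURES = ['Payment', 'CreditCard', 'PayPal', 'TLS', 'Logging']
FEATURE_MODEL = conj(
    implies(var('CreditCard'), var('Payment')),
    implies(var('PayPal'), var('Payment')),
    neg(conj(var('CreditCard'), var('PayPal'))),
    implies(var('Payment'), disj(var('CreditCard'), var('PayPal'))),
    implies(var('CreditCard'), var('TLS')),
)

# Links of the 150% deployment diagram: when the link exists, and when it
# carries <<encrypted>> (the stereotype itself may be variable).
LINKS = {
    'client-shop': {'present': conj(),         'encrypted': var('TLS')},
    'shop-bank':   {'present': var('CreditCard'), 'encrypted': conj()},  # always a VPN
    'shop-logsrv': {'present': var('Logging'),    'encrypted': disj()},  # never encrypted
}

# Messages tagged {secrecy}, the link they cross, and their presence condition.
SECRET_FLOWS = [
    {'name': 'card number',  'link': 'client-shop', 'present': var('CreditCard')},
    {'name': 'card number',  'link': 'shop-bank',   'present': var('CreditCard')},
    {'name': 'paypal token', 'link': 'client-shop', 'present': var('PayPal')},
    {'name': 'card number',  'link': 'shop-logsrv',
     'present': conj(var('CreditCard'), var('Logging'))},
]

def violation_condition(flow):
    """Presence condition under which this {secrecy} flow crosses an
    unencrypted link: the core of the family-based check."""
    link = LINKS[flow['link']]
    return conj(FEATURE_MODEL, flow['present'], link['present'], neg(link['encrypted']))

def family_based_check():
    """One solver call per potential violation, independent of the number
    of products. Returns {(message, link): witness product or None}."""
    return {(f['name'], f['link']): satisfiable(violation_condition(f), FEATURES)
            for f in SECRET_FLOWS}

def product_based_check():
    """Naive strategy: enumerate 2^|features| configurations, keep the
    valid products, and check each derived product separately."""
    violations, products = set(), 0
    for bits in product((True, False), repeat=len(FEATURES)):
        cfg = dict(zip(FEATURES, bits))
        if not evaluate(FEATURE_MODEL, cfg):
            continue
        products += 1
        for f in SECRET_FLOWS:
            link = LINKS[f['link']]
            if (evaluate(f['present'], cfg) and evaluate(link['present'], cfg)
                    and not evaluate(link['encrypted'], cfg)):
                violations.add((f['name'], f['link']))
    return violations, products

if __name__ == '__main__':
    fam = family_based_check()
    for key, witness in fam.items():
        chosen = sorted(k for k, v in (witness or {}).items() if v)
        print(key, 'VIOLATION, e.g. in product %s' % chosen if witness else 'safe in every product')
    naive, n = product_based_check()
    print('naive check derived %d products; agrees with family-based result: %s'
          % (n, naive == {k for k, w in fam.items() if w}))
```

Two things are worth noticing when running it. The card number over `client-shop` looks like a violation in the 150% model (the link is only encrypted when TLS is selected), but the feature model's constraint that CreditCard requires TLS makes the violation condition unsatisfiable, so the family-based check correctly reports no affected product; a check that ignores the feature model would raise a false alarm. And the family-based check issues four solver calls regardless of how many products the line has, whereas the naive strategy must derive and check every valid product, which is what makes the naive strategy blow up as the feature count grows.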
Funding Information
- Deutsche Forschungsgemeinschaft (221328183)