In our modern world, the ever-expanding exchange of data and the increasing complexity of interconnected software systems make software security challenging. Ideally, security concerns are addressed early, as advocated by security by design. Here, architecture-based modeling enables the analysis of security threats such as confidentiality violations or targeted attacks. Such analyses leverage the structural properties of the software architecture and information about the system context, such as deployment and usage. However, they require security-specific model annotations and adapted propagation rules. In this paper, we present two architectural propagation analyses that extend the concept of change impact analysis to security analysis. Both analyses build on the architecture modeling language PCM (Palladio Component Model). The first propagates uncertainty in software architectures and predicts its impact on the system's confidentiality. The second identifies attack paths by propagating an attacker through the architecture using vulnerability and access control annotations.
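To make the second analysis concrete, the following is an added illustration and not code from the paper or from the PCM tooling: a minimal attacker propagation over a constructed three-tier architecture. Elements (components or resource containers) carry two kinds of annotations, the credentials that grant legitimate access (access control) and vulnerabilities that can be exploited with the credentials the attacker currently holds and that grant further credentials. Propagation runs to a fixpoint along the model's connectors and deployment edges and reconstructs the attack path to a target element. All element, credential and vulnerability names are made up for this example; the propagation rules are a simplification chosen here, not the paper's rules.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    """Vulnerability annotation on an element (identifiers are constructed, not real CVEs)."""
    vid: str
    requires: FrozenSet[str]   # credentials the attacker must already hold to exploit it
    grants: FrozenSet[str]     # credentials the attacker obtains on successful exploitation


@dataclass(frozen=True)
class Element:
    """Component or resource container with access-control and vulnerability annotations."""
    name: str
    allows: FrozenSet[str]             # holding any one of these credentials grants access
    vulns: Tuple[Vulnerability, ...]
    links: Tuple[str, ...]             # assembly connectors / deployment edges to neighbours


Model = Dict[str, Element]
Step = Tuple[str, str]                 # (element name, how the attacker reached it)


def find_attack_path(model: Model, start: str, initial_creds: FrozenSet[str],
                     target: str) -> Optional[List[Step]]:
    """Propagate an attacker from `start` until no new element can be compromised.

    An element is compromised either because the attacker holds a credential that
    its access control accepts, or because one of its vulnerabilities is exploitable
    with the credentials held so far. Credentials gained from an exploit can unlock
    elements that were unreachable in an earlier pass, hence the fixpoint loop.
    """
    creds = set(initial_creds)
    compromised = {start}
    reached_by: Dict[str, str] = {start: "initial foothold"}
    pred: Dict[str, Optional[str]] = {start: None}
    changed = True
    while changed:
        changed = False
        for name in list(compromised):
            for nxt in model[name].links:
                if nxt in compromised:
                    continue
                el = model[nxt]
                reason = None
                held = el.allows & creds
                if held:
                    reason = f"access control: holds {sorted(held)}"
                else:
                    for v in el.vulns:
                        if v.requires <= creds:
                            reason = f"exploits {v.vid}"
                            creds |= v.grants
                            break
                if reason is not None:
                    compromised.add(nxt)
                    pred[nxt] = name
                    reached_by[nxt] = reason
                    changed = True
    if target not in compromised:
        return None
    path: List[Step] = []
    node: Optional[str] = target
    while node is not None:
        path.append((node, reached_by[node]))
        node = pred[node]
    return path[::-1]


def build_model(db_patched: bool = False) -> Model:
    """Constructed example architecture; names and vulnerabilities are hypothetical."""
    web_vuln = Vulnerability("VULN-WEB-1", frozenset(), frozenset({"app_user"}))
    db_vuln = Vulnerability("VULN-DB-1", frozenset({"app_user"}), frozenset({"db_admin"}))
    return {
        "Internet": Element("Internet", frozenset(), (), ("WebServer",)),
        "WebServer": Element("WebServer", frozenset({"web_admin"}), (web_vuln,), ("AppServer",)),
        "AppServer": Element("AppServer", frozenset({"app_user"}), (), ("Database",)),
        "Database": Element("Database", frozenset({"db_admin"}),
                            () if db_patched else (db_vuln,), ()),
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = find_attack_path(build_model(patched), "Internet", frozenset(), "Database")
        print("patched" if patched else "unpatched", "->", result)
```

In the unpatched model the attacker without any credentials exploits the web server, uses the gained `app_user` credential to pass the application server's access control, and then exploits the database; with the database vulnerability removed, no path to the database exists. Running the analysis before and after such a model change is exactly the change-impact style of question the abstract describes.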
To the publication