Department of Computer Science and Information Technology, BRAINS Institute, Peshawar, Pakistan.
Faculty of Computing, Riphah International University, Islamabad, Pakistan.
PLoS One. 2022 Jul 6;17(7):e0270702. doi: 10.1371/journal.pone.0270702. eCollection 2022.
The modeling of security threats is as important as the modeling of functional requirements at the design stage of software engineering. However, unlike functional requirements modeling, the modeling of security threats is neglected, which consequently introduces software defects during the early stages of software engineering. Hence, there is a need to mitigate these threats at the design stage. Security threats, specifically authentication threats, crosscut other functional and non-functional requirements when modeled using the object-oriented paradigm. This not only makes the design complex but also results in tangling and scattering problems. We therefore model authentication threats using the aspect-oriented modeling (AOM) technique, since it separates crosscutting concerns and localizes them as separate units called aspects. Our main research aim is to remove scattering and tangling in security threat modeling using all the core features of the aspect-oriented technique. In this paper, we propose a research approach to model security threats and their mitigation in a mal sequence diagram. Using this approach, our contribution makes a clear difference from previous work. Our first contribution is the modeling of authentication threats in the mal sequence diagram using the security profile and AOM profile. Our second contribution is the mathematical verification of the aspect-oriented mal sequence woven model in terms of correctness and completeness. Using the proposed approach, the scattering and tangling from the resultant woven model are successfully removed at the design stage. Thus, the complexity of models and the time and effort required for future modifications of design models are reduced.