Research on Threat Model Driven Software Security Evaluation and Testing Methods
Abstract
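Low-quality software riddled with vulnerabilities has become one of the main causes of the rapid growth in computer security problems. How to guarantee security during software development has therefore become a widely studied research question. To develop secure and trustworthy software more effectively, security should be considered as early as possible in the software development lifecycle. In particular, how to assure software security through evaluation and testing methods has become a key problem in urgent need of a solution.
     As part of the National Natural Science Foundation of China project “Attack Pattern Based Trustworthy Software Modeling, Evaluation, and Verification”, this thesis studies in depth the key techniques of threat model driven software security evaluation and testing, including threat representation and modeling, threat model driven software security evaluation and testing, and an attack pattern knowledge base that assists software security evaluation and testing. The main research results cover the following aspects:
     (1) Threat representation and modeling methods were studied, and a unified threat model was proposed. It uses AND/OR trees to formally represent threats against computer systems and models the potential attack methods by which an attacker can realize a threat, laying the foundation for threat model driven software security evaluation and testing. The unified threat model provides a general threat notation, narrows the gap between the functional model and mitigation measures, and builds a bridge between software functionality and security, which helps developers and security staff collaborate on developing secure software.
     (2) Software security evaluation techniques were studied, and a unified threat model driven software security evaluation method was proposed, which quantitatively evaluates software security from the threat perspective on the basis of attack paths. A prototype tool supporting the method was implemented. Case studies show that the method can discover and mitigate design-level vulnerabilities early, so that secure software capable of resisting threats can be designed. Compared with the traditional threat tree model, the unified threat model is better in the accuracy of evaluation conclusions, in determining the priority of mitigation measures, and in guiding security testing.
     (3) Software security testing techniques were studied, and an attack scenario model driven software security testing method was proposed. Functional testing ensures that the actual behavior of the software matches the design expectations, and threat-oriented security testing ensures that the software is robust enough to withstand potential attacks. Two prototype tools supporting the method were implemented, and experiments verified the feasibility and effectiveness of the proposed method.
     (4) Methods for improving the efficiency of software security evaluation and testing were studied, and an attack pattern description language and an attack pattern reuse technique were proposed. Known attack methods and their corresponding mitigation measures are abstracted into attack patterns that are independent of any specific system, an attack pattern knowledge base is built from them, and the attack patterns are reused when building threat models for different systems. A set of comparative experiments illustrates the concrete process of reusing attack patterns and verifies the feasibility and effectiveness of the proposed method.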
Poor-quality software has many vulnerabilities and has been recognized as the root cause of the exponentially increasing computer security problems. Researchers pay extra attention to methods and techniques for ensuring software security during the software development process. To improve the trustworthiness of software, developers should consider security problems as early as possible in the software development lifecycle. Specifically, how to ensure software security via evaluation and testing methods has become a critical issue for secure software development.
     With the support of the National Science Foundation of China project “Attack Pattern Based Trustworthy Software Modeling, Evaluation, and Verification”, we studied the key techniques of threat model driven software security evaluation and testing, including threat representation and modeling, threat model driven software security evaluation and testing, and an attack pattern repository for assisting software security evaluation and testing. The major contributions of this paper are as follows:
     (1) We studied threat representation and modeling methods. We proposed a unified threat model that formally represents the threats to software systems based on AND/OR trees, models the potential attack approaches that attackers adopt to realize the threats, and forms a basis for threat model driven software security evaluation and testing. The unified threat model provides a threat representation, narrows the gap between the software function model and mitigation measures, bridges software function models and threat models, and facilitates collaboration between developers and security experts in secure software development.
     (2) We studied software security evaluation techniques. We proposed a unified threat model driven software security evaluation method, which quantitatively evaluates software security based on attack paths from the threat perspective. We implemented a prototype tool to support the presented method. We performed a case study on online banking systems. The case study results indicate that the presented method can be used to design threat-resistant, high-quality software by detecting and mitigating design-level vulnerabilities in the early software design stage. The unified threat model is superior to the traditional threat tree model in the accuracy of evaluation results, in prioritizing mitigation measures, and in guiding security testing.
     (3) We studied software security testing techniques. We proposed an attack scenario model driven software security testing method. First, we performed functional testing to ensure that the software behaves as it is supposed to. Second, we performed threat-oriented security testing to ensure that the software is robust against potential attacks. We implemented two prototype tools to support the presented method. We conducted an experiment to validate the feasibility and effectiveness of the proposed method.
     (4) We studied methods for improving the efficiency of software security evaluation and testing. We proposed an attack pattern description language and an attack pattern reuse technique. This technique abstracts well-known attack approaches and their mitigation measures into a high-level representation. The high-level representation excludes the details that make an attack approach specific to a system. An attack pattern repository is constructed based on the presented technique, and attack patterns are then reused to model threats to diverse systems. We conducted a group of comparative experiments to demonstrate the process of attack pattern reuse and to validate the feasibility and effectiveness of the proposed method.
