Architecture Based Information Flow Analysis for Software Security
Kirti Garg,
David Garlan and
Bradley Schmerl.
2008.
Abstract
Using information flow modeling to perform security analysis is a common technique used during software design. While much theoretical work has been conducted in this area, there are few tools to assist with such analysis. In many instances the security analysis must be done by hand, requiring considerable expertise, time, and effort. Most available tools require custom code to be written for the analysis, and are consequently not well integrated with the software process, and not easily tailored to different security requirements. In this paper we describe the use of an Architecture Description Language (ADL) to (a) represent information flow in a software system, and (b) analyze the security-related properties of a system. We use a formal predicate-based description of the security properties and policies, which allows for automated analysis of the information flow to uncover common security vulnerabilities. A key advantage to using ADLs is that security properties become declarative and can be automatically checked by constraint-based tools without the need to write custom code.
Keywords: Architectural Analysis, Science of Security.