We present a semi-automated approach, SECORIA, for analyzing a security runtime architecture for security and for conformance to an object-oriented implementation. Type-checkable annotations describe architectural intent within the code, enabling a static analysis to extract a hierarchical object graph that soundly reflects all runtime objects and runtime relations between them. In addition, the annotations can describe modular, code-level policies. A separate analysis establishes traceability between the extracted object graph and a target architecture documented in an architecture description language. Finally, architectural types, properties, and logic predicates describe global constraints on the target architecture, which will also hold in the implementation. We validate the SECORIA approach by analyzing a 3,000-line pedagogical Java implementation and a runtime architecture designed by a security expert.
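The last step of the approach above, checking a global constraint over the extracted hierarchical object graph, is easiest to see on a small instance. The following is an added example written for this page; it is not SECORIA's code, annotation syntax or data model. It assumes a constructed graph in which each runtime object either carries its own domain label (here the hypothetical names UNTRUSTED, SANITIZING and TRUSTED) or inherits the label of its nearest annotated ancestor in the hierarchy, and it checks one hypothetical global predicate: every reference path from an UNTRUSTED object to a TRUSTED object must pass through a SANITIZING object.

```python
"""Added example (not SECORIA's own code): a global security predicate
checked over a constructed hierarchical object graph."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ObjectGraph:
    """Objects nest inside parent objects (the hierarchy); edges record
    which runtime object may hold a reference to which other object."""
    domain_of: Dict[str, Optional[str]] = field(default_factory=dict)
    parent_of: Dict[str, Optional[str]] = field(default_factory=dict)
    edges: Dict[str, Set[str]] = field(default_factory=dict)

    def add_object(self, name: str, domain: Optional[str] = None,
                   parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.domain_of:
            raise ValueError(f"unknown parent object {parent!r}")
        self.domain_of[name] = domain
        self.parent_of[name] = parent
        self.edges.setdefault(name, set())

    def add_edge(self, src: str, dst: str) -> None:
        for n in (src, dst):
            if n not in self.domain_of:
                raise ValueError(f"unknown object {n!r}")
        self.edges[src].add(dst)

    def effective_domain(self, name: str) -> str:
        # An unannotated object inherits the domain of the nearest
        # annotated ancestor, mirroring a hierarchical annotation scheme.
        cur: Optional[str] = name
        while cur is not None:
            if self.domain_of[cur] is not None:
                return self.domain_of[cur]
            cur = self.parent_of[cur]
        raise ValueError(f"{name!r} has no domain and no annotated ancestor")


def violations(graph: ObjectGraph, src_domain: str, dst_domain: str,
               via_domain: str) -> List[Tuple[str, str]]:
    """Every path from src_domain to dst_domain must cross via_domain.
    Returns the edges that deliver src-tainted data into dst_domain
    without having crossed via_domain."""
    starts = [o for o in graph.domain_of
              if graph.effective_domain(o) == src_domain]
    seen: Set[str] = set(starts)
    queue = deque(starts)
    bad: List[Tuple[str, str]] = []
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.edges[cur]):
            dom = graph.effective_domain(nxt)
            if dom == via_domain:
                continue            # sanitised here; stop following this path
            if dom == dst_domain:
                bad.append((cur, nxt))  # reached the protected domain unsanitised
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return bad


def build_sample() -> ObjectGraph:
    # Constructed sample graph; the object names are hypothetical.
    g = ObjectGraph()
    g.add_object("server", domain="TRUSTED")
    g.add_object("db", domain="TRUSTED", parent="server")
    g.add_object("listener", domain="UNTRUSTED", parent="server")
    g.add_object("request", parent="listener")        # inherits UNTRUSTED
    g.add_object("validator", domain="SANITIZING", parent="server")
    g.add_object("audit_log", domain="TRUSTED", parent="server")
    g.add_edge("listener", "request")
    g.add_edge("request", "validator")
    g.add_edge("validator", "db")                     # sanitised path: allowed
    g.add_edge("listener", "audit_log")               # bypasses validator
    return g


def check_sample() -> List[Tuple[str, str]]:
    return violations(build_sample(), "UNTRUSTED", "TRUSTED", "SANITIZING")


def check_sample_fixed() -> List[Tuple[str, str]]:
    # Routing the log write through the validator removes the violation.
    g = build_sample()
    g.edges["listener"].discard("audit_log")
    g.add_edge("validator", "audit_log")
    return violations(g, "UNTRUSTED", "TRUSTED", "SANITIZING")


if __name__ == "__main__":
    print("violations:", check_sample())
    print("after fix:", check_sample_fixed())
```

The predicate is deliberately phrased over the extracted graph rather than over classes: the `request` object carries no annotation of its own but is still treated as untrusted because it is nested inside `listener`, which is the kind of fact a flat class-level view would miss and a hierarchical object graph makes explicit.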