Model-based Security and Software Quality Analysisin Variability Aware Evolving Systems

Many software systems tend to be used on a long-term basis, are highly interconnected, share many common parts, and often process security-critical data. Due to these trends, it is vital to keep up with ever-changing security precautions, attacks, and mitigations for preserving a software system's security. Model-based system development enables us to address security issues in the early phases of the software design, e.g., using UMLsec in UML models or using SecDFDs. Unfortunately, such design-time models are often inconsistent with the implementation or even among themselves. This inconsistency might cause security violations. The main reason for this is continuous changes in the security assumptions and the design of software systems, for instance, due to structural decay. To prevent such inconsistencies, all changes have to be reflected in both the design-time models of the software system and the software system's implementation. The detection of where which changes have to be applied has currently to be performed manually by developers. As this task requires considering many and often indiscernible dependencies, manual changes often give rise to new inconsistencies that are likely to lead to security violations. An additional burden to detecting security violations and preserving a software system's maintainability is potential reuse among different variants of an individual software system. In this thesis, we present the GRaViTY approach for continuously supporting developers with an automated propagation of changes on a single representation of a software system to all other representations for avoiding inconsistencies. Our synchronization is based on Triple Graph Grammars as supported by the eMoflon transformation tool and currently supports bidirectional synchronization between Java source code and UML class diagrams. Based on this synchronization, security experts can specify security requirements on the most suitable software system representation using the UMLsec or SecDFD approach. For example, domain models can be suitable for the classification of sensitive information of the domain and implementation models for tailoring encryption according to the planned deployment. We reuse these security requirements for the verification and enforcement of them on all representations of the software system using automated security checks. This allows us to verify whether the implementation is compliant with the specified security requirements, as needed in certifications. To preserve this compliance when restructuring the software system, we provide support for semantics preserving refactorings that are enriched with security preserving constraints. Here, we leverage the formalism of algebraic graph transformation rules for the specification and implemented these using the transformation tool Henshin. For both security checks and refactorings, we show how these can be applied to variant-rich software systems, also known as software product lines. For this purpose, we leverage an interpretation of OCL constraints on product lines and extend the Henshin tool to support variability. To allow the application of the approach to legacy systems, we show how variability-aware UML models can be reverse-engineered from an existing software product line using Antenna preprocessor statements and how existing early SecDFD design models can be semi-automatically mapped to the implementation. In addition to an evaluation of the single parts of the approach, the overall approach is demonstrated in two real-world case studies, the iTrust electronics health records system and the Eclipse Secure Storage.