SECORIA: an approach for analyzing security architectures

Marwan Abi-Antoun and Jeffrey M. Barnes

SECORIA stands for Security Conformance of Object-oriented Runtime views of Architecture

 

For the best overview of the SECORIA approach, please refer to the following published research paper:

Case study: CryptoDB

Supplementary material

Remarks:

  1. We tested the constraints on a nightly AcmeStudio build which fixes some important bugs (use any version after 04/15/2009). Do not use an older stable build.

  2. SyncFamily currently extends from the built-in Acme style, TieredFam, which is overly restrictive. We use a modified version.

References/Technical reports

Abi-Antoun, M. and Barnes, J. M. Enforcing Conformance between Security Architecture and Implementation. Carnegie Mellon University Technical Report CMU-ISR-09-113, April 2009. [PDF]

Abi-Antoun, M. and Barnes, J. M.  STRIDE-based security model in Acme. Carnegie Mellon University Technical Report CMU-ISR-10-106, January 2010. [PDF]

Abi-Antoun, M., Wang, D. and Torr, P. Checking Threat Modeling Data Flow Diagrams for Implementation Conformance and Security (Short Paper/Presented only during poster session.). International Conference on Automated Software Engineering (ASE), pp. 393396, 2007. [DOI] An extended version appeared as Carnegie Mellon University Technical Report CMU-ISRI-06-124.

Tool walkthrough

 

For Further Information on SCHOLIA

Abi-Antoun, M. and Aldrich, J. Practical Static Extraction and Conformance Checking of the Runtime Architecture of Object-Oriented Systems. Half-day tutorial at the SEI Architecture Technology User Network (SATURN), May 5th 2009. [Presentation (PDF)] [Handout (PDF)]

Credits and Acknowledgements

The idea of re-implementing a STRIDE-based security model using types and predicates in the Acme ADL was inspired by ongoing discussions with David Garlan, Kirti Garg and Bradley Schmerl at Carnegie Mellon University. The authors thank Bradley Schmerl for his help with Acme and AcmeStudio. Raed Almomani also worked on re-implementing the security model in Acme.

Last Updated: 09/10/2010