SecLan Model

SecLan Elements
Name
Description
Security Objective
Security Objectives (called security properties in ISO 27001 and 27002) are high-level goals, such as confidentiality, integrity, and availability, that must be achieved to guarantee the security of a system with respect to its assets, such as its data, objects, and users.
Specification Element
The means to specify a Security Aspect are provided via Specification Elements. Each Specification Element provides additional security-related information by being applied to instances of the system element types. A security DSL for secure data flows, for instance, may provide specification elements to label Data or the location of Nodes.
System Model
The System Model is used to describe the types of system elements to which a security DSL or check of a security analyzer is applied.
Threat
A Threat threatens a Security Objective or enables attackers to do so. NIST defines a threat as a circumstance or event that could adversely affect assets or operations, such as unauthorized access, disclosure of information, or exploitation of a specific vulnerability in an information system. An example of a threat is Information Disclosure.
Security Check
A Static Analyzer implements one or more Security Checks. A Security Check inspects certain implementation elements, described by their Element Type, for errors related to predefined Weaknesses. The Security Check then reports detected instances of the Weakness.
Sec DSL Description
We have identified the common elements that make up a security DSL by analyzing 63 design-time security DSLs. Based on these elements, the Security Model, and the System Model, we can describe a Security DSL on a common conceptual basis.
Weakness
A Weakness in the system potentially enables a Threat. NIST defines a weakness as a flaw or characteristic that can lead to undesirable behavior. For example, a weakness can be the selection of a weak cryptographic algorithm that allows an adversary to read data without permission. In the system design, a weakness may manifest itself as errors in the assumed security properties; in the implementation, it may manifest itself as security-critical bugs.
Element Type
An element of a system. Concrete element types applicable to security DSLs and security analyzers are contained in our system model.
Security DSL
A Security DSL is used to design software systems to achieve one or more security objectives.
Sec Analyzer Description
As with the security DSLs, we extracted the common elements of the security checks offered by security analyzers and how these relate to the Security Model and the System Model.
Static Analyzer
A Static Analyzer is a tool to detect security flaws in a system.
Security Aspect
A set of Security Aspects is defined in a security DSL to counteract potential security Threats from the security model. A security aspect in a security DSL for secure data flows might be "secure data processing", which counteracts the threat of Information Disclosure.
Security Model
Both design-time security DSLs and the security checks provided by security analyzers address specific parts of software security. From all the security DSLs and security-analyzer checks we investigated, we extracted the common elements for denoting which aspects of security a DSL or check addresses. These elements are described in a Security Model that is part of our conceptual model.
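The relations stated in the glossary above (a Threat threatens a Security Objective, a Weakness enables a Threat, a Security Aspect counteracts a Threat, a Security Check detects Weaknesses on an Element Type, a Specification Element is applied to an Element Type) can be made executable so that a security DSL and a static analyzer can be traced back to the objectives they address and the security model can be checked for threats that nothing covers. The following is an added example written for this page; it is not code from the SecLan project. All instance names (the objectives, the "Denial of Service" threat, the "weak-crypto-check" check and the "example-analyzer" tool) are constructed for illustration, reusing the examples the glossary itself gives where it gives one.

```python
from dataclasses import dataclass

# Added example: a minimal executable rendering of the SecLan conceptual model.
# Element kinds and relations follow the glossary; instances are constructed.


@dataclass(frozen=True)
class SecurityObjective:
    name: str


@dataclass(frozen=True)
class Threat:
    name: str
    threatens: frozenset  # SecurityObjective instances this threat endangers


@dataclass(frozen=True)
class Weakness:
    name: str
    enables: frozenset  # Threat instances this weakness makes possible


@dataclass(frozen=True)
class ElementType:
    name: str  # a system element type from the System Model


@dataclass(frozen=True)
class SpecificationElement:
    name: str
    applies_to: ElementType  # the element type this specification labels


@dataclass(frozen=True)
class SecurityAspect:
    name: str
    counteracts: frozenset  # Threat instances this aspect counteracts
    specified_by: frozenset  # SpecificationElement instances used to express it


@dataclass(frozen=True)
class SecurityDSL:
    name: str
    aspects: frozenset  # SecurityAspect instances the DSL defines


@dataclass(frozen=True)
class SecurityCheck:
    name: str
    inspects: ElementType  # implementation element type the check inspects
    detects: frozenset  # Weakness instances the check reports


@dataclass(frozen=True)
class StaticAnalyzer:
    name: str
    checks: frozenset  # SecurityCheck instances the tool implements


# --- Constructed Security Model instances (objectives, threats, weaknesses) ---
CONFIDENTIALITY = SecurityObjective("Confidentiality")
AVAILABILITY = SecurityObjective("Availability")
INFORMATION_DISCLOSURE = Threat("Information Disclosure", frozenset({CONFIDENTIALITY}))
DENIAL_OF_SERVICE = Threat("Denial of Service", frozenset({AVAILABILITY}))  # constructed
WEAK_CRYPTO = Weakness("Weak cryptographic algorithm selected",
                       frozenset({INFORMATION_DISCLOSURE}))
SECURITY_MODEL_THREATS = frozenset({INFORMATION_DISCLOSURE, DENIAL_OF_SERVICE})

# --- Constructed System Model and a secure-data-flow DSL described on it ---
DATA = ElementType("Data")
NODE = ElementType("Node")
DATA_LABEL = SpecificationElement("Data label", DATA)
NODE_LOCATION = SpecificationElement("Node location", NODE)
SECURE_PROCESSING = SecurityAspect("secure data processing",
                                   frozenset({INFORMATION_DISCLOSURE}),
                                   frozenset({DATA_LABEL, NODE_LOCATION}))
SECURE_FLOW_DSL = SecurityDSL("secure data flow DSL", frozenset({SECURE_PROCESSING}))

# --- Constructed static analyzer with one check for the weak-crypto weakness ---
WEAK_CRYPTO_CHECK = SecurityCheck("weak-crypto-check", DATA, frozenset({WEAK_CRYPTO}))
EXAMPLE_ANALYZER = StaticAnalyzer("example-analyzer", frozenset({WEAK_CRYPTO_CHECK}))


def threats_counteracted(dsl):
    """Threats that at least one Security Aspect of the DSL counteracts."""
    return {t for aspect in dsl.aspects for t in aspect.counteracts}


def threats_targeted(analyzer):
    """Threats enabled by a Weakness that at least one check of the analyzer detects."""
    return {t for check in analyzer.checks for w in check.detects for t in w.enables}


def objectives_of(threats):
    """Security Objectives threatened by any of the given threats."""
    return {o for t in threats for o in t.threatens}


def objectives_addressed_by_dsl(dsl):
    """Trace a DSL to the objectives it protects: aspect -> threat -> objective."""
    return objectives_of(threats_counteracted(dsl))


def objectives_addressed_by_analyzer(analyzer):
    """Trace an analyzer to the objectives it protects: check -> weakness -> threat -> objective."""
    return objectives_of(threats_targeted(analyzer))


def uncovered_threats(model_threats, dsls, analyzers):
    """Threats in the security model that no DSL aspect counteracts and no check targets."""
    covered = set()
    for dsl in dsls:
        covered |= threats_counteracted(dsl)
    for analyzer in analyzers:
        covered |= threats_targeted(analyzer)
    return set(model_threats) - covered


if __name__ == "__main__":
    print("DSL addresses:", {o.name for o in objectives_addressed_by_dsl(SECURE_FLOW_DSL)})
    print("Analyzer addresses:", {o.name for o in objectives_addressed_by_analyzer(EXAMPLE_ANALYZER)})
    gaps = uncovered_threats(SECURITY_MODEL_THREATS, [SECURE_FLOW_DSL], [EXAMPLE_ANALYZER])
    print("Uncovered threats:", {t.name for t in gaps})
```

Running the module shows the traceability both the DSL description and the analyzer description are meant to give: the secure-data-flow DSL and the weak-crypto check both resolve to Confidentiality, while the constructed Denial of Service threat is reported as uncovered because neither an aspect nor a check relates to it. Keeping each relation as an explicit field is what makes this gap query possible; a model that only lists elements without the "counteracts", "enables" and "detects" edges cannot answer it.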