Model-based security analysis of feature-oriented software product lines

Peldszus, S.; Strüber, D.; Jürjens, J.


Wyk, E. van; Association for Computing Machinery (ACM); ACM Special Interest Group on Programming Languages (SIGPLAN):
17th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences, GPCE 2018. Proceedings : November 5-6, 2018, Boston, MA, USA
New York: ACM, 2018 (ACM SIGPLAN notices 53.2019, Nr.9)
ISBN: 978-1-4503-6045-6
International Conference on Generative Programming - Concepts & Experiences (GPCE) <17, 2018, Boston/Mass.>
Conference Paper
Fraunhofer ISST

Today's software systems are too complex to ensure security after the fact – security has to be built into systems by design. To this end, model-based techniques such as UMLsec support the design-time specification and analysis of security requirements by providing custom model annotations and checks. Yet, a particularly challenging type of complexity arises from the variability of software product lines. Analyzing the security of all products separately is generally infeasible. In this work, we propose SecPL, a methodology for ensuring security in a software product line. SecPL allows developers to annotate the system design model with product-line variability and security requirements. To keep the exponentially large configuration space tractable during security checks, SecPL provides a family-based security analysis. In our experiments, this analysis outperforms the naive strategy of checking all products individually. Finally, we present the results of a user study that indicates the usability of our overall methodology.
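The contrast the abstract draws, product-by-product checking versus a single family-based pass, is easiest to see on a tiny annotated model. The following is an added illustration written for this entry; it is not SecPL's implementation and not code from the paper. The feature model (four features: Login, Cloud, LocalStore, Encrypt), the classes and dependencies, and the rule being checked are all constructed here, and the rule is a deliberately simplified stand-in for UMLsec's secure-dependency check: if the supplier of a dependency carries a {secrecy} annotation, the client must carry one too. Every model element and every security annotation has its own presence condition, so a security requirement can itself be variable. The product-based strategy derives each valid product and re-runs the rule on it; the family-based strategy builds, for each dependency, the presence condition under which it violates the rule and asks a solver once whether that condition is consistent with the feature model, returning the condition and a witness configuration. The SAT oracle is an exhaustive search only so the example runs offline; a real tool would hand the formula to a SAT or SMT solver.

```python
"""Family-based vs. product-based security checking of a variable design model.

Added illustration, not the paper's SecPL implementation. The feature model,
the annotated design model and the simplified secure-dependency rule are all
constructed for this example.
"""
from itertools import product

# Presence conditions are propositional formulas: True/False, ("feat", name),
# ("not", f), ("and", f, g), ("or", f, g).
def F(name): return ("feat", name)
def NOT(f): return ("not", f)
def OR(f, g): return ("or", f, g)

def AND(*fs):
    """Left-fold a conjunction; AND() is True, AND(x) is x."""
    out = True
    for f in fs:
        out = f if out is True else ("and", out, f)
    return out

def holds(f, cfg):
    """Evaluate presence condition f under configuration cfg (set of selected features)."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == "feat": return f[1] in cfg
    if op == "not":  return not holds(f[1], cfg)
    if op == "and":  return holds(f[1], cfg) and holds(f[2], cfg)
    if op == "or":   return holds(f[1], cfg) or holds(f[2], cfg)
    raise ValueError(f"unknown operator {op!r}")

# Constructed feature model: Login mandatory, Cloud xor LocalStore, Encrypt requires Cloud.
FEATURES = ["Login", "Cloud", "LocalStore", "Encrypt"]
FM = AND(F("Login"),
         OR(F("Cloud"), F("LocalStore")),
         NOT(AND(F("Cloud"), F("LocalStore"))),
         OR(NOT(F("Encrypt")), F("Cloud")))

# Constructed design model. Class -> (presence condition of the class, presence
# condition of its {secrecy} annotation, or None if the class is never annotated).
CLASSES = {
    "SecretStore": (True, True),
    "SyncAgent":   (F("Cloud"), AND(F("Cloud"), F("Encrypt"))),   # trusted only with encryption
    "LocalBackup": (F("LocalStore"), F("LocalStore")),
    "LoginUI":     (F("Login"), None),
    "AuthService": (F("Login"), None),
}
# Dependencies: (client, supplier, presence condition). In this model a
# dependency's condition implies the conditions of both endpoints.
DEPENDENCIES = [
    ("SyncAgent",   "SecretStore", F("Cloud")),
    ("LocalBackup", "SecretStore", F("LocalStore")),
    ("LoginUI",     "AuthService", F("Login")),
]
# Simplified rule (made up for this example): if the supplier is annotated
# {secrecy}, the client must be annotated {secrecy} as well.

def configurations():
    """All assignments over FEATURES as frozensets of selected features."""
    for bits in product((False, True), repeat=len(FEATURES)):
        yield frozenset(f for f, b in zip(FEATURES, bits) if b)

def all_products():
    """Every valid configuration of the feature model (exponential in general)."""
    return [cfg for cfg in configurations() if holds(FM, cfg)]

def derive_product(cfg):
    """Project the annotated model onto one product: keep only present elements."""
    secrecy = {name: ann is not None and holds(ann, cfg)
               for name, (pc, ann) in CLASSES.items() if holds(pc, cfg)}
    deps = [(c, s) for c, s, pc in DEPENDENCIES if holds(pc, cfg)]
    return secrecy, deps

def product_based():
    """Naive strategy: derive and check each product separately.
    Returns ({config: violating dependencies}, number of rule applications)."""
    violations, applications = {}, 0
    for cfg in all_products():
        secrecy, deps = derive_product(cfg)
        applications += len(deps)
        bad = [(c, s) for c, s in deps if secrecy[s] and not secrecy[c]]
        if bad:
            violations[cfg] = bad
    return violations, applications

def violation_condition(client, supplier, dep_pc):
    """Presence condition under which the dependency violates the rule:
    dependency present, supplier annotated, client not annotated."""
    s_ann, c_ann = CLASSES[supplier][1], CLASSES[client][1]
    if s_ann is None:
        return False                      # the rule can never fire here
    cond = AND(dep_pc, s_ann)
    return AND(cond, NOT(c_ann)) if c_ann is not None else cond

def find_model(formula):
    """Exhaustive SAT oracle over FEATURES: a satisfying configuration or None.
    Naive on purpose so the example runs offline; use a SAT/SMT solver in practice."""
    return next((cfg for cfg in configurations() if holds(formula, cfg)), None)

def family_based():
    """Family-based strategy: one rule application (one solver query) per
    dependency over the whole configuration space. Returns
    [(client, supplier, violation condition, witness configuration)]."""
    findings = []
    for client, supplier, dep_pc in DEPENDENCIES:
        cond = violation_condition(client, supplier, dep_pc)
        if cond is False:
            continue
        witness = find_model(AND(FM, cond))
        if witness is not None:
            findings.append((client, supplier, cond, witness))
    return findings

if __name__ == "__main__":
    print("valid products:", [sorted(c) for c in all_products()])
    print("product-based :", product_based())
    print("family-based  :", family_based())
```

With this model the naive pass derives three products and applies the rule six times, while the family-based pass applies it three times and reports the single violation symbolically, as the condition Cloud ∧ ¬Encrypt together with the witness product {Login, Cloud}. On four features the difference is small; the point is that the family-based count grows with the size of the model, whereas the product-based count additionally grows with the number of valid products, which is what makes checking all products separately infeasible for real product lines.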