Restoring security of evolving software models using graph transformation

Security certification of complex systems requires a high amount of effort. As a particular challenge, today's systems are increasingly long-living and subject to continuous change. After each change of some part of the system, the whole system needs to be re-certified from scratch (since security properties are not in general modular), which is usually far too much effort. When models for software get changed, this can lead to security weaknesses that are also part of the software system that is derived from those models. Hence, it is important to check the models with respect to security properties and correct them respectively. To address this challenge, we present an approach which not only finds security weaknesses but can also correct them in a tool-supported way. As time goes by, a diverse number of changing requirements that may be security-related and non-security-related lead to an evolving system that met its security requirements at design time but can contain vulnerabilities with respect to meanwhile updated security knowledge. Supported by patterns we can describe and detect potential flaws that may arise in models, such as inconsistencies in security requirements. Potential violations can be formalized in the patterns as well as the correction alternatives to fix these. It is based on graph transformation and can be applied to different types of models and violations. For flaw detection, these patterns are used as the left-hand sides of graph transformation rules. Using graph transformation, we can further correct the models and establish that they no longer violate the security requirements under investigation. The approach is supported by a tool which can check whether these patterns arise in models and assist the user in correcting the security vulnerabilities.