A model-driven formal methods approach to software architectural security vulnerabilities specification and verification

Detecting and addressing security vulnerabilities in software designs is crucial for ensuring the reliable and safe operation of systems. Existing approaches for vulnerability specification lack the necessary flexibility for practical use. To tackle this issue, we propose an integrated model-driven approach for vulnerability detection and treatment during software architecture design. The approach involves specifying vulnerabilities as properties of a modeled system in a technology-independent language, expressing conditions for vulnerability detection using a language supported by automated tools, and recommending security requirements to mitigate detected vulnerabilities. Formalized vulnerabilities and security requirements are presented as model libraries to facilitate reuse. Our methodology employs first-order and modal logic as a technology-independent formalism, with Alloy as the tool-supported language for modeling and software development. We have developed a Model-Driven Engineering (MDE) tool to implement this approach. To validate our work, we apply it to representative vulnerabilities based on the Common Weakness Enumeration (CWE) classifications within the context of secure component-based software architecture development.