Nowadays, almost all electronic devices include a communication interface that allows users to interact with them, exchange data, or operate their services remotely. The trend toward increased interconnectivity simultaneously increases the vulnerability of these systems. Due to the high costs associated with comprehensive security analysis, many manufacturers neglect the safety aspect of a product in order to avoid costs. However, the importance of secure IT systems is growing, as the security of a system can also influence safety-critical aspects. Standard security analysis approaches are nowadays still mainly based on time-intensive and error-prone manual activities. In this paper, we present the formal concepts of the automatic threat and vulnerability analysis tool ThreatGet. To this end, we introduce the concept of the Extended Data-Flow Diagram, which is used to represent the system under investigation in an abstracted form, and we highlight the formal analysis language of the tool. This domain-specific language is used to formulate so-called anti-patterns, which the tool interprets to perform an automatic security analysis of the system. Besides the language declaration, we present the entire semantic evaluation of the language during the analysis. Parts of the definitions and elaborations of the diagram model and the analysis language were developed in the context of the master thesis of Korbinian Christl, in cooperation with the University of Vienna.
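To make the abstract's idea concrete, the following added example (not ThreatGet's code and not its actual DSL) sketches how an anti-pattern can be evaluated automatically over a simplified, constructed stand-in for an Extended Data-Flow Diagram: elements carry a type and a trust boundary, connectors carry data assets and security properties, and each anti-pattern is a predicate whose matches become findings. Element names, boundaries, asset names and the two anti-patterns are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Constructed, simplified stand-in for an Extended Data-Flow Diagram (EDFD).
@dataclass
class Element:
    name: str
    kind: str                        # "Process", "DataStore" or "ExternalEntity"
    boundary: str                    # trust boundary the element belongs to

@dataclass
class Connector:
    source: str
    target: str
    assets: frozenset                # data assets transported over this flow
    props: dict = field(default_factory=dict)   # e.g. encrypted, authenticated

@dataclass
class Diagram:
    elements: dict[str, Element]
    connectors: list[Connector]

# An anti-pattern is a named predicate over (diagram, connector);
# every connector that satisfies it is reported as a finding.
@dataclass
class AntiPattern:
    name: str
    matches: Callable[[Diagram, Connector], bool]

SENSITIVE = frozenset({"credentials", "firmware"})   # assumed asset names

def crosses_boundary(d: Diagram, c: Connector) -> bool:
    return d.elements[c.source].boundary != d.elements[c.target].boundary

ANTI_PATTERNS = [
    AntiPattern("sensitive asset crosses trust boundary unencrypted",
                lambda d, c: crosses_boundary(d, c) and bool(c.assets & SENSITIVE)
                and not c.props.get("encrypted", False)),
    AntiPattern("flow from external entity into process without authentication",
                lambda d, c: d.elements[c.source].kind == "ExternalEntity"
                and d.elements[c.target].kind == "Process"
                and not c.props.get("authenticated", False)),
]

def analyse(d: Diagram, patterns=ANTI_PATTERNS) -> list[tuple[str, str, str]]:
    """Evaluate every anti-pattern on every connector; return (pattern, source, target)."""
    return [(p.name, c.source, c.target)
            for p in patterns for c in d.connectors if p.matches(d, c)]

def example_diagram() -> Diagram:
    """Constructed vehicle-style model with two deliberate weaknesses."""
    els = [Element("Backend", "ExternalEntity", "Internet"), Element("Telematics", "Process", "Vehicle"),
           Element("Gateway", "Process", "Vehicle"), Element("KeyStore", "DataStore", "HSM")]
    cons = [Connector("Backend", "Telematics", frozenset({"firmware"}), {"encrypted": True}),
            Connector("Telematics", "Gateway", frozenset({"firmware"}), {"encrypted": False}),
            Connector("Gateway", "KeyStore", frozenset({"credentials"}), {"encrypted": False})]
    return Diagram({e.name: e for e in els}, cons)
```

Running `analyse(example_diagram())` reports the unauthenticated Backend-to-Telematics flow and the unencrypted credentials flow into the HSM boundary, while the Telematics-to-Gateway flow inside one boundary is not flagged.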