Security Models (Main Models for Java programs)
In the associated paper we proposed a Security Assessment Model (SAM) that systematically aggregates low-level security indicators (i.e., static analysis alerts and software metrics) in order to produce a security score that reflects the security level of the analyzed software. To evaluate the proposed model, an alternative model that omits software metrics was also produced. These models can be found in the links below:
1. The Complete Security Assessment Model (SAM):
2. The Security Assessment Model that omits Software Metrics
Binaries (Main Models for Java programs)
In order to evaluate the security level of Java applications using the proposed Security Assessment Model (SAM), a set of standalone offline tools was implemented and is available for download. Below you may find a rar file containing these tools, along with a README file with relevant instructions. Please read the README file in order to understand how to install and use the assessment tools.
1. The binaries of the Security Assessment Model
Security Assessment Toolbox.rar
2. Installation and Usage Instructions
Security Assessment Model for C/C++
Apart from the main model that is described in the paper, a similar model for analyzing software products written in the C/C++ programming languages was also built, within the context of the SDK4ED Project.
- The Security Model for C/C++
A standalone command-line tool has been implemented so that the proposed model can be used in practice. The files that are required for the standalone tool to run, along with instructions on how the proposed model can be installed and used, are provided below:
- The binaries of the Security Assessment Model for C/C++
SecurityAssessmentToolboxCPP.zip
- Installation and Usage Instructions
- List of CppCheck Rules
As described above, the two models are available in the form of offline standalone tools that can be downloaded and used locally. However, the easiest (and probably the most convenient) way of using these models is through the Web Services that are provided by the SDK4ED Platform. In particular, the Security Assessment Models for Java and C/C++ that are described in the paper have been implemented as part of the Quantitative Security Assessment (QSA) web service of the Dependability Toolbox of the SDK4ED Platform. Instructions on how the QSA web service (and the broader Dependability Toolbox) can be installed (using Docker) and used for analyzing the security level of software products written in Java and C/C++ with our models are provided in the links below:
- Wiki Page - Dependability Toolbox: link
- Dependability Toolbox - Installation: link
- QSA Web Service - Usage: link
The Security Models can also be used through the SDK4ED Dashboard, which provides an intuitive and easy-to-use GUI for the services of the SDK4ED Platform. In fact, the SDK4ED Dashboard invokes the Quantitative Security Assessment (QSA) web service in order to analyze a given software project with the security models for Java and C/C++ that are described in the paper. Information on how the SDK4ED Dashboard can be used for analyzing a software product is provided in the links below:
- Front-end Walkthrough: link
- Tutorial: link
Attention: For analyzing a software project written in the Java programming language, the binary files (i.e., .class files) must also be provided. Hence, the .class files of the software project under analysis should also be uploaded to its Git repository (e.g., GitHub, Bitbucket, GitLab, etc.).
Tutorials
Please watch the short tutorial below to understand how to use the proposed Security Assessment Model (SAM) to evaluate the security level of Java applications.
The Security Assessment Model is part of the SDK4ED project, which is partially funded by the Horizon2020 research and innovation program under the grant agreement No 780572.