Policy and implementation assurance for software security

This is a thesis from Linköping: Linköpings universitet

Abstract: To build more secure software, accurate and consistent security requirements must be specified. We have investigated current practice by doing a field study of eleven requirement specifications on IT systems. The overall conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions.

To build more secure software we specifically need assurance requirements on code. A way to achieve implementation assurance is to use effective methods and tools that solve or warn for known vulnerability types in code. We have investigated the effectiveness of four publicly available tools for run-time prevention of buffer overflow attacks. Our comparison shows that the best tool is effective against only 50 % of the attacks and there are six attack forms which none of the tools can handle. We have also investigated the effectiveness of five publicly available compile-time intrusion prevention tools. The test results show high rates of false positives for the tools building on lexical analysis and low rates of true positives for the tools building on syntactical and semantical analysis.

As a first step toward a more effective and generic solution we propose dependence graphs decorated with type and range information as a way of modeling and pattern matching security properties of code. These models can be used to characterize both good and bad programming practice. They can also be used to visually explain code properties to the programmer.
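The following is an added illustration, not the thesis's own models or tools, of what a dependence graph decorated with type and range information can express. It models a small constructed C fragment as graph nodes carrying a C type and an optional inclusive value range, and pattern-matches the "array write whose index range is not contained in the buffer's valid index range" property. Node kinds, the array-capacity parsing and the conservative rule that an index without an explicit range is reported as unknown are assumptions of this toy, not of the thesis.

```python
"""Toy dependence graph with type and range decorations, used to pattern-match
unchecked array writes. Added example; the C fragment it models is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """A vertex of the dependence graph, decorated with C type and value range."""
    name: str
    kind: str                                  # 'input' | 'buffer' | 'index' | 'write'
    ctype: str                                 # e.g. 'char[16]', 'int'
    lo: Optional[int] = None                   # inclusive value range, if known
    hi: Optional[int] = None
    deps: List["Node"] = field(default_factory=list)   # data-dependence predecessors


def buffer_capacity(ctype: str) -> Optional[int]:
    """Number of elements in an array type such as 'char[16]'; None for scalars."""
    m = re.search(r"\[(\d+)\]$", ctype)
    return int(m.group(1)) if m else None


def value_range(node: Node) -> Optional[Tuple[int, int]]:
    """Range recorded on the node. Without an operator model we do not propagate
    ranges through dependences, so an undecorated node is treated as unknown."""
    if node.lo is not None and node.hi is not None:
        return node.lo, node.hi
    return None


def check_writes(writes: List[Node]) -> List[Tuple[str, str]]:
    """Pattern: a write node depends on one buffer node and one index node.
    Report the write unless the index range lies inside [0, capacity - 1]."""
    findings = []
    for w in writes:
        buf = next(d for d in w.deps if d.kind == "buffer")
        idx = next(d for d in w.deps if d.kind != "buffer")
        cap = buffer_capacity(buf.ctype)
        if cap is None:
            continue                           # not an array write; nothing to check
        rng = value_range(idx)
        if rng is None:
            findings.append((w.name, "index range unknown, write may overflow"))
        elif rng[0] < 0 or rng[1] >= cap:
            findings.append((w.name, f"index range {rng} not within [0, {cap - 1}]"))
    return findings


def sample_graph() -> List[Node]:
    """Constructed fragment modelled as a graph:
         char buf[16];
         int n = read_int();      /* untrusted, assumed 0 .. INT_MAX */
         buf[n] = 'x';            /* bad practice: no bounds check */
         int m = n % 16;          /* good practice: guard narrows range to 0..15 */
         buf[m] = 'y';
         int k = transform(n);    /* no range recorded: reported as unknown */
         buf[k] = 'z';
    """
    n = Node("n", "input", "int", 0, 2**31 - 1)
    buf = Node("buf", "buffer", "char[16]")
    m = Node("m", "index", "int", 0, 15, deps=[n])
    k = Node("k", "index", "int", deps=[n])
    bad = Node("buf[n] = 'x'", "write", "char", deps=[buf, n])
    good = Node("buf[m] = 'y'", "write", "char", deps=[buf, m])
    unknown = Node("buf[k] = 'z'", "write", "char", deps=[buf, k])
    return [bad, good, unknown]


if __name__ == "__main__":
    for name, reason in check_writes(sample_graph()):
        print(f"{name}: {reason}")
```

The same graph can describe good practice as well as bad: the guarded write `buf[m] = 'y'` is silent because the range decoration on `m` proves the index fits, while `buf[n] = 'x'` and `buf[k] = 'z'` are reported, one for a provably too-wide range and one for a range the model cannot establish.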
