Software Engineering Institute | Carnegie Mellon University


Security analysis

A system designer faces several challenges when specifying security for distributed computing environments or migrating systems to a new execution platform. Business stakeholders impose constraints due to cost, time-to-market requirements, productivity impact, customer satisfaction concerns, and the like. And users exercise power at the desktop over computing resources and data availability.

So, a system designer needs to understand requirements regarding protected resources (e.g., data), confidentiality, and integrity. And, a designer needs to predict the effect that security measures will have on other runtime quality attributes such as resource consumption, availability, and real-time performance.

Security is nonetheless often studied in isolation and late in the process. The SEI has developed model-based engineering tools, methods, and analytical techniques that validate security using flow-based approaches and standard security models such as Bell-LaPadula, Chinese Wall, and role-based access control.

The SEI approach also allows a designer to identify how security choices affect other quality attributes. For example, for battery-powered devices in embedded systems, a designer can visualize and analyze the tradeoff between the required security levels and the increased execution time and latency they impose, for instance when adopting the multiple independent levels of security (MILS) paradigm.

Security Analysis Concern | SEI Approach | Answer
Sanitization (i.e., controlled lowering of security levels) | YES | Provides metrics on the number of sanitized flows in a system
Security effectiveness applied using minimum security clearances | YES | Derives the minimum security clearance on components in the model. By pointing out differences between actual security clearances and the minimum security clearance required, a system designer can evaluate security effectiveness.
Integration of security at multiple system levels | YES | Provides a system-level solution by checking that secure information is associated with components that have appropriate security clearance and is communicated over secure connections
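The three checks in the table, as an added example in Python that is not SEI or OSATE code: a toy flow-based analysis over a constructed component model with an assumed linear lattice of levels, which flags read-up and unsanitized write-down flows, counts sanitized flows, and derives each component's minimum clearance for comparison with its actual one (component names, levels and connections are all constructed).

```python
from dataclasses import dataclass

# Assumed linear lattice of security levels (constructed for this example).
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Connection:
    src: str                 # source component
    dst: str                 # destination component
    data_level: str          # classification of the data carried on this connection
    sanitized: bool = False  # True when a declared sanitizer lowers the level on purpose

def analyze(clearance: dict, connections: list) -> dict:
    """Return Bell-LaPadula-style violations, sanitized flows, the derived minimum
    clearance per component, and components cleared higher than their flows require."""
    violations, sanitized = [], []
    min_clear = {c: LEVELS[0] for c in clearance}
    for conn in connections:
        lvl, src_cl, dst_cl = conn.data_level, clearance[conn.src], clearance[conn.dst]
        # No read-up: the receiver must be cleared at or above the data level.
        if RANK[dst_cl] < RANK[lvl]:
            violations.append(f"{conn.src}->{conn.dst}: {lvl} data into {dst_cl} component")
        # No write-down: a source emitting data below its own clearance lowers the level;
        # that is legal only through a declared sanitizer, otherwise it is a leak.
        if RANK[lvl] < RANK[src_cl]:
            note = f"{conn.src}->{conn.dst}: {src_cl} source emits {lvl} data"
            (sanitized if conn.sanitized else violations).append(note)
        # Minimum clearance = highest level of data a component touches on any port.
        for comp in (conn.src, conn.dst):
            if RANK[lvl] > RANK[min_clear[comp]]:
                min_clear[comp] = lvl
    over = {c: (clearance[c], min_clear[c]) for c in clearance
            if RANK[clearance[c]] > RANK[min_clear[c]]}
    return {"violations": violations, "sanitized_flows": sanitized,
            "min_clearance": min_clear, "overprovisioned": over}

# Constructed sample model: a sensor feeds a secret fusion component, a declared
# sanitizer lowers the fused result for a public display, and a logger is over-cleared.
CLEARANCE = {"sensor": "secret", "fusion": "secret", "declassifier": "secret",
             "display": "unclassified", "logger": "top_secret"}
CONNECTIONS = [
    Connection("sensor", "fusion", "secret"),
    Connection("fusion", "declassifier", "secret"),
    Connection("declassifier", "display", "unclassified", sanitized=True),
    Connection("fusion", "display", "secret"),       # read-up: display is not cleared
    Connection("fusion", "logger", "confidential"),  # write-down with no sanitizer
]
```

Calling analyze(CLEARANCE, CONNECTIONS) reports two violations, one sanitized flow, and the logger as over-cleared (top_secret where confidential suffices), which is the gap the second table row asks a designer to look at.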

The SEI Toolkit for Security Analysis

The SEI uses the Architecture Analysis and Design Language (AADL) to document a system architecture and provide a platform for multiple analyses. AADL, an international industry standard, supports multiple analyses from a single architectural model, enables modeling and analysis throughout the life cycle, and provides analysis of runtime behavior such as availability, performance, and security.

The SEI offers the Open Source AADL Tool Environment (OSATE) set of analysis plug-ins. The OSATE security analysis plug-in checks the security levels and flow completeness of components. It includes

  • a syntax-sensitive text editor, with integrated error reporting
  • a parser and semantic checker for textual AADL with conversion into AADL XML
  • an unparser for AADL XML to textual AADL conversion
  • support for multi-enterprise development through a version control system interface

AADL also can be used with

Read our white paper that contains an example from industry of this analysis in use and our information sheet on this analysis.