The project ASKS aims to analyze business-critical software (e.g., JEE and .NET applications) with respect to security. The software is analyzed based upon the software architecture which allows one to focus the analyses to the security-critical data and modules. Typical security problems which shall be identified with this architecture-centric approach are 1. Erroneous role-models of JEE applications, 2. Missing enforcement of access control restrictions and circumvention of security-protected APIs, 3. Security holes induced by erroneous trust relationships between software components, 4. Missing cryptographic protection of data and communications channels within applications, 5. Violations of compartment boundaries. The security analyses are implemented with the help of the Bauhaus tool, a reverse engineering tool-suite. Specifically, we envision to employ the reflexion analysis to detect security violations such as the circumvention of APIs in the source code.
Funding Body: BMBF