Using Malware Analysis to Identify Overlooked Security Requirements

Author: Nancy R. Mead
Date: 01 July 2017
File size: 648.56 kB

Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities such as security requirements engineering. In our CERT research, it was thought that malware analysis reports (found in databases such as Rapid 7) could be used to identify misuse cases that point towards overlooked security requirements. If such requirements could be identified, they could be incorporated into future systems similar to those that were successfully attacked. A process was defined, and then a CMU Master of Software Engineering project was sponsored to develop a tool. The hope was that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases. It turned out not to be so simple. This talk will describe our initial research results and the research remaining to be done. A second team of CMU graduate students is continuing to assist in the research and tool development. Their progress as of the time of the conference will also be discussed.
