Can I Check What I Designed? Mapping Security Design DSLs to Code Analyzers
This work provides an empirical basis for understanding the abstraction gap between security design DSLs and code analyzers, benefiting practitioners and researchers aiming to bridge this gap.
The authors studied 66 design-level security DSLs and 559 security checks from 36 code-level analyzers, finding few commonalities between design-level and implementation-level security, with security experts overwhelmed by the complexity. They propose the SecLan model to capture common concepts, validated by 22 experts.
When assessing the potential impact of code-level vulnerabilities, e.g., discovered by automated analyzers, it is essential to consider them in the context of the system's security design. However, this is a challenging task due to the abstraction gap between security design, often specified using security DSLs, and implementation. As we will show, even security experts lack a complete understanding of this relationship. Intrigued by this gap (and the general disconnect between secure design and secure implementation) we present a study of 66 design-level security DSLs and 559 security checks from 36 code-level analyzers. We identify what concepts are common to both and capture them in the SecLan model, which has been validated by 22 security experts. Based on this, we investigate the relationship between DSLs and analyzers quantitatively and explore it qualitatively together with 9 security experts. We learn that there are few commonalities between design-level and implementation-level security; security checks are often described by overly general weaknesses, resulting in many non-obvious potential relationships between security DSLs and analyzers; and even security experts are overwhelmed by this complexity. We provide an empirical basis that helps practitioners and researchers better understand the gap and serves as a first step toward bridging it.