Skip to main content
Springer Nature Link
Log in

A Classification of Software-Architectural Uncertainty Regarding Confidentiality

  • Conference paper
  • First Online:
E-Business and Telecommunications (ICETE 2021)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1795))

Included in the following conference series:

Abstract

In our connected world, ensuring and demonstrating the confidentiality of exchanged data becomes increasingly critical for software systems. However, especially in early system design, uncertainty exists about the software architecture itself and the software’s execution environment. This does not only impede early confidentiality analysis but can also cause data breaches due to the lack of awareness of the impact of uncertainty. Classifying uncertainty helps in understanding its impact and in choosing proper analysis and mitigation strategies. There already exist multiple taxonomies, e.g., from the domain of self-adaptive systems. However, they do not fit the abstraction of software architecture and do not focus on security-related quality properties like confidentiality.

To address this, we present a classification of architectural uncertainty regarding confidentiality. It enables precise statements about uncertain influences and their impact on confidentiality. It raises awareness of uncertainty properties, enables knowledge transfer to non-experts, and serves as a baseline for discussion. Also, it can be directly integrated into existing notions of data flow diagrams for uncertainty-aware confidentiality analysis. We evaluate the structural suitability, applicability, and purpose of the classification based on a real-world case study and a user study. The results show increased significance compared to existing taxonomies and raised awareness of the impact of uncertainty on confidentiality.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
eBook
USD 69.99
Price excludes VAT (USA)
Softcover Book
USD 89.99
Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://github.com/corona-warn-app/.

References

  1. Armour, P.G.: The five orders of ignorance. Commun. ACM 43(10) (2000)

    Google Scholar 

  2. Basili, V.R., Weiss, D.M.: A Methodology for Collecting Valid Software Engineering Data. TSE, pp. 728–738 (1984). https://doi.org/10.1109/TSE.1984.5010301

  3. Benkler, N.: Architecture-based Uncertainty Impact Analysis for Confidentiality. Master’s thesis, Karlsruhe Institute of Technology (KIT) (2022)

    Google Scholar 

  4. Boehm, B., Basili, V.: Defect reduction top 10 list. Computer 34(1), 135–137 (2001)

    Article  Google Scholar 

  5. Bures, T., Hnetynka, P., Heinrich, R., Seifermann, S., Walter, M.: Capturing dynamicity and uncertainty in security and trust via situational patterns. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12477, pp. 295–310. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61470-6_18

    Chapter  Google Scholar 

  6. Council of European Union: REGULATION (EU) 2016/679 (General Data Protection Regulation) (2016). https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04. Accessed 05/11/2022

  7. Esfahani, N., et al.: GuideArch. In: ICSE, pp. 43–52 (2013). https://doi.org/10.1109/ICSE.2013.6606550

  8. Esfahani, N., Malek, S.: Uncertainty in self-adaptive software systems. In: de Lemos, R., Giese, H., Müller, H.A., Shaw, M. (eds.) Software Engineering for Self-Adaptive Systems II. LNCS, vol. 7475, pp. 214–238. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35813-5_9

    Chapter  Google Scholar 

  9. FIRST: CVSS v3.1 specification document. https://www.first.org/cvss/v3.1/specification-document#2-3-Impact-Metrics. Accessed 05/11/2022

  10. Garlan, D.: Software engineering in an uncertain world. In: Proceedings of the FSE/SDP Workshop on Future of Software Engineering Research - FoSER 2010, p. 125. ACM Press (2010). https://doi.org/10.1145/1882362.1882389

  11. Grassi, V., Mirandola, R.: The Tao way to anti-fragile software architectures: the case of mobile applications. In: ICSA-C, pp. 86–89. IEEE (2021). https://doi.org/10.1109/ICSA-C52384.2021.00021

  12. Hahner, S.: Architectural access control policy refinement and verification under uncertainty. In: ECSA-C (2021)

    Google Scholar 

  13. Hahner, S.: Dealing with uncertainty in architectural confidentiality analysis. In: Proceedings of the Software Engineering 2021 Satellite Events, pp. 1–6. GI (2021)

    Google Scholar 

  14. Hahner, S., et al.: Companion data set. https://doi.org/10.5281/zenodo.6814107

  15. Hahner, S., et al.: Modeling data flow constraints for design-time confidentiality analyses. In: ICSA-C, pp. 15–21. IEEE (2021). https://doi.org/10.1109/ICSA-C52384.2021.00009

  16. Isaak, J., Hanna, M.J.: User Data Privacy. Computer 51(8), 56–59 (2018). https://doi.org/10.1109/MC.2018.3191268

    Article  Google Scholar 

  17. ISO: ISO/IEC 27000:2018(E) Information technology – Security techniques – Information security management systems – Overview and vocabulary. Standard (2018)

    Google Scholar 

  18. Jansen, A., Bosch, J.: Software architecture as a set of architectural design decisions. In: WICSA, pp. 109–120 (2005). https://doi.org/10.1109/WICSA.2005.61

  19. Kaplan, A., et al.: Introducing an evaluation method for taxonomies. In: EASE. ACM (2022). https://doi.org/10.5445/IR/1000145968, accepted, to appear

  20. Kiureghian, A.D., Ditlevsen, O.: Aleatory or epistemic? does it matter? Struct. Saf. 31, 105–112 (2009). https://doi.org/10.1016/j.strusafe.2008.06.020

    Article  Google Scholar 

  21. Konersmann, M., et al.: Evaluation methods and replicability of software architecture research objects. In: ICSA. IEEE (2022), accepted, to appear

    Google Scholar 

  22. Koziolek, A., et al.: PerOpteryx: automated application of tactics in multi-objective software architecture optimization. In: QoSA-ISARCS, pp. 33–42. ACM (2011). https://doi.org/10.1145/2000259.2000267

  23. Kruchten, P.: An Ontology of Architectural Design Decisions in Software-Intensive Systems. In: 2nd Groningen Workshop on Software Variability, pp. 54–61 (2004)

    Google Scholar 

  24. Lewis, J.R.: The system usability scale: past, present, and future. Int. J. Hum.-Comput. Interact. 34(7), 577–590 (2018). https://doi.org/10.1080/10447318.2018.1455307

    Article  Google Scholar 

  25. Lytra, I., Zdun, U.: Supporting architectural decision making for systems-of-systems design under uncertainty. In: SESoS, pp. 43–46. ACM (2013). https://doi.org/10.1145/2489850.2489859

  26. Mahdavi-Hezavehi, S., et al.: A Classification Framework of Uncertainty in Architecture-Based Self-Adaptive Systems with Multiple Quality Requirements. Managing Trade-Offs in Adaptable Software Architectures, p. 33 (2017). https://doi.org/10.1016/B978-0-12-802855-1.00003-4

  27. Mahdavi-Hezavehi, S., et al.: Uncertainty in Self-Adaptive Systems: A Research Community Perspective. ACM TAAS (2021)

    Google Scholar 

  28. McConnell, S.: Software Project Survey Guide. Microsoft Press, Redmond, Wash (1998)

    Google Scholar 

  29. OWASP Foundation: Owasp top 10:2021 (2021). https://owasp.org/Top10/. Accessed 05/11/2022

  30. Perez-Palacin, D., Mirandola, R.: Dealing with uncertainties in the performance modelling of software systems. In: QoSA, pp. 33–42. ACM (2014). https://doi.org/10.1145/2602576.2602582

  31. Perez-Palacin, D., Mirandola, R.: Uncertainties in the modeling of self-adaptive systems. In: ICPE, pp. 3–14. ACM (2014). https://doi.org/10.1145/2568088.2568095

  32. Ramirez, A.J., et al.: A taxonomy of uncertainty for dynamically adaptive systems. In: SEAMS, pp. 99–108 (2012). https://doi.org/10.1109/SEAMS.2012.6224396

  33. Reussner, R.H., et al.: Modeling and Simulating Software Architectures: The Palladio Approach. The MIT Press (2016)

    Google Scholar 

  34. Robert Koch Institute: Open-Source Project Corona-Warn-App (2020). https://www.coronawarn.app/en/. Accessed 05/11/2022

  35. Runeson, P., Höst, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14, 131 (2009). https://doi.org/10.1007/s10664-008-9102-8

    Article  Google Scholar 

  36. Sasse, M.A., Flechais, I.: Usable security: Why do we need it? how do we get it? O’Reilly (2005)

    Google Scholar 

  37. Seifermann, S., Heinrich, R., Reussner, R.: Data-driven software architecture for analyzing confidentiality. In: ICSA, p. 1–10. IEEE (2019). https://doi.org/10.1109/ICSA.2019.00009

  38. Seifermann, S., Heinrich, R., Werle, D., Reussner, R.: A unified model to detect information flow and access control violations in software architectures. In: SECRYPT, pp. 26–37. SCITEPRESS (2021). https://doi.org/10.5220/0010515300260037

  39. Seifermann, S., et al.: Detecting violations of access control and information flow policies in data flow diagrams. JSS (2022). https://doi.org/10.1016/j.jss.2021.111138

    Article  Google Scholar 

  40. Shostack, A.: Threat Modeling: Designing for Security. John Wiley & Sons (2014)

    Google Scholar 

  41. Troya, J., Moreno, N., Bertoa, M.F., Vallecillo, A.: Uncertainty representation in software models: a survey. Softw. Syst. Model. 20(4), 1183–1213 (2021). https://doi.org/10.1007/s10270-020-00842-1

    Article  Google Scholar 

  42. Tuma, K., et al.: Flaws in flows. In: ICSA, pp. 191–200. IEEE (2019). https://doi.org/10.1109/ICSA.2019.00028

  43. Walker, W.E., et al.: Defining uncertainty: a conceptual basis for uncertainty management in model-based decision support. Integr. Assess. 4(1), 5–17 (2003). https://doi.org/10.1076/iaij.4.1.5.16466

    Article  Google Scholar 

  44. Walter, M., et al.: Architectural optimization for confidentiality under structural uncertainty. In: ECSA’21 Post-Proceedings. Springer (2022), accepted, to appear

    Google Scholar 

  45. Weisbaum, H.: Trust in facebook has dropped by 66 percent since the cambridge analytica scandal (2018). https://www.nbcnews.com/business/consumer/trust-facebook-has-dropped-51-percent-cambridge-analytica-scandal-n867011. Accessed 05/11/2022

Download references

Acknowledgments

This work was supported by the German Research Foundation (DFG) under project number 432576552, HE8596/1-1 (FluidTrust), as well as by funding from the topic Engineering Secure Systems (46.23.03) of the Helmholtz Association (HGF) and by KASTEL Security Research Labs. We like to thank Niko Benkler, who helped in developing this classification during his Master’s thesis. We also like to thank all participants of the user study.

Author information

Authors and Affiliations

  1. KASTEL – Institute of Information Security and Dependability, Karlsruhe Institute of Technology (KIT), Karlsruhe, Germany

    Sebastian Hahner, Stephan Seifermann, Robert Heinrich & Ralf Reussner

Authors
  1. Sebastian Hahner
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stephan Seifermann
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Robert Heinrich
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ralf Reussner
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sebastian Hahner .

Editor information

Editors and Affiliations

  1. Università degli Studi di Milano, Milan, Italy

    Pierangela Samarati

  2. University of Twente, Enschede, The Netherlands

    Marten van Sinderen

  3. Università degli Studi di Milano, Milan, Italy

    Sabrina De Capitani di Vimercati

  4. University of Twente, Enschede, The Netherlands

    Fons Wijnhoven

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hahner, S., Seifermann, S., Heinrich, R., Reussner, R. (2023). A Classification of Software-Architectural Uncertainty Regarding Confidentiality. In: Samarati, P., van Sinderen, M., Vimercati, S.D.C.d., Wijnhoven, F. (eds) E-Business and Telecommunications. ICETE 2021. Communications in Computer and Information Science, vol 1795. Springer, Cham. https://doi.org/10.1007/978-3-031-36840-0_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-36840-0_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36839-4

  • Online ISBN: 978-3-031-36840-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation