Title :
AsmLSec: An Extension of Abstract State Machine Language for Attack Scenario Specification
Author :
Raihan, Mohammad ; Zulkernine, Mohammad
Author_Institution :
Queen's Univ., Kingston, Ont.
Abstract :
Security, one of the most important aspects of software, gets very little attention during the software development life cycle (SDLC). Therefore, the software remains vulnerable to attacks which are handled by issuing patches or service packs by the software vendors. To overcome this problem, researchers have proposed to take security into consideration right from the very beginning of the software development process. However, most specification languages were not designed with an intention for specifying security requirements, and therefore, they lack some features to serve this purpose. As a result, we need suitable specification languages that can be used both for functional specification and security specification. We propose a formal extension of a popular specification language called AsmL (Abstract State Machine Language) for attack descriptions with a view to building secure software. We name the extended language AsmLSec. We present the details of AsmLSec syntax and semantics, describe how to model attacks using its constructs, and present the design and implementation of a compiler that generates attack signatures from the AsmLSec attack specifications. To evaluate the expressive power of AsmLSec, we model attack scenarios based on the benchmark DARPA data sets.
Keywords :
formal specification; program compilers; security of data; specification languages; Abstract State Machine Language; AsmLSec language; AsmLSec semantics; AsmLSec syntax; attack description; attack scenario specification; attack signatures; functional specification; program compiler; security requirements; security specification; software development life cycle; software security; software vulnerability; specification language; Access control; Buildings; Cost function; Data security; Intrusion detection; Programming; Quality of service; Software design; Specification languages; Unified modeling language;
Conference_Title :
Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on
Conference_Location :
Vienna
Print_ISBN :
0-7695-2775-2
DOI :
10.1109/ARES.2007.45