[摘要] Many security attacks arise from unanticipated behaviors that are inadvertently introduced by the system designer at various stages of the development. This thesis proposes a multi-representational approach to security modeling and analysis, where models capturing distinct (but possibly overlapping) views of a system are automatically composed in order to enable an end-to-end analysis. This approach allows the designer to incrementally explore the impact of design decisions on security, and discover attacks that span multiple layers of the system. The thesis also introduces Poirot, a prototype implementation of the approach, and reports on the application of Poirot to detect previously unknown security flaws in publicly deployed systems.