Security attacks often exploit flaws that are not anticipated in an
abstract design, but are introduced inadvertently when high-level
interactions in the design are mapped to low-level behaviors in the
supporting platform. This paper proposes a multi-representational
approach to security analysis, where models capturing distinct (but
possibly overlapping) views of a system are automatically composed in
order to enable an end-to-end analysis. This approach allows the
designer to incrementally explore the impact of design decisions on
security, and discover attacks that span multiple layers of the
system. This paper describes Poirot, a prototype implementation of the
approach, and reports on our experience on applying Poirot to detect
previously unknown security flaws in publicly deployed systems.