Abstract
In practice, security of computer systems is compromised most often not by breaking dedicated mechanisms (such as security protocols), but by exploiting vulnerabilities in the way they are employed. We show how UML (the industry standard in object-oriented modelling) can be used to encapsulate rules of prudent security engineering to make them available to developers without a background in security. UML diagrams can be evaluated with respect to these rules, violations indicated, and suggestions for modifications derived. We also show how to use transformations between UML models to introduce patterns by refinement.
Supported by the Studienstiftung des deutschen Volkes and the Computing Laboratory.
© 2001 Springer Fachmedien Wiesbaden
Jürjens, J. (2001). Developing Secure Systems with UMLsec — From Business Processes to Implementation. In: Fox, D., Köhntopp, M., Pfitzmann, A. (eds) Verlässliche IT-Systeme 2001. DuD-Fachbeiträge. Vieweg+Teubner Verlag, Wiesbaden. https://doi.org/10.1007/978-3-663-05918-9_11
DOI: https://doi.org/10.1007/978-3-663-05918-9_11
Publisher Name: Vieweg+Teubner Verlag, Wiesbaden
Print ISBN: 978-3-663-05919-6
Online ISBN: 978-3-663-05918-9
eBook Packages: Springer Book Archive