Developing Secure Systems with UMLsec — From Business Processes to Implementation

Chapter in: Verlässliche IT-Systeme 2001

Part of the book series: DuD-Fachbeiträge (DUD)

Abstract

In practice, the security of computer systems is compromised most often not by breaking dedicated mechanisms (such as security protocols), but by exploiting vulnerabilities in the way they are employed. We show how UML (the industry standard in object-oriented modelling) can be used to encapsulate rules of prudent security engineering and make them available to developers without a background in security. UML diagrams can be evaluated with respect to these rules, violations can be indicated, and suggestions for modifications can be derived. We also show how to use transformations between UML models to introduce patterns by refinement.

Supported by the Studienstiftung des deutschen Volkes and the Computing Laboratory.


References

  1. M. Abadi. Security protocols and their properties. In F. Bauer and R. Steinbrueggen, editors, Foundations of Secure Computation. IOS, 2000.
  2. M. Abadi and J. Jürjens. Formal eavesdropping and its computational interpretation, 2001. Submitted.
  3. R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.
  4. V. Apostolopoulos, V. Peris, and D. Saha. Transport layer security: How much does it really cost? In Conference on Computer Communications (IEEE Infocom), New York, March 1999.
  5. N. Asokan, V. Shoup, and M. Waidner. Asynchronous protocols for optimistic fair exchange. In IEEE Symposium on Security and Privacy, 1998.
  6. C. Bolton and J. Davies. Activity graphs and processes. In Integrated Formal Methods, LNCS. Springer, 2000.
  7. J. Biskup. Grundlagen von Informationssystemen. Vieweg, 1995.
  8. H. Brüggemann. Spezifikation von objektorientierten Rechten. Vieweg, 1997.
  9. CEPSCO. Common Electronic Purse Specifications, 2001. Business Requirements vers. 7.0, Functional Requirements vers. 6.3, Technical Specification vers. 2.3. Available from http://www.cepsco.com.
  10. S. Cook, A. Kleppe, R. Mitchell, B. Rumpe, J. Warmer, and A. Wills. Defining UML family members using prefaces. In Ch. Mingins and B. Meyer, editors, TOOLS'99 Pacific. IEEE Computer Society, 1999.
  11. C. Crichton. UML statecharts and CSP, 2001. In preparation.
  12. P. Devanbu and S. Stubblebine. Software engineering for security: a roadmap. In The Future of Software Engineering, 2000. Special Volume (ICSE 2000).
  13. C. Eckert. IT-Sicherheit — Konzepte, Verfahren, Protokolle. R. Oldenbourg Verlag, 2000.
  14. D. Fox and P. Horster. Realisierung von Public Key-Infrastrukturen. Pages 283–304. Vieweg Verlag, 1999.
  15. E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, 1995.
  16. D. Gollmann. What do we mean by entity authentication? In IEEE Symposium on Security and Privacy, 1996.
  17. D. Gollmann. Computer Security. J. Wiley, 1999.
  18. L. Gong. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, 1999.
  19. P. Horster, editor. Systemsicherheit. Vieweg Verlag, 2000. Conference proceedings.
  20. H. Hußmann, editor. Fundamental Approaches to Software Engineering (FASE/ETAPS), International Conference, volume 2029 of LNCS. Springer, 2001.
  21. J. Jürjens. Encapsulating rules of prudent security engineering. In International Workshop on Security Protocols. Springer Verlag, 2001. To be published.
  22. J. Jürjens. Modelling audit security for smart-card payment schemes with UMLsec. In P. Paradinas, editor, IFIP/SEC 2001, 16th International Conference on Information Security. Kluwer, 2001.
  23. J. Jürjens. Towards development of secure systems using UMLsec. In [Huß01], 2001.
  24. J. Jürjens. Secrecy-preserving refinement. In Formal Methods Europe (International Symposium), volume 2021 of LNCS, pages 135–152. Springer, 2001.
  25. J. Jürjens. Secure Java development with UMLsec, 2001. Submitted.
  26. J. Jürjens and G. Wimmel. Security modelling for electronic commerce: The Common Electronic Purse Specifications. In First IFIP Conference on E-Commerce, E-Business, and E-Government (I3E). Kluwer, 2001.
  27. J. Jürjens and G. Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer, 2001. To be published.
  28. V. Lotz. Ein methodischer Rahmen zur formalen Entwicklung sicherer Systeme. In [Hor00], 2000.
  29. UML Revision Task Force, OMG. UML Specification 1.3. Available at http://www.omg.org/uml, 1999.
  30. L. Paulson. Inductive analysis of the Internet protocol TLS (transcript of discussion). In B. Christianson, B. Crispo, W. S. Harbison, and M. Roe, editors, Security Protocols: 6th International Workshop, number 1550 in LNCS, page 13 ff., Cambridge, UK, April 1998.
  31. A. Pfitzmann. Sicherheit in Rechnernetzen, 1999. Lecture notes (in German).
  32. K. Pommerening. Datenschutz und Datensicherheit. BI-Wissenschaftsverlag, 1991.
  33. B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In 7th ACM Conference on Computer and Communications Security, 2000.
  34. B. Pfitzmann and M. Waidner. A model for asynchronous reactive systems and its applications to secure message transmissions. In IEEE Symposium on Security and Privacy, 2001.
  35. J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Language Reference Manual. Addison-Wesley, 1999.
  36. P. Ryan, S. Schneider, M. Goldsmith, G. Lowe, and B. Roscoe. Modelling and Analysis of Security Protocols. Addison-Wesley, 2001. To be published.
  37. P. Stevens and R. Pooley. Using UML. Addison-Wesley, 2000.
  38. P. Stevens. On use cases and their relationships in the Unified Modelling Language. In [Huß01], LNCS. Springer, 2001.
  39. M. Walker. On the security of 3GPP networks. In Advances in Cryptology (EUROCRYPT), volume 1807 of LNCS. Springer, 2000.
  40. G. Wolf and A. Pfitzmann. Charakteristika von Schutzzielen und Konsequenzen für Benutzungsschnittstellen. Informatik-Spektrum, 23(3):173–191, 2000.
  41. G. Wimmel and A. Wißpeitner. Extended description techniques for security engineering. In IFIP SEC, 2001.


Editor information

Dirk Fox Marit Köhntopp Andreas Pfitzmann


Copyright information

© 2001 Springer Fachmedien Wiesbaden

Cite this chapter

Jürjens, J. (2001). Developing Secure Systems with UMLsec — From Business Processes to Implementation. In: Fox, D., Köhntopp, M., Pfitzmann, A. (eds) Verlässliche IT-Systeme 2001. DuD-Fachbeiträge. Vieweg+Teubner Verlag, Wiesbaden. https://doi.org/10.1007/978-3-663-05918-9_11

  • DOI: https://doi.org/10.1007/978-3-663-05918-9_11

  • Publisher Name: Vieweg+Teubner Verlag, Wiesbaden

  • Print ISBN: 978-3-663-05919-6

  • Online ISBN: 978-3-663-05918-9

  • eBook Packages: Springer Book Archive
