Requirements Engineering, Volume 15, Issue 1, pp 95–118

A UML-based static verification framework for security

  • Igor Siveroni
  • Andrea Zisman
  • George Spanoudakis

Special Issue: Security Requirements Engineering


Secure software engineering is a new research area that has been proposed to address security issues during the development of software systems. This area of research advocates that security characteristics should be considered from the early stages of the software development life cycle and should not be added as another layer to the system on an ad-hoc basis after the system is built. In this paper, we describe a UML-based Static Verification Framework (USVF) to support the design and verification of secure software systems in the early stages of the software development life cycle, taking into consideration both the security and the general requirements of the software system. USVF performs static verification on UML models consisting of UML class and state machine diagrams extended by an action language. We present an operational semantics of UML models, define a property specification language designed to reason about temporal and general properties of UML state machines using the semantic domains of that operational semantics, and implement the model checking process by translating models and properties into Promela, the input language of the SPIN model checker. We show that the methodology can be applied to the verification of security properties by representing the main aspects of security, namely availability, integrity and confidentiality, in the USVF property specification language.


Keywords: UML, Security requirements, Model checking, SPIN



This work was partially supported by the European Commission under the Information Society Technologies Programme as part of the project PEPERS (contract ISI-26901).



Copyright information

© Springer-Verlag London Limited 2009

Authors and Affiliations

  • Igor Siveroni (1)
  • Andrea Zisman (1)
  • George Spanoudakis (1)

  1. Department of Computing, City University London, Northampton Square, London, UK