Restoring security of evolving software models using graph transformation



Security certification of complex systems requires a high amount of effort. As a particular challenge, today’s systems are increasingly long-living and subject to continuous change. After each change of some part of the system, the whole system needs to be re-certified from scratch (since security properties are not in general modular), which is usually far too much effort. When models for software get changed, this can lead to security weaknesses that are also part of the software system that is derived from those models. Hence, it is important to check the models with respect to security properties and correct them respectively. To address this challenge, we present an approach which not only finds security weaknesses but can also correct them in a tool-supported way. As time goes by, a diverse number of changing requirements that may be security-related and non-security-related lead to an evolving system that met its security requirements at design time but can contain vulnerabilities with respect to meanwhile updated security knowledge. Supported by patterns we can describe and detect potential flaws that may arise in models, such as inconsistencies in security requirements. Potential violations can be formalized in the patterns as well as the correction alternatives to fix these. It is based on graph transformation and can be applied to different types of models and violations. For flaw detection, these patterns are used as the left-hand sides of graph transformation rules. Using graph transformation, we can further correct the models and establish that they no longer violate the security requirements under investigation. The approach is supported by a tool which can check whether these patterns arise in models and assist the user in correcting the security vulnerabilities.


Evolution Graph transformation Model transformation Model-based software engineering security 


  1. 1.
    Aksit, M., Rensink, A., Staijen, T.: A graph-transformation-based simulation approach for analysing aspect interference on shared join points. In: AOSD 2009, pp. 39–50. ACM, New York (2009)Google Scholar
  2. 2.
    Amrani, M., Lucio, L., Selim, G.M.K., Combemale, B., Dingel, J., Vangheluwe, H., Traon, Y.L., Cordy, J.R.: A tridimensional approach for studying the formal verification of model transformations. In: ICST 2012, pp. 921–928. IEEE (2012)Google Scholar
  3. 3.
    Arendt, T., Biermann, E., Jurack, S., Krause, C., Taentzer, G.: Henshin: advanced concepts and tools for in-place EMF model transformations. In: MoDELS 2010. LNCS, vol. 6394, pp. 121–135. Springer, Berlin (2010)Google Scholar
  4. 4.
    Awad, A.: BPMN-Q: A language to query business processes. In EMISA, pp. 115–128 (2007)Google Scholar
  5. 5.
    Banti, Federico, Pugliese, Rosario, Tiezzi, Francesco: An accessible verification environment for UML models of services. J. Symb. Comput. 46(2), 119–149 (2011)CrossRefMATHGoogle Scholar
  6. 6.
    Bergmann, G., Horváth, Á., Ráth, I., Varró, D., Balogh, A., Balogh, Z., Ökrös, A.: Incremental evaluation of model queries over emf models. In: Model Driven Engineering Languages and Systems. Lecture Notes in Computer Science, vol. 6394, pp. 76–90. Springer, Berlin (2010)Google Scholar
  7. 7.
    Bergmann, G., Massacci, F., Paci, F., Tun, T., Varró, D., Yijun, Y.: A tool for managing evolving security requirements. In: Nurcan, S. (ed.) IS Olympics: Information Systems in a Diverse World. Lecture Notes in Business Information Processing, vol. 107, pp. 110–125. Springer, Berlin (2012)Google Scholar
  8. 8.
    Biermann, E., Ermel, C., Taentzer, G.: Lifting parallel graph transformation concepts to model transformation based on the eclipse modeling framework. Electron. Commun. EASST 26, 1–19 (2010)Google Scholar
  9. 9.
    Bottoni, P., Koch, M., Parisi-Presicce, F., Taentzer, G.: Consistency checking and visualization of OCL constraints. In: UML. LNCS, vol. 1939, pp. 294–308. Springer, Berlin (2000)Google Scholar
  10. 10.
    Brown, W.J., Malveau, R.C., McCormick, H.W., Mowbray, T.J.: AntiPatterns: Refactoring Software, Architectures, and Projects in Crisis. Wiley, New York (1998)Google Scholar
  11. 11.
    Carisma tool homepage (2013).
  12. 12.
    CEA: Papyrus UML.
  13. 13.
    Cengarle, M.V., Knapp, A., Tarlecki, A., Wirsing, M.: A heterogeneous approach to UML semantics. In: Degano, P., de Nicola, R., Meseguer, J. (eds.) Concurrency, Graphs and Models. LNCS, vol. 5065, pp. 383–402. Springer, Berlin (2008)Google Scholar
  14. 14.
    Cunningham, W., et al.: Portland pattern repository.
  15. 15.
    Eclipse Foundation: Eclipse.
  16. 16.
    Eclipse Foundation: Eclipse modeling framework project (EMF).
  17. 17.
    Eclipse Foundation: EMF compare.
  18. 18.
  19. 19.
    Ehrig, H., Kreowski, H.J.: Parallel graph grammars. In: Automata, Languages, Development, pp. 425–447. North Holland, Amsterdam (1976)Google Scholar
  20. 20.
    Engels, G., Heckel, R., Küster, J.M.: The consistency workbench: a tool for consistency management in UML-based development. In: UML 2003. LNCS, vol. 2863, pp. 356–359. Springer, Berlin (2003)Google Scholar
  21. 21.
    Greenyer, J., Kindler, E.: Comparing relational model transformation technologies: implementing query/view/transformation with triple graph grammars. Softw. Syst. Model. 9(1), 21–46 (2010)CrossRefGoogle Scholar
  22. 22.
  23. 23.
    Guerra, E., de Lara, J., Kolovos, D.S., Paige, R.F., dos Santos, O.M.: Engineering model transformations with transML. Softw. Syst. Model. 12(3), 555–577 (2013)CrossRefGoogle Scholar
  24. 24.
    Jürjens, J.: Modelling audit security for smart-card payment schemes with UMLsec. In: Dupuy, M., Paradinas, P. (eds.) Trusted Information: The New Decade Challenge. IFIP TC11 Sixteenth Annual Working Conference on Information Security (IFIP/Sec’01), June 11–13, 2001, Paris, France. IFIP Conference Proceedings, vol. 193, pp. 93–108. Kluwer, Dordrecht (2001)Google Scholar
  25. 25.
    Jürjens, J.: Secure Systems Development with UML. Springer, Berlin (2005)MATHGoogle Scholar
  26. 26.
    Jürjens, J., Wimmel, G.: Formally testing fail-safety of electronic purse protocols. In: 16th IEEE International Conference on Automated Software Engineering (ASE 2001), 26–29 November 2001, Coronado Island, San Diego, CA, USA, pp. 408–411. IEEE Computer Society (2001)Google Scholar
  27. 27.
    Jürjens, J., Wimmel, G.: Security modelling for electronic commerce: the common electronic purse specifications. In: Schmid B., Stanoevska-Slabeva, K., Tschammer, V. (eds.) Towards the E-Society: E-Commerce, E-Business, and E-Government. The First IFIP Conference on E-Commerce, E-Business, E-Government (I3E 2001), October 3–5, Zürich, Switzerland. IFIP Conference Proceedings, vol. 202, pp. 489–505. Kluwer, Dordrecht (2001)Google Scholar
  28. 28.
    Kehrer, T., Kelter, U., Ohrndorf, M., Sollbach, T.: Understanding model evolution through semantically lifting model differences with SiLift. In: 2012 28th IEEE International Conference on Software Maintenance (ICSM), pp. 638–641 (2012)Google Scholar
  29. 29.
    Kehrer, T., Kelter, U., Taentzer, G.: A rule-based approach to the semantic lifting of model differences in the context of model versioning. In: ASE, pp. 163–172 (2011)Google Scholar
  30. 30.
    Kindler, E., Wagner, R.: Triple graph grammars: concepts, extensions, implementations, and application scenarios. Technical report, tr-ri-07-284, University of Paderborn (2007)Google Scholar
  31. 31.
    Knapp, A., Merz, S., Rauh, C.: Model checking timed UML state machines and collaborations. In: FTRTFT, pp. 395–416 (2002)Google Scholar
  32. 32.
    Krause, C., Dyck, J., Giese, H.: Metamodel-specific coupled evolution based on dynamically typed graph transformations. In: ICMT 2013. LNCS, vol. 7909, pp. 76–91. Springer, Berlin (2013)Google Scholar
  33. 33.
    Latella, D., Majzik, I., Massink, M.: Automatic verification of a behavioural subset of UML statechart diagrams using the SPIN model-checker. Form. Asp. Comput. 11(6), 637–664 (1999)CrossRefMATHGoogle Scholar
  34. 34.
    LBC: Topcased, the open-source toolkit for critical systems.
  35. 35.
    Llano, M.T., Pooley, R.: UML specification and correction of object-oriented anti-patterns. In: ICSEA ’09, pp. 39–44. IEEE Computer Society (2009)Google Scholar
  36. 36.
    Lodderstedt, T., Basin, D.A., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th International Conference on The Unified Modeling Language, UML ’02, pp. 426–441 (2002)Google Scholar
  37. 37.
    Massacci, F., Naliuka, K.: Towards practical security monitors of UML policies for mobile applications. In: POLICY, pp. 278 (2007)Google Scholar
  38. 38.
    Mens, T., Taentzer, G., Müller, D.: Challenges in model refactoring. In: Proceedings of the 1st Workshop on Refactoring Tools. University of Berlin (2007)Google Scholar
  39. 39.
    Mens, T., Taentzer, G., Runge, O.: Analysing refactoring dependencies using graph transformation. Softw. Syst. Model. 6(3), 269–285 (2007)CrossRefGoogle Scholar
  40. 40.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: ARES, pp. 41–48 (2009)Google Scholar
  41. 41.
    Montrieux, L.: Implementation of access control using aspect-oriented programming. Master’s thesis, Facults Universitaires Notre-Dame de la Paix, Namur (2009)Google Scholar
  42. 42.
    Object Management Group: Business Process Model and Notation (BPMN).
  43. 43.
    Pnueli, A., Siegel, M., Singerman, E.: Translation validation. In: Steffen, B. (ed.) Tools and Algorithms for Construction and Analysis of Systems. 4th International Conference, TACAS ’98. Held as Part of the European Joint Conferences on the Theory and Practice of Software, ETAPS’98, Lisbon, Portugal, March 28–April 4, 1998, Proceedings. Lecture Notes in Computer Science, vol. 1384, pp. 151–166. Springer, Berlin (1998)Google Scholar
  44. 44.
    Reder, A., Egyed, A.: Computing repair trees for resolving inconsistencies in design models. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012, pp. 220–229. ACM, New York (2012)Google Scholar
  45. 45.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. 90–D(4), 745–752 (2007)Google Scholar
  46. 46.
    Ruhroth, T., Gärtner, S., Bürger, J., Jürjens, J., Schneider, K.: Versioning and evolution requirements for model-based system development. In: International Workshop on Comparison and Versioning of Software Models (CVSM) (2014)Google Scholar
  47. 47.
    Salay, R., Chechik, M., Easterbrook, S.M., Diskin, Z., McCormick, P., Nejati, S., Sabetzadeh, M., Viriyakattiyaporn, P.: An eclipse-based tool framework for software model management. In: OOPSLA Workshop on Eclipse Technology Exchange (ETX 2007), pp. 55–59. ACM, New York (2007)Google Scholar
  48. 48.
    Schmidt, Á., Varró, D.: CheckVML: a tool for model checking visual modeling languages. In: UML 2003. LNCS, vol. 2863, pp. 92–95. Springer, Berlin (2003)Google Scholar
  49. 49.
    Schürr, A.: Specification of graph translators with triple graph grammars. In: Mayr, E.W., Schmidt, G., Tinhofer, G. (eds.) Graph–Theoretic Concepts in Computer Science. LNCS, vol. 903, pp. 151–163. Springer, Heidelberg (1995)Google Scholar
  50. 50.
    Taentzer, G.: Parallel and distributed graph transformation: formal description and application to communication-based systems. PhD thesis, TU Berlin (1996)Google Scholar
  51. 51.
    Tun, T.T., Yu, Y., Haley, C.B., Nuseibeh, B.: Model-based argument analysis for evolving security requirements. In: SSIRI, pp. 88–97 (2010)Google Scholar
  52. 52.
    University of Siegen: SiDiff.
  53. 53.
    Wendehals, L.: Cliché-und Mustererkennung auf Basis von Generic Fuzzy Reasoning Nets. Master’s thesis, in German, Universität Paderborn (2001)Google Scholar
  54. 54.
    Wolter, C., Menzel, M., Meinel, C.: Modelling security goals in business processes. In: Kühne, T., Reisig, W., Steimann, F. (eds.) Modellierung 2008, Lecture Notes in Informatics, vol. 127, pp. 197–212 (2008)Google Scholar
  55. 55.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: 5th BPM, pp. 64–79 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.TU DortmundDortmundGermany
  2. 2.Fraunhofer ISSTDortmundGermany

Personalised recommendations