Extended Description Techniques for Security Engineering

  • Guido Wimmel
  • Alexander Wisspeintner
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 65)


There is a strong demand for techniques to aid the development and modelling of security-critical systems. Based on general security evaluation criteria, we show how to extend the system structure diagrams of the CASE tool AutoFocus (which are related to UML-RT collaboration diagrams) to allow modelling of security-critical systems, in particular concerning components and channels. Both high-level and low-level models of systems are supported, and the notion of security patterns is introduced to provide generic solutions for security requirements. We explain our approach using the example of an electronic purse card system.
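The following is an added illustration, not code or notation from the paper or from AutoFocus, of the idea the abstract describes: a structure diagram whose components sit in trust domains and whose channels are annotated with the security properties their messages require and the properties the medium guarantees; a check reports the gap, and a "secure channel" security pattern rewrites the high-level model into a low-level one that closes it. The purse-card components, the three properties, the rule that a channel inside one trust domain needs no protection, and the assumption that the wrapped wire channel provides all three properties (key distribution is outside the model) are all this example's own assumptions.

```python
"""Toy, security-annotated system structure model (added illustration).

Components live in trust domains and exchange typed messages over
channels.  Each channel carries the properties its messages REQUIRE
and the properties the medium GUARANTEES.  A consistency check lists
the gap, and a "secure channel" security pattern rewrites the
structure to close it.  All names and rules below are this example's
own assumptions, not the paper's AutoFocus notation.
"""
from dataclasses import dataclass

CONF, INTEG, AUTH = "confidentiality", "integrity", "authenticity"
ALL_PROPS = frozenset({CONF, INTEG, AUTH})


@dataclass(frozen=True)
class Component:
    name: str
    domain: str  # trust domain, e.g. "card" or "terminal"


@dataclass(frozen=True)
class Channel:
    name: str
    src: str
    dst: str
    msg_type: str
    requires: frozenset = frozenset()    # properties the message needs
    guarantees: frozenset = frozenset()  # properties the medium provides


@dataclass
class SystemStructure:
    components: dict  # name -> Component
    channels: dict    # name -> Channel


def effective_guarantees(sys_: SystemStructure, ch: Channel) -> frozenset:
    """Assumption: a channel whose endpoints share a trust domain is
    out of the attacker's reach, so it provides every property."""
    if sys_.components[ch.src].domain == sys_.components[ch.dst].domain:
        return ALL_PROPS
    return ch.guarantees


def violations(sys_: SystemStructure) -> dict:
    """Map channel name -> sorted list of required but unprotected properties."""
    out = {}
    for name, ch in sys_.channels.items():
        gap = ch.requires - effective_guarantees(sys_, ch)
        if gap:
            out[name] = sorted(gap)
    return out


def apply_secure_channel(sys_: SystemStructure, name: str) -> SystemStructure:
    """Security pattern: split a cross-domain channel into
    src -> SecOut -> (encrypt+MAC on the wire) -> SecIn -> dst.
    The wire channel is assumed to provide all three properties;
    key distribution is outside this model."""
    ch = sys_.channels[name]
    enc = Component(f"{ch.src}_SecOut", sys_.components[ch.src].domain)
    dec = Component(f"{ch.dst}_SecIn", sys_.components[ch.dst].domain)
    channels = {n: c for n, c in sys_.channels.items() if n != name}
    channels[f"{name}_plain_in"] = Channel(
        f"{name}_plain_in", ch.src, enc.name, ch.msg_type, ch.requires)
    channels[f"{name}_wire"] = Channel(
        f"{name}_wire", enc.name, dec.name, "SecuredMsg", ch.requires, ALL_PROPS)
    channels[f"{name}_plain_out"] = Channel(
        f"{name}_plain_out", dec.name, ch.dst, ch.msg_type, ch.requires)
    components = {**sys_.components, enc.name: enc, dec.name: dec}
    return SystemStructure(components, channels)


def purse_example() -> SystemStructure:
    """Constructed high-level model of a purse card talking to a terminal."""
    comps = [Component("Card", "card"), Component("Balance", "card"),
             Component("Terminal", "terminal")]
    chans = [
        Channel("debitReq", "Terminal", "Card", "DebitRequest",
                requires=frozenset({INTEG, AUTH})),
        Channel("debitAck", "Card", "Terminal", "DebitAck",
                requires=frozenset({INTEG, AUTH})),
        # on-card channel: same trust domain, no cryptographic protection needed
        Channel("balanceUpd", "Card", "Balance", "Amount",
                requires=frozenset({INTEG})),
    ]
    return SystemStructure({c.name: c for c in comps}, {c.name: c for c in chans})


def harden(sys_: SystemStructure) -> SystemStructure:
    """Apply the pattern to every violating channel (yields the low-level model)."""
    for name in list(violations(sys_)):
        sys_ = apply_secure_channel(sys_, name)
    return sys_


if __name__ == "__main__":
    high = purse_example()
    print("violations:", violations(high))
    print("after hardening:", violations(harden(high)))
```

Running the module reports the two card/terminal channels as lacking integrity and authenticity in the high-level model and no violations after the pattern has been applied; the on-card balance channel is never flagged because its endpoints share a trust domain. The point of the separation between `requires` and `guarantees` is that the check is mechanical once the annotations exist, which is what makes the pattern reusable across diagrams.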


Keywords: Security Engineering, Graphical Description Techniques, Software Engineering, Requirements Engineering, Security Properties, Design Patterns, Security Patterns, Formal Methods, CASE, AutoFocus, UML-RT


Copyright information

© IFIP International Federation for Information Processing 2001

Authors and Affiliations

  • Guido Wimmel (1)
  • Alexander Wisspeintner (1)
  1. Institut für Informatik, Technische Universität München, München, Germany
