Checking Compliance of Program with SecureUML Model

  • Thanh-Nhan Luong
  • Van-Khanh To
  • Ninh-Thuan Truong
Part of the Studies in Computational Intelligence book series (SCI, volume 710)


Access control is one of the most efficient ways to restrict resource access violations. However, in software development process, programs may not be fully complied with access policies represented in specifications. In this paper, we present an approach to verify the access policies compliance between a SecureUML model and its software program. We extract access control rules specified in SecureUML model, analyze source code of its program and propose an algorithm to check the compliance between two paradigms. Our approach can help programmers to detect some resource access violations and to improve the quality of software systems.


Specification Compliance Checking SecureUML 



This research is funded by Vietnam National Foundation for Science and Technology Development (NAFOSTED) under grant number 102.03-2014.40.


  1. 1.
    Mead, N.R., Allen, J.H., Barnum, S., Ellison, R.J., McGraw, G.: Software Security Engineering: A Guide for Project Managers. Addison-Wesley Professional (2004)Google Scholar
  2. 2.
    Ferraiolo, D., Kuhn, D.R., Chandramouli, R.: Role-Based Access Control. Artech House (2003)Google Scholar
  3. 3.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: International Conference on the Unified Modeling Language, pp. 426–441. Springer (2002)Google Scholar
  4. 4.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)CrossRefGoogle Scholar
  5. 5.
    Sandhu, R.S., Coynek, E.J., Feinsteink, H.L., Youmank, C.E.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996)CrossRefGoogle Scholar
  6. 6.
    Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. (TOSEM) 15(1), 39–91 (2006)CrossRefGoogle Scholar
  7. 7.
    Matulevičius, R., Dumas, M.: A comparison of secureUML and UMLsec for rolebased access control. In: Proceedings of the 9th Conference on Databases and Information Systems, pp. 171–185 (2010)Google Scholar
  8. 8.
    Boadu, E.O., Armah, G.K.: Role-based access control (RBAC) based in hospital management. Int. J. Softw. Eng. Knowl. Eng. 3, 53–67 (2014)Google Scholar
  9. 9.
    Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, pp. 196–205. ACM (2005)Google Scholar
  10. 10.
    Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 168–176. Springer (2004)Google Scholar
  11. 11.
    Qamar, N., Ledru, Y., Idani, A.: Validation of security-design models using z. In: International Conference on Formal Engineering Methods, pp. 259–274. Springer (2011)Google Scholar
  12. 12.
    Qamar, N., Faber, J., Ledru, Y., Liu, Z.: Automated reviewing of healthcare security policies. In: International Symposium on Foundations of Health Informatics Engineering and Systems, pp. 176–193. Springer (2012)Google Scholar
  13. 13.
    Gunter, T.D., Terry, N.P.: The emergence of national electronic health record architectures in the United States and Australia: models, costs, and questions. J. Med. Internet Res. 7(1), e3 (2005)CrossRefGoogle Scholar
  14. 14.
    Kierkegaard, P.: Electronic health record: wiring Europes healthcare. Comput. Law Secur. Rev. 27(5), 503–515 (2011)CrossRefGoogle Scholar
  15. 15.
    M. University: Soot: a Java optimization framework. (2012)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Thanh-Nhan Luong
    • 1
  • Van-Khanh To
    • 2
  • Ninh-Thuan Truong
    • 2
  1. 1.Department of InformaticsHai Phong University of Medicine and PharmacyNgo Quyen, Hai PhongVietnam
  2. 2.VNU University of Engineering and TechnologyCau GiayVietnam

Personalised recommendations