Secure Java Development with UML

  • Jan Jürjens
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 78)


Developing secure software systems is difficult and error-prone. Numerous implementations have been found vulnerable in the past; a recent example is the unauthorised access to millions of online account details at an American bank.

We aim to address this general problem in the context of development in Java. While the JDK 1.2 security architecture offers features (such as guarded objects) that provide a high degree of flexibility and the possibility to perform fine-grained access control, these features are not so easy to use correctly.

We show how to use a formal core of the Unified Modeling Language (UML), the de-facto industry-standard in object-oriented modelling, to correctly employ Java security concepts as such as signing, sealing, and guarding objects. We prove results for verification of specifications wrt. security requirements. We illustrate our approach with a (simplified) account of the development of a web-based financial application from formal specifications.


Distributed systems security access control mobile code Java security secure software engineering Unified Modeling Language 


  1. [Aba00]
    M. Abadi. Security protocols and their properties. In F. Bauer and R. Steinbrueggen, editors, Foundations of Secure Computation. IOS Press, 2000.Google Scholar
  2. [ABLP93]
    M. Abadi, Michael Burrows, Butler Lampson, and Gordon Plotkin. A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4):706–734, 1993.CrossRefGoogle Scholar
  3. [And01]
    R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.Google Scholar
  4. [BV99]
    B. Bokowski and J. Vitek. Confined types. In 14th Annual ACM SIGPLAN Conference on Object Oriented Programming Systems, Languages, and Applications (OOPSLA’ 99), 1999.Google Scholar
  5. [CCR01]
    R. Campo, A. Cavarra, and E. Riccobene. Simulating UML state machines. In E. Borger and U. Glässer, editors, ASM’2001, LNCS. Springer-Verlag, 2001. To be published.Google Scholar
  6. [FDR94]
    J. C. Fabre, Y. Deswarte, and B. Randell. Designing secure and reliable applications using fragmentation-redundancy-scattering: an object-oriented approach. In PDCS 2: Open Conference, pages 343–362, Newcastle-upon-Tyne, 1994. Dept of Computing Science, University of Newcastle, NE1 7RU, UK.Google Scholar
  7. [GAS99]
    Stefanos Gritzalis, George Aggelis, and Diomidis Spinellis. Architectures for secure portable executable content. Internet Research, 9(1):16–24, 1999.CrossRefGoogle Scholar
  8. [Go199]
    D. Gollmann. Computer Security. J. Wiley, 1999.Google Scholar
  9. [Gon98]
    Li Gong. JavaTM Security Architecture (JDK1.2)., October 2 1998.
  10. [Gon99]
    Li Gong. Inside Java 2 Platform Security-Architecture, API Design, and Implementation. Addison-Wesley, 1999.Google Scholar
  11. [GSG99]
    Stefanos Gritzalis, Diomidis Spinellis, and Panagiotis Georgiadis. Security protocols over open networks and distributed systems: Formal methods for their analysis, design, and verification. Computer Communications Journal, 22(8):695–707, 1999.CrossRefGoogle Scholar
  12. [HKK00]
    Manfred Hauswirth, Clemens Kerer, and Roman Kurmanowytsch. A secure execution framework for Java. In ACM conference on Computer and communications security, 2000.Google Scholar
  13. [Huß01]
    H. Hußmann, editor. Fundamental Approaches to Software Engineering (FASE/ETA PS, International Conference), volume 2029 of LNCS. Springer-Verlag, 2001.Google Scholar
  14. [Jür01a]
    Jan Jürjens. Developing secure systems with UMLsec-from business processes to implementation. In VIS 2001. Vieweg-Verlag, 2001. To appear.Google Scholar
  15. [Jür01b]
    Jan Jiirjens. Encapsulating rules of prudent security engineering. In International Workshop on Security Protocols, LNCS. Springer-Verlag, 2001. To be published.Google Scholar
  16. [Jür01c]
    Jan Jurjens. Modelling audit security for smart-card payment schemes with UMLsec. In M. Dupuy and P. Paradinas, editors, Trusted Information: The New Decade Challenge, pages 93–108. International Federation for Information Processing (IFIP), Kluwer Academic Publishers, 2001. Proceedings of SEC 2001-16th International Conference on Information Security.Google Scholar
  17. [Jür01d]
    Jan Jürjens. Principles for Secure Systems Design. PhD thesis, Oxford University Computing Laboratory, 2001. In preparation.Google Scholar
  18. [Jür01e]
    Jan Jürjens. Secrecy-preserving refinement. In Formal Methods Europe (International Symposium), volume 2021 of LNCS, pages 135–152. Springer-Verlag, 2001.zbMATHGoogle Scholar
  19. [Jür01f]
    Jan Jurjens. Towards development of secure systems using UMLsec. In Hußmann [Huß01], pages 187–200. Also OUCL TR-9-00 (Nov. 2000),
  20. [Kar00a]
    G. Karjoth. Authorization in CORBA security. Journal of Computer Security, 8(2,3):89–108, 2000.CrossRefGoogle Scholar
  21. [Kar00b]
    G. Karjoth. Java and mobile code security-an operational semantics of Java 2 access control. In IEEE Computer Security Foundations Workshop, 2000.Google Scholar
  22. [KG98]
    L. Kassab and S. Greenwald. Towards formalizing the Java Security Architecture in JDK 1.2. In European Symposium on Research in Computer Security (ESORICS), LNCS. Springer-Verlag, 1998.Google Scholar
  23. [LGK+99]
    C. Lai, L. Gong, L. Koved, A. Nadalin, and R. Schemers. User authentication and authorization in the Java platform. In IEEE Annual Computer Security Applications Conference, 1999.Google Scholar
  24. [Mea01]
    W. Measor. Secure byzantine agreement-design, implementation and verification. Master’s thesis, Oxford University Computing Laboratory, 2001.Google Scholar
  25. [ND97]
    V. Nicomette and Y. Deswarte. An Authorization scheme for distributed object systems. In IEEE Symposium on Security and Privacy, 1997.Google Scholar
  26. [RSG+01]
    P. Ryan, S. Schneider, M. Goldsmith, G. Lowe, and B. Roscoe. The Modelling and Analysis of Security Protocols: the CSP Approach. Addison-Wesley, 2001.Google Scholar
  27. [Sam00]
    P. Samarati. Access control: Policies, models, architectures, and mechanisms. Lecture Notes, 2000.Google Scholar
  28. [SP00]
    P. Stevens and R. Pooley. Using VML. Addison-Wesley, 2000.Google Scholar
  29. [SS75]
    J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278–1308, September 1975.CrossRefGoogle Scholar
  30. [SS94]
    R. Sandhu and P. Samarati. Access control: Principles and practice. IEEE Communications, 32(9), 1994.Google Scholar
  31. [UML01]
    UML Revision Task Force. OMG UML Specification v. 1.4 (draft). OMG Document ad/01-02-14. Available at, February 2001.
  32. [Var95]
    V. Varadharajan. Distributed object system security. In H.P. Eloff and S.H. von Solms, editors, Information Security-the next Decade, pages 305–321. Chapman & Hall, 1995.Google Scholar
  33. [VH96]
    V. Varadharajan and T. Hardjono. Security model for distributed object framework and its applicability to CORBA. In 12th International Information Security Conference IFIP SEC’96, 1996.Google Scholar
  34. [WF98]
    D. Wallach and E. Felten. Understanding Java Stack Inspection. In IEEE Security and Privacy, 1998.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2002

Authors and Affiliations

  • Jan Jürjens
    • 1
  1. 1.Computing LaboratoryUniversity of OxfordGB

Personalised recommendations