Secure Java Development with UML
Developing secure software systems is difficult and error-prone. Numerous implementations have been found vulnerable in the past; a recent example is the unauthorised access to millions of online account details at an American bank.
We aim to address this general problem in the context of development in Java. While the JDK 1.2 security architecture offers features (such as guarded objects) that provide a high degree of flexibility and the possibility to perform fine-grained access control, these features are not so easy to use correctly.
We show how to use a formal core of the Unified Modeling Language (UML), the de-facto industry standard in object-oriented modelling, to correctly employ Java security concepts such as signing, sealing, and guarding objects. We prove results for the verification of specifications with respect to security requirements. We illustrate our approach with a (simplified) account of the development of a web-based financial application from formal specifications.
Keywords: Distributed systems security; access control; mobile code; Java security; secure software engineering; Unified Modeling Language
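The three JDK 1.2 security objects the abstract names, shown together in an added example that is not part of the paper: a record is signed (SignedObject), the signed object is sealed (SealedObject), and the sealed object is placed behind a GuardedObject whose Guard releases it only to the owner. The Account data, the OwnerGuard and the ThreadLocal PRINCIPAL standing in for the caller's access-control context are constructed for this illustration; the code needs Java 16 or later for the record.

```java
import java.io.Serializable;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

public class SecurityObjectsDemo {
    // Constructed payload standing in for the financial application's account data.
    record Account(String owner, long balanceCents) implements Serializable {}

    // Hypothetical ambient "who is asking" context, standing in for the caller's access-control context.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Guard.checkGuard receives the protected object, not the requester, so the guard must
    // decide from ambient context (here PRINCIPAL) whether to release it.
    static final class OwnerGuard implements Guard, Serializable {
        private final String owner;
        OwnerGuard(String owner) { this.owner = owner; }
        @Override public void checkGuard(Object protectedObject) {
            if (!owner.equals(PRINCIPAL.get()))
                throw new SecurityException("access denied for principal " + PRINCIPAL.get());
        }
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account("alice", 125_000);

        // Signing: integrity and origin. A tampered payload or wrong public key fails verify().
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Signature sig = Signature.getInstance("SHA256withRSA");
        SignedObject signed = new SignedObject(acct, kp.getPrivate(), sig);
        System.out.println("signature valid: " + signed.verify(kp.getPublic(), sig));

        // Sealing: confidentiality. Only a holder of the AES key can recover the contents.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, key);                  // random IV, stored inside the SealedObject
        SealedObject sealed = new SealedObject(signed, enc); // seal the signed object, not the raw record

        // Guarding: access control. Every getObject() call is checked by the Guard first.
        GuardedObject guarded = new GuardedObject(sealed, new OwnerGuard("alice"));
        PRINCIPAL.set("mallory");
        try { guarded.getObject(); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        PRINCIPAL.set("alice");
        SealedObject released = (SealedObject) guarded.getObject();
        SignedObject inner = (SignedObject) released.getObject(key);
        System.out.println("released to owner: " + ((Account) inner.getObject()).owner());
    }
}
```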