
Model-Based Security Engineering with UML

  • Chapter

Part of the Lecture Notes in Computer Science book series (LNSC,volume 3655)

Abstract

Developing security-critical systems is difficult and there are many well-known examples of security weaknesses exploited in practice. Thus a sound methodology supporting secure systems development is urgently needed.

Our aim is to aid the difficult task of developing security-critical systems in a formally based approach using the notation of the Unified Modeling Language. We present UMLsec, an extension of UML that allows one to express security-relevant information within the diagrams of a system specification. UMLsec is defined in the form of a UML profile using the standard UML extension mechanisms. In particular, the associated constraints give criteria for evaluating the security aspects of a system design by referring to a formal semantics of a simplified fragment of UML. We explain how these constraints can be formally verified against the dynamic behavior of the specification using automated theorem provers for first-order logic. This formal security verification can also be extended to C code generated from the specifications.

Keywords

  • Smart Card
  • Security Requirement
  • Security Protocol
  • Sequence Diagram
  • Formal Semantic




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Jürjens, J. (2005). Model-Based Security Engineering with UML. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds) Foundations of Security Analysis and Design III. FOSAD 2004/2005. Lecture Notes in Computer Science, vol 3655. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11554578_2


  • DOI: https://doi.org/10.1007/11554578_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28955-5

  • Online ISBN: 978-3-540-31936-8

  • eBook Packages: Computer Science (R0)