UMLsec: Extending UML for Secure Systems Development
Developing security-critical systems is difficult, and there are many well-known examples of security weaknesses exploited in practice. Thus a sound methodology supporting secure systems development is urgently needed.
Our aim is to aid the difficult task of developing security-critical systems with an approach based on the notation of the Unified Modeling Language. We present UMLsec, an extension of UML that allows security-relevant information to be expressed within the diagrams of a system specification. UMLsec is defined in the form of a UML profile using the standard UML extension mechanisms. In particular, the associated constraints give criteria to evaluate the security aspects of a system design, by referring to a formal semantics of a simplified fragment of UML. We demonstrate the concepts with examples.
Keywords: Security Requirement, Local Area Network, Formal Semantic, Activity Diagram, Adversary Model