Integrating a Security Requirement Language with UML

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3273)


We present an approach that integrates a language for precise and high-level specification of application security requirements, the Security Requirement Language (SRL), with an existing modeling technique, namely, the Unified Modeling Language (UML). SRL is based on first-order logic extended with a small set of modal operators and a syntactic abstraction mechanism. It offers extensibility in that new application/domain-specific requirements can be defined and reused. The focus of SRL is the security of communication in distributed systems. The integrated framework enables developers to add to system models security requirements, such as confidentiality, non-repudiation, and authentication, at an early stage of development, making security an integral part of the system development process. We illustrate the practical usability of our approach by presenting an example, and discuss the experiences that the users of our approach, i.e., system developers, have reported.


Security Requirement Security Protocol Sequence Diagram Cryptographic Protocol Integration Methodology 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Gordon, A.D.: A Calculus for Cryptographic Protocols, The Spi Calculus. Research Report, digital Systems Research Center (January 1998)Google Scholar
  2. 2.
    Aredo, D.B., Kristoffersen, T., Mazaher, S.: Abstract Security Requirement Specification. Technical Report DART/03/04, Norsk Regnesentral, Oslo, Norway (March 2004)Google Scholar
  3. 3.
    Bieber, P.: A Logic of Communication in a Hostile environment. In: Proceedings of the Computer Security Foundations Workshop III, June 1990, IEEE Computer Society Press, Los Alamitos (1990)Google Scholar
  4. 4.
    Burrows, M., Abadi, M., Needham, R.: A Logic of Authentication. ACM Transactions on Computer Systems 8(1) (February 1990)Google Scholar
  5. 5.
    CASENET, IST project 2001-32446: User Trial Progress Report. Deliverable CASENET/WP5/D5.2 (June 2003)Google Scholar
  6. 6.
    CASENET, IST project IST-2001-32446:
  7. 7.
    Denker, G., Millen, J., Rues, H.: The CAPSL Integrated Protocol Environment. Technical Report SRI-CSL-2000-02, SRI International, Computer Science Laboratory (October 2000)Google Scholar
  8. 8.
    Higginbotham, M.D., Maley, J.G., Milheizler, A.J., Suskie, B.j.: Integrating Information Security Engineering with System Engineering with System Engineering Tools. In: Proceedings of WETICE 1998 (July 1998)Google Scholar
  9. 9.
    Jurjens, J.: UMLsec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, p. 412. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, p. 426. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. In: Brinksma, E., Steffen, B., Cleaveland, W.R., Larsen, K.G., Margaria, T. (eds.) TACAS 1995. LNCS, vol. 1019, Springer, Heidelberg (1996)Google Scholar
  12. 12.
    Meadows, C., Syverson, P.: A Formal Language for Cryptographic Protocol Requirements. Designs, Codes and Cryptography 7(1-2) (January 1996)Google Scholar
  13. 13.
    Meadows, C.: The NRL Protocol Analyzer: An Overview. Journal of Logic Programming 26(2) (1996)Google Scholar
  14. 14.
    Moser, L.: A Logic of Knowledge and Belief for Reasoning about Computer Security. In: Proceedings of the Computer Security Foundations Workshop II, June 1989, IEEE Computer Society Press, Los Alamitos (1989)Google Scholar
  15. 15.
    Mouratidis, H., Giorgini, P., Manson, G.: Integrating Security and Systems Engineering: Towards the Modeling of Secure Information Systems. In: Eder, J., Missikoff, M. (eds.) CAiSE 2003. LNCS, vol. 2681, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    OMG: The Unified Modeling Language Specification V1.5., Object Management Group, Needham, MA, U.S.A.” (March 2003)Google Scholar
  17. 17.
  18. 18.
    Shroff, M., France, R.: Towards a Formalization of UML Class Structures in Z. In: Proceedings of COMPSAC 1997 (August 1997)Google Scholar
  19. 19.
    Syverson, P.: Formal Semantics of Logics of Cryptographic Protocols. In: Proceedings of the Computer Security Foundations Workshop III, June 1990, IEEE Computer Society Press, Los Alamitos (1990)Google Scholar
  20. 20.
    Wimmel, G., Wißpeintner, A.: Extended Description Techniques for Security Engineering. In: Dupuy, M., Paradinas, P. (eds.) Trusted Information, The New Decade Challenge, Proceedings of the IFIP 16th International Conference on Information Security (Sec 2001), Kluwer Academic Publishers, Dordrecht (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  1. 1.Norwegian Computing CenterBlindern, OsloNorway
  2. 2.NetUnion sarlLausanneSwitzerland

Personalised recommendations