UML specification of access control policies and their formal verification

Security requirements have become an integral part of most modern software systems. In order to produce secure systems, it is necessary to provide software engineers with appropriate systematic support. We propose a methodology for integrating the specification of access control policies into the Unified Modeling Language (UML), and we provide a graph-based formal semantics for the UML access control specification that makes it possible to reason about the coherence of the access control specification. The main concepts of the UML access control specification are illustrated with an example access control model for distributed object systems.
