This paper introduces the development of secrecy models by transformation, with formal validation. In an enterprise, constructing a secrecy model is a participatory exercise involving policy makers and policy implementers. Policy makers iteratively provide business governance requirements, while policy implementers formulate rules of access in computer-executable terms. The process is error prone and may lead to undesirable situations that threaten the security of the enterprise. At each iteration, a security officer (SO) needs to guarantee business continuity by ensuring property preservation, and also needs to check for potential threats introduced by policy changes. This paper proposes a method that addresses both aspects: the formal analysis of transformation results and the formal proof that transformations are property preserving. UML is used for expressing and transforming models [1], and the Alloy analyzer is used to perform integrity checks [3]. Governance requirements dictate a security policy that regulates access to information. This policy is implemented by means of secrecy models; hence, the SO defines the mandatory secrecy rules as part of the enterprise governance model in order to implement the security policy. For instance, a secrecy rule may state: higher-ranking officers have read rights to information at lower ranks. Automation helps reduce design errors in combined and complex secrecy models [2]. However, current industry practice does not include precise methods for constructing and validating enterprise governance models. Our research proposes a formal transformation method that constructs secrecy models by applying transformations to a base UML model (BM). For example, starting from the BM, which has only three primitives (Subject/Verb/Object), we can generate RBAC0 as well as the SecureUML model [2].
By way of examples and by means of formal analysis, we intend to show that, using our method, an SO is able to build different types of secrecy models and validate them for consistency, in addition to detecting scenarios resulting from unpreserved properties.
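As an added illustration (not code from the paper), the Python sketch below plays the method through on a constructed policy: a base model of Subject/Verb/Object triples is transformed into an RBAC0 model, the result is compared with the base model to find unpreserved accesses (the counterexample search the paper delegates to Alloy), and the example secrecy rule is checked against the derived access relation. The ranks, objects, the role-per-subject transformation, the lossy role-merging transformation and the strict "no read at or above own rank" reading of the rule are all assumptions.

```python
# Added illustration, not the paper's code. All names, ranks and rules are constructed.

# Ranks of subjects and classification of objects (higher number = higher rank).
RANK = {"general": 3, "colonel": 2, "sergeant": 1}
OBJ_RANK = {"colonel_report": 2, "sergeant_log": 1}

# Base model (BM): direct Subject/Verb/Object access triples.
BM = {
    ("general", "read", "colonel_report"),
    ("general", "read", "sergeant_log"),
    ("colonel", "read", "sergeant_log"),
    ("sergeant", "write", "sergeant_log"),
}

def to_rbac0(bm):
    """Transformation BM -> RBAC0 (assumed rule): one role per subject, holding that
    subject's (verb, object) pairs. Returns UA (user-role) and PA (role-permission)."""
    ua, pa = set(), set()
    for subj in {s for s, _, _ in bm}:
        role = "role_" + subj
        ua.add((subj, role))
        pa.update((role, v, o) for s, v, o in bm if s == subj)
    return ua, pa

def rbac0_access(ua, pa):
    """Access relation induced by an RBAC0 model: a user may do what any of its roles may."""
    return {(u, v, o) for u, r in ua for r2, v, o in pa if r == r2}

def unpreserved(bm, ua, pa):
    """Property-preservation check: triples present in exactly one of the two models.
    Empty means the transformation preserved the access relation; a non-empty set is
    the counterexample an Alloy-style analysis would report."""
    return bm ^ rbac0_access(ua, pa)

def read_up_violations(access):
    """Secrecy-rule check. The paper's example rule grants read-down; here it is read
    strictly (assumption): a subject may read only objects below its own rank."""
    return {(s, v, o) for s, v, o in access if v == "read" and RANK[s] <= OBJ_RANK[o]}

def merge_roles(ua, pa, shared="role_all"):
    """A lossy second transformation that collapses every role into one shared role."""
    return {(u, shared) for u, _ in ua}, {(shared, v, o) for _, v, o in pa}

if __name__ == "__main__":
    ua, pa = to_rbac0(BM)
    print("faithful transformation, unpreserved:", unpreserved(BM, ua, pa))
    ua2, pa2 = merge_roles(ua, pa)
    print("merged roles, unpreserved:", sorted(unpreserved(BM, ua2, pa2)))
    print("read-up violations after merge:", sorted(read_up_violations(rbac0_access(ua2, pa2))))
```

The faithful transformation yields no unpreserved triple and no rule violation; merging roles adds five accesses absent from the BM, three of which break the read-down rule, which is exactly the kind of scenario the SO must detect.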
[1] David Basin, et al. Model driven security: From UML models to access control infrastructures. TSEM, 2006.
[2] Indrakshi Ray, et al. On challenges of model transformation from UML to Alloy. Software & Systems Modeling, 2008.
[3] Kevin Lano, et al. Slicing of UML models using model transformations. MODELS'10, 2010.
[4] Indrakshi Ray, et al. UML2Alloy: a challenging model transformation. MODELS'07, 2007.
[5] Diego Calvanese, et al. Reasoning on UML class diagrams. Artif. Intell., 2005.