A UML-based static verification framework for security

Secure software engineering is a new research area that has been proposed to address security issues during the development of software systems. It advocates that security characteristics should be considered from the early stages of the software development life cycle and should not be added as another layer on an ad-hoc basis after the system is built. In this paper, we describe a UML-based Static Verification Framework (USVF) to support the design and verification of secure software systems in the early stages of the software development life cycle, taking into consideration both the security and the general requirements of the software system. USVF performs static verification on UML models consisting of UML class and state machine diagrams extended by an action language. We present an operational semantics of UML models, define a property specification language designed to reason about temporal and general properties of UML state machines using the semantic domains of that operational semantics, and implement the model checking process by translating models and properties into Promela, the input language of the SPIN model checker. We show that the methodology can be applied to the verification of security properties by representing the main aspects of security, namely availability, integrity and confidentiality, in the USVF property specification language.
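The following is an added illustration of the approach the abstract describes, not code from the paper or from USVF. USVF translates the UML model and its properties into Promela and lets SPIN explore the state space; here a small explicit-state explorer written in Python stands in for SPIN so the idea can be run directly. The state machine is a constructed login session (states Idle, Checking, Authenticated, Locked; variables `failures` and `session`), with guards and actions written as Python callables in place of the paper's action language. The three properties are my own reading of how availability, integrity and confidentiality can be phrased over such a model: confidentiality as a precondition on the `read` action, integrity as a state invariant on the failure counter, and availability as "Authenticated remains reachable from every reachable state". `MAX_FAILURES`, the event names and the variable names are all assumptions of this example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

MAX_FAILURES = 3  # assumed lockout threshold for the constructed model

Vars = Dict[str, int]
State = Tuple[str, Tuple[Tuple[str, int], ...]]  # (control state, sorted variable valuation)
Edge = Tuple[State, str, State]                   # (source, event, target)


class Transition:
    """One UML-style transition: src --event[guard]/action--> tgt."""
    def __init__(self, src, event, tgt, guard=None, action=None):
        self.src, self.event, self.tgt = src, event, tgt
        self.guard = guard or (lambda v: True)
        self.action = action or (lambda v: None)


def session_machine(with_reset: bool = True) -> List[Transition]:
    """Constructed login-session state machine (hypothetical, not from the paper)."""
    def fail(v):
        v["failures"] += 1
    ts = [
        Transition("Idle", "login", "Checking"),
        Transition("Checking", "ok", "Authenticated",
                   action=lambda v: v.update(failures=0, session=1)),
        Transition("Checking", "bad", "Idle",
                   guard=lambda v: v["failures"] + 1 < MAX_FAILURES, action=fail),
        Transition("Checking", "bad", "Locked",
                   guard=lambda v: v["failures"] + 1 >= MAX_FAILURES, action=fail),
        Transition("Authenticated", "read", "Authenticated"),
        Transition("Authenticated", "logout", "Idle",
                   action=lambda v: v.update(session=0)),
    ]
    if with_reset:  # dropping this transition makes Locked a dead end
        ts.append(Transition("Locked", "reset", "Idle",
                             action=lambda v: v.update(failures=0)))
    return ts


def pack(control: str, v: Vars) -> State:
    return control, tuple(sorted(v.items()))


def unpack(s: State) -> Tuple[str, Vars]:
    return s[0], dict(s[1])


def explore(transitions: List[Transition], init: State) -> Tuple[Set[State], List[Edge]]:
    """Explicit-state BFS over the reachable global states (control state x variables)."""
    seen, edges, queue = {init}, [], deque([init])
    while queue:
        s = queue.popleft()
        control, v = unpack(s)
        for t in transitions:
            if t.src != control or not t.guard(v):
                continue  # transition not enabled in this state
            v2 = dict(v)
            t.action(v2)  # run the action on a copy of the valuation
            s2 = pack(t.tgt, v2)
            edges.append((s, t.event, s2))
            if s2 not in seen:
                seen.add(s2)
                queue.append(s2)
    return seen, edges


def check_invariant(states, pred) -> List[State]:
    """Safety: pred(control, vars) holds in every reachable state; returns violations."""
    return sorted(s for s in states if not pred(*unpack(s)))


def check_event_precondition(edges, event, pred) -> List[Edge]:
    """Safety on actions: whenever `event` fires, pred holds in its source state."""
    return [e for e in edges if e[1] == event and not pred(*unpack(e[0]))]


def check_always_reachable(states, edges, control) -> List[State]:
    """Availability: from every reachable state `control` can still be reached.
    Backward fixpoint from the goal states over the edge relation; returns the states
    that can never get there again."""
    good = {s for s in states if s[0] == control}
    changed = True
    while changed:
        changed = False
        for src, _, dst in edges:
            if dst in good and src not in good:
                good.add(src)
                changed = True
    return sorted(states - good)


def verify(transitions: List[Transition]) -> Dict[str, list]:
    """Run the three security properties; an empty list means the property holds."""
    init = pack("Idle", {"failures": 0, "session": 0})
    states, edges = explore(transitions, init)
    return {
        "confidentiality": check_event_precondition(
            edges, "read", lambda c, v: v["session"] == 1),
        "integrity": check_invariant(
            states, lambda c, v: c == "Locked" or v["failures"] < MAX_FAILURES),
        "availability": check_always_reachable(states, edges, "Authenticated"),
    }


if __name__ == "__main__":
    for name, machine in (("with reset", session_machine()),
                          ("without reset", session_machine(with_reset=False))):
        print(name, {k: len(v) for k, v in verify(machine).items()})
```

The variant without the `reset` transition is the interesting case: confidentiality and integrity still hold, but the availability check reports the Locked state, which is exactly the kind of counterexample a model checker such as SPIN returns when a temporal property fails.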
