A Formal Framework for Secure Design and Constraint Checking in UML

The design of software applications using the Unified Modeling Language (UML) embodies an incremental process, transitioning a design from state to state over time. The integration of security into this process is critical to satisfying an application's security requirements. This paper reports on a formal approach that incorporates role-based access control (RBAC), mandatory access control (MAC), and lifetimes, with constraint checking, into UML for time-sensitive application design. The resulting framework promotes secure software design by tracking an application's security requirements as UML elements and connections are added, modified, and deleted. It also captures snapshots of each design state by checking constraints on the security satisfaction properties of the design. Our objective in this paper is to detail the formal functional model with constraint checking that is able to track security for a UML design via the creation and maintenance of multiple design instances. To demonstrate the feasibility of our efforts, we report on the transition of the functional framework for secure design into Borland's UML tool Together Control Center.
