Model driven security: From UML models to access control infrastructures

We present a new approach to building secure systems. In our approach, which we call Model Driven Security, designers specify system models along with their security requirements and use tools to automatically generate system architectures from the models, including complete, configured access control infrastructures. Rather than fixing one particular modeling language for this process, we propose a general schema for constructing such languages that combines languages for modeling systems with languages for modeling security. We present several instances of this schema that combine (both syntactically and semantically) different UML modeling languages with a security modeling language for formalizing access control requirements. From models in the combined languages, we automatically generate access control infrastructures for server-based applications, built from declarative and programmatic access control mechanisms. The modeling languages and generation process are semantically well-founded and are based on an extension of Role-Based Access Control. We have implemented this approach in a UML-based CASE-tool and report on experiments.
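
The generation step described above can be sketched as follows; this is an added illustration, not code from the paper or its CASE tool. The model format, the Meeting resource, the role names and the owner constraint are all hypothetical, and treating authorization constraints as the RBAC extension is an assumption: role grants become a declarative table, and constrained grants become programmatic guards.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Permission:
    role: str
    resource: str
    action: str
    # Optional authorization constraint: (caller, obj) -> bool
    constraint: Optional[Callable[[dict, dict], bool]] = None

# Constructed sample model (hypothetical names throughout).
MODEL = {
    "inherits": {"Supervisor": {"User"}},  # Supervisor inherits User's permissions
    "permissions": [
        Permission("User", "Meeting", "read"),
        Permission("User", "Meeting", "update", lambda c, o: c["name"] == o["owner"]),
        Permission("Supervisor", "Meeting", "cancel"),
    ],
}

def senior_roles(model, role):
    """Roles holding `role`'s permissions: the role itself plus all its seniors."""
    found, grew = {role}, True
    while grew:
        grew = False
        for senior, juniors in model["inherits"].items():
            if senior not in found and juniors & found:
                found.add(senior)
                grew = True
    return found

def generate(model):
    """Emit a declarative role table and the programmatic guards it cannot express."""
    grants = {}
    for p in model["permissions"]:
        key = (p.resource, p.action)
        for r in senior_roles(model, p.role):
            grants.setdefault(key, {}).setdefault(r, []).append(p.constraint)
    declarative = {k: set(v) for k, v in grants.items()}
    # A guard is needed only where every grant a role holds is constrained.
    guards = {(k, r): cs for k, v in grants.items() for r, cs in v.items() if all(cs)}
    return declarative, guards

def is_allowed(declarative, guards, caller, resource, action, obj):
    key = (resource, action)
    for role in caller["roles"] & declarative.get(key, set()):  # declarative check
        cs = guards.get((key, role))
        if cs is None or any(c(caller, obj) for c in cs):       # programmatic check
            return True
    return False  # default deny: unmodeled actions and failed guards are refused
```

Note that the Supervisor role inherits the constrained update permission unchanged, so a supervisor who is not the owner is still denied an update.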
