Specifying Security Aspects in UML Models

The expansion of computer systems and the increasing number of services provided over the Internet have led software engineers to worry about the security of their software. One reason for the problem is the short amount of time dedicated to testing these characteristics, which leads to insecure software being released to end users. To ease this problem, model-based testing is becoming popular. Several works propose standards for modelling various elements, but few address security characteristics. This article presents a technique for specifying UML security stereotypes, aiming to guide developers by annotating the vulnerable parts of a model and to allow automatic generation of security test cases.
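The abstract describes two uses for security stereotypes: marking which model elements are exposed to a threat, and deriving security test cases from those marks. The following is an added example, not code or a stereotype profile from this article, that sketches how such a pipeline can work. The stereotype names («untrustedInput», «secured»), their tagged values (maxLength, sinks, role), the AccountService model and the probe strings are all assumptions chosen for illustration; a real profile would define its own vocabulary.

```python
"""Generate security test cases from a stereotype-annotated class model.

Added example (not from the article). The stereotypes, tagged values and
the sample model are hypothetical; they stand in for a UML profile.
"""
from dataclasses import dataclass, field


@dataclass
class Parameter:
    name: str
    type: str
    stereotypes: dict = field(default_factory=dict)  # stereotype -> tagged values


@dataclass
class Operation:
    name: str
    params: list
    stereotypes: dict = field(default_factory=dict)


@dataclass
class ClassModel:
    name: str
    operations: list


# Probe inputs per sink kind named in the «untrustedInput» tagged value
# "sinks" (hypothetical vocabulary: "sql", "path").
INJECTION_PROBES = {
    "sql": ["' OR '1'='1", "'; --"],
    "path": ["../../etc/passwd"],
}


def generate_tests(cls):
    """Walk the model and emit one abstract test case per stereotype finding."""
    cases = []
    for op in cls.operations:
        target = f"{cls.name}.{op.name}"

        # «secured» on an operation: call it without the required role and
        # expect an authorization failure rather than the normal result.
        if "secured" in op.stereotypes:
            role = op.stereotypes["secured"].get("role", "authenticated")
            cases.append({
                "name": f"{target}_without_role_{role}",
                "target": target,
                "param": None,
                "input": {"caller_role": "anonymous"},
                "expected": "access_denied",
            })

        for p in op.params:
            tags = p.stereotypes.get("untrustedInput")
            if tags is None:
                continue  # parameter not marked as attacker-controlled

            # Boundary test: one character beyond the declared maximum length.
            max_len = tags.get("maxLength")
            if max_len is not None:
                cases.append({
                    "name": f"{target}.{p.name}_over_length",
                    "target": target,
                    "param": p.name,
                    "input": "A" * (max_len + 1),
                    "expected": "reject",
                })

            # Injection tests: one probe per known sink the parameter flows to.
            for sink in tags.get("sinks", []):
                for i, probe in enumerate(INJECTION_PROBES.get(sink, [])):
                    cases.append({
                        "name": f"{target}.{p.name}_{sink}_injection_{i}",
                        "target": target,
                        "param": p.name,
                        "input": probe,
                        "expected": "reject_or_neutralize",
                    })
    return cases


def example_model():
    """Constructed sample model: an account service with two operations."""
    return ClassModel("AccountService", [
        Operation("login", [
            Parameter("username", "String",
                      {"untrustedInput": {"maxLength": 32, "sinks": ["sql"]}}),
            Parameter("password", "String",
                      {"untrustedInput": {"maxLength": 128}}),
        ]),
        Operation("deleteAccount", [Parameter("id", "Integer")],
                  {"secured": {"role": "admin"}}),
    ])


if __name__ == "__main__":
    for case in generate_tests(example_model()):
        print(case["name"], "->", case["expected"])
```

The generated cases are abstract (target, parameter, input, expected outcome); a later stage binds them to a concrete test harness. Keeping the annotation in the model rather than in the tests is what lets the same stereotype drive both developer guidance and test generation, which is the pairing the abstract describes.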
