UML Design with Security Integration as First Class Citizen

Security for software applications involves defining what needs to be protected (security policy), authorizing privileges of the application to users, authenticating application users, and providing a high degree of security assurance with regard to the access of users to the application. To address security during software design/development, our previous work has proposed a model to incorporate role-based access control (RBAC) and mandatory access control (MAC) into the unified modeling language (UML) to support the definition of security for software applications. Included in this work is a series of design-time checks that ensure that the defined RBAC/MAC security is always consistent as a UML design with security properties is created and modified. In this paper, we extend this effort by proposing a formal model that combines typed logic with active database language concepts in order to support the checking of constraints during design-time (as UML diagrams are created and modified) and post-design (for the entire UML design that represents a version) towards the attainment of security assurance. To demonstrate the feasibility and utility of our work on secure software design, our RBAC/MAC enhancements and the constraint checking have been integrated into Borland's UML tool Together Control Center.
