RBAC/MAC Security Analysis and Design for UML

In software construction, analysis investigates the boundary of a system (scope and requirements), its usage and access, and, from a security perspective, who needs access to what, and when. Given sufficient analysis, a logical initial solution can be designed to capture system functionality, including security capabilities. To facilitate the iterative process of analysis and design, one popular technique is the Unified Modeling Language (UML), a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives on the design, including use-case diagrams for the interaction of users with system components, class diagrams for the static classes and the relationships among them, and sequence diagrams for the dynamic behavior of objects. However, UML does not directly support the analysis and design of security requirements. In this paper, we propose an approach that incorporates role-based access control (RBAC) and mandatory access control (MAC) into UML use-case and class diagrams, providing support for the design of roles (associated with use-case actors), and of clearances and classifications for relevant UML elements. In addition, we provide analysis across the UML diagrams, as actors, use cases and classes are defined, to support a degree of security assurance (with mutual exclusion), and to upgrade the usage of UML for secure RBAC/MAC software design. To demonstrate the feasibility and utility of our work, we briefly report on the progress of integrating our RBAC/MAC enhancements into Borland's UML tool, Together Control Center.
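The design-time analysis described above can be sketched as a check that runs each time a diagram element is connected. This is an added example, not code from the paper or from Together Control Center. The level names, the dominance rules (actor clearance over use-case classification, use-case classification over method classification), the `Design` class and the sample model are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed linear sensitivity levels; labels are illustrative, not from the paper.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dominates(a: str, b: str) -> bool:
    """True when level a is at least as sensitive as level b."""
    return LEVELS[a] >= LEVELS[b]

@dataclass
class Design:
    actors: dict      # actor (role) -> clearance
    use_cases: dict   # use case -> classification
    methods: dict     # "Class.method" -> classification
    mutex: set        # frozenset pairs of use cases one role may not combine
    uses: dict = field(default_factory=dict)   # accepted actor -> use cases
    calls: dict = field(default_factory=dict)  # accepted use case -> methods

    def connect_actor(self, actor: str, uc: str) -> list:
        """Check an actor/use-case association; record it only if clean."""
        errs = []
        if not dominates(self.actors[actor], self.use_cases[uc]):
            errs.append(f"MAC: {actor} clearance below {uc} classification")
        for held in sorted(self.uses.get(actor, ())):
            if frozenset((held, uc)) in self.mutex:
                errs.append(f"RBAC: {uc} mutually exclusive with {held}")
        if not errs:
            self.uses.setdefault(actor, set()).add(uc)
        return errs

    def connect_method(self, uc: str, method: str) -> list:
        """Check a use-case/method association (assumed rule: use case dominates)."""
        if not dominates(self.use_cases[uc], self.methods[method]):
            return [f"MAC: {uc} classification below {method} classification"]
        self.calls.setdefault(uc, set()).add(method)
        return []

def sample_design() -> Design:
    """Constructed model: two roles, two use cases, two class methods."""
    return Design(
        actors={"Clerk": "C", "Supervisor": "S"},
        use_cases={"Enter Survey": "C", "Approve Survey": "S"},
        methods={"Survey.addQuestion": "C", "Survey.approve": "S"},
        mutex={frozenset(("Enter Survey", "Approve Survey"))},
    )
```

Rejected associations are never recorded, so the stored model only ever contains connections that passed both the MAC and the mutual-exclusion check.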
