Model-to-model transformation approach for systematic integration of security aspects into UML 2.0 design models

Security is a challenging task in software engineering. Traditionally, security concerns are treated as an afterthought to the development process and are thus fitted into pre-existing software without considering whether this would jeopardize the main functionality of the software or even produce additional vulnerabilities. Enforcing security policies should be taken care of during the early phases of the software development life cycle in order to decrease development costs and reduce maintenance time. In addition to cost savings, this way of development will produce more reliable software, since security-related concepts will be considered in each step of the design. Similarly, the implications of inserting such mechanisms into the existing system's requirements will be considered as well. Since security is a crosscutting concern that pervades the entire software, integrating security solutions at the software design level may result in the scattering and tangling of security features throughout the entire design. Additionally, traditional hardening approaches are tedious and error-prone, as they involve manual modifications. In this context, a systematic way to integrate security concerns into the software development process becomes crucial. In this thesis, we define an aspect-oriented modeling approach for specifying and integrating security concerns into UML design models. The proposed approach makes use of the expertise of the software security specialist by providing the specialist with the means to specify generic UML aspects that are then incorporated ("woven") into the developers' models. Model transformation mechanisms are employed to obtain an efficient and fully automatic weaving process.
