A Systematic Review of Model-Driven Security

To face continuously growing security threats and requirements, sound methodologies for constructing secure systems are required. In this context, Model-Driven Security (MDS) emerged more than a decade ago as a specialized Model-Driven Engineering approach for supporting the development of secure systems. MDS aims at improving the productivity of the development process and the quality of the resulting secure systems, with models as the main artifact. This paper presents how we systematically examined existing published work in MDS, together with the results of that examination. The systematic review process, which is based on a formally designed review protocol, allowed us to identify, classify, and evaluate different MDS approaches. More specifically, from thousands of relevant papers found, a final set of the most relevant MDS publications has been identified, strictly selected, and reviewed. We present a taxonomy for MDS, which is used to synthesize data in order to classify and evaluate the selected MDS approaches. The results draw a wide picture of existing MDS research, showing the current status of the key aspects of MDS as well as the most relevant MDS approaches identified. We discuss the main limitations of the existing MDS approaches and suggest some potential research directions based on these insights.
