Usability of Security Specification Approaches for UML Design: A Survey

Since it is the de facto language for software specification and design, UML is the target language used by almost all state-of-the-art contributions handling security at the specification and design level. However, these contributions differ in the security requirements they cover, their specification approaches, verification tools, etc. This paper investigates the main approaches adopted for specifying and enforcing security at the UML design level and surveys the related state of the art. The main contribution of this paper is a discussion of these approaches from a usability viewpoint. A set of criteria has been defined and used in this usability discussion. The discussed UML approaches are stereotypes and tagged values, OCL, and behavior diagrams. Extending the UML meta-language or creating new meta-languages for security specification are also covered by this study.
