Abstract
We show how UML (the industry standard in object-oriented modelling) can be used to express security requirements during system development. Using the extension mechanisms provided by UML, we incorporate standard concepts from formal methods regarding multi-level secure systems and security protocols. These definitions are evaluated against diagrams of various kinds and indicate possible vulnerabilities.
On the theoretical side, this work exemplifies the use of the extension mechanisms of UML and of a (simplified) formal semantics for it. A more practical aim is to enable developers (who may not be security specialists) to make use of established knowledge on security engineering through a widely used notation.
© 2001 Springer-Verlag Berlin Heidelberg
Jürjens, J. (2001). Towards Development of Secure Systems Using UMLsec. In: Hussmann, H. (eds) Fundamental Approaches to Software Engineering. FASE 2001. Lecture Notes in Computer Science, vol 2029. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45314-8_14
DOI: https://doi.org/10.1007/3-540-45314-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41863-4
Online ISBN: 978-3-540-45314-7