DOI: 10.1145/1029133.1029144
Article

MAC and UML for secure software design

Published: 29 October 2004

ABSTRACT

Security must be a first class citizen in the design of large scale, interacting, software applications, at early and all stages of the lifecycle, for accurate and precise policy definition, authorization, authentication, enforcement, and assurance. One of the dominant players in software design is the unified modeling language, UML, a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives for different stakeholders, e.g.: use case diagrams for the interaction of users with system components, class diagrams for the static classes and relationships among them, and sequence diagrams for the dynamic behavior of instances of the class diagram. However, UML's support for the definition of security requirements for these diagrams and their constituent elements (e.g., actors, systems, use cases, classes, instances, include/extend/generalize relationships, methods, data, etc.) is lacking. In this paper, we address this issue by incorporating mandatory access control (MAC) into use case, class, and sequence diagrams, providing support for the definition of clearances and classifications for relevant UML elements. In addition, we provide a framework for security assurance as users are defining and evolving use case, class, and sequence diagrams, bridging the gap between software engineers and an organization's security personnel in support of secure software design. To demonstrate the feasibility and utility of our work on secure software design, our MAC enhancements for UML have been integrated into Borland's Together Control Center Environment.

Published in

FMSE '04: Proceedings of the 2004 ACM workshop on Formal methods in security engineering
October 2004
102 pages
ISBN: 1581139713
DOI: 10.1145/1029133

Copyright © 2004 ACM

Publisher

Association for Computing Machinery

New York, NY, United States
