Abstract
We present a new approach to building secure systems. In our approach, which we call Model Driven Security, designers specify system models along with their security requirements and use tools to automatically generate system architectures from the models, including complete, configured access control infrastructures. Rather than fixing one particular modeling language for this process, we propose a general schema for constructing such languages that combines languages for modeling systems with languages for modeling security. We present several instances of this schema that combine (both syntactically and semantically) different UML modeling languages with a security modeling language for formalizing access control requirements. From models in the combined languages, we automatically generate access control infrastructures for server-based applications, built from declarative and programmatic access control mechanisms. The modeling languages and generation process are semantically well-founded and are based on an extension of Role-Based Access Control. We have implemented this approach in a UML-based CASE-tool and report on experiments.
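As an added illustration (not the paper's tool or code) of the two-part generation the abstract describes, the Python sketch below transforms a constructed security model into a declarative role/permission table plus a programmatic check that evaluates the parts a static descriptor cannot express. It assumes the RBAC extension includes role hierarchies and per-permission authorization constraints; the Meeting resource, roles and constraint are invented.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Permission:
    role: str
    resource: str
    actions: frozenset
    # (caller attributes, target object) -> allowed?; None: grantable by role membership alone
    constraint: Optional[Callable[[dict, dict], bool]] = None

# Constructed sample model (assumed, not from the paper): Meeting resource, role hierarchy, one constrained permission.
ROLE_PARENTS = {"Supervisor": {"User"}}  # Supervisor inherits User's permissions
MODEL = (
    Permission("User", "Meeting", frozenset({"read"})),
    Permission("User", "Meeting", frozenset({"update", "delete"}),
               constraint=lambda caller, obj: obj["owner"] == caller["name"]),
    Permission("Supervisor", "Meeting", frozenset({"delete"})),
)

def effective_roles(role, parents=ROLE_PARENTS):
    """Transitive closure over the hierarchy: the role plus every role it inherits."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(parents.get(r, ()))
    return seen

def gen_declarative(model=MODEL, parents=ROLE_PARENTS):
    """Declarative artifact: (role, resource) -> actions allowed by membership alone.
    Constrained permissions are left out; a static descriptor cannot evaluate them."""
    table = {}
    for role in {p.role for p in model} | set(parents):
        for p in model:
            if p.constraint is None and p.role in effective_roles(role, parents):
                table.setdefault((role, p.resource), set()).update(p.actions)
    return table

def gen_programmatic(model=MODEL, parents=ROLE_PARENTS):
    """Programmatic artifact: a check that first consults the declarative table,
    then evaluates authorization constraints on the permissions that carry one."""
    table = gen_declarative(model, parents)
    def check(caller, resource, action, obj):
        roles = effective_roles(caller["role"], parents)
        if action in table.get((caller["role"], resource), ()):
            return True
        return any(p.constraint(caller, obj) for p in model
                   if p.constraint and p.role in roles
                   and p.resource == resource and action in p.actions)
    return check
```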
Title
Model driven security: From UML models to access control infrastructures