The Open UniversitySkip to content

Tools for model-based security engineering: models vs. code

Jürjens, Jan and Yu, Yijun (2007). Tools for model-based security engineering: models vs. code. In: 22nd IEEE/ACM International Conference on Automated Software Engineering, 5-9 Nov 2007, Atlanta, Georgia, USA.

Full text available as:
PDF (Version of Record) - Requires a PDF viewer such as GSview, Xpdf or Adobe Acrobat Reader
Download (56kB)
Google Scholar: Look up in Google Scholar


We present tools to support model-based security engineering on both the model and the code level. In the approach supported by these tools, one firstly specifies the security-critical part of the system (e.g. a crypto protocol) using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers. These are implemented within a framework that supports implementing verification routines, based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements.
In a second step, one verifies that security-critical parts of the model are correctly implemented in the code (which might be a legacy implementation), and applies security hardening transformations where is that not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening ad-vices through aspect-oriented programming. The proposed method has been applied to an open-source implementation of a cryptographic protocol implementation (Jessie)in Java to build up traceability mappings and security aspects. In that application, we found a security weakness which could be fixed using our approach. The resulting refactoring scripts and security aspects have found reusability in the Java Secure Socket Extension (JSSE) library.

Item Type: Conference or Workshop Item
Copyright Holders: The Authors/Owners
Keywords: security; model-based software engineering; UML; verification framework; code analysis; refactoring; security hardening
Academic Unit/School: Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM)
Research Group: Centre for Research in Computing (CRC)
Related URLs:
Item ID: 33460
Depositing User: Mary Mcmahon
Date Deposited: 29 May 2012 14:43
Last Modified: 10 Dec 2018 21:14
Share this page:

Download history for this item

These details should be considered as only a guide to the number of downloads performed manually. Algorithmic methods have been applied in an attempt to remove automated downloads from the displayed statistics but no guarantee can be made as to the accuracy of the figures.

Actions (login may be required)

Policies | Disclaimer

© The Open University   contact the OU