The Open University

Tools for model-based security engineering: models vs. code

Jürjens, Jan and Yu, Yijun (2007). Tools for model-based security engineering: models vs. code. In: 22nd IEEE/ACM International Conference on Automated Software Engineering, 5-9 November 2007, Atlanta, Georgia, USA.

Full text available as: PDF (Version of Record)
URL: http://www.cse.msu.edu/ase2007/welcome.html

Abstract

We present tools to support model-based security engineering on both the model and the code level. In the approach supported by these tools, one firstly specifies the security-critical part of the system (e.g. a crypto protocol) using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers. These are implemented within a framework that supports implementing verification routines, based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements.
In a second step, one verifies that security-critical parts of the model are correctly implemented in the code (which might be a legacy implementation), and applies security hardening transformations where that is not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening advices through aspect-oriented programming. The proposed method has been applied to an open-source implementation of a cryptographic protocol implementation (Jessie) in Java to build up traceability mappings and security aspects. In that application, we found a security weakness which could be fixed using our approach. The resulting refactoring scripts and security aspects have found reusability in the Java Secure Socket Extension (JSSE) library.

Item Type: Conference Item
Copyright Holders: The Authors/Owners
Keywords: security; model-based software engineering; UML; verification framework; code analysis; refactoring; security hardening
Academic Unit/Department: Mathematics, Computing and Technology > Computing & Communications
Interdisciplinary Research Centre: Centre for Research in Computing (CRC)
Item ID: 33460
Depositing User: Mary Mcmahon
Date Deposited: 29 May 2012 14:43
Last Modified: 30 May 2012 04:11
URI: http://oro.open.ac.uk/id/eprint/33460