Jürjens, Jan and Yu, Yijun
PDF (Version of Record)
- Requires a PDF viewer such as GSview, Xpdf or Adobe Acrobat Reader
|Google Scholar:||Look up in Google Scholar|
We present tools to support model-based security engineering on both the model and the code level. In the approach supported by these tools, one firstly specifies the security-critical part of the system (e.g. a crypto protocol) using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers. These are implemented within a framework that supports implementing verification routines, based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements.
In a second step, one verifies that security-critical parts of the model are correctly implemented in the code (which might be a legacy implementation), and applies security hardening transformations where is that not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening ad-vices through aspect-oriented programming. The proposed method has been applied to an open-source implementation of a cryptographic protocol implementation (Jessie)in Java to build up traceability mappings and security aspects. In that application, we found a security weakness which could be fixed using our approach. The resulting refactoring scripts and security aspects have found reusability in the Java Secure Socket Extension (JSSE) library.
|Item Type:||Conference Item|
|Copyright Holders:||The Authors/Owners|
|Keywords:||security; model-based software engineering; UML; verification framework; code analysis; refactoring; security hardening|
|Academic Unit/School:||Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM)
|Interdisciplinary Research Centre:||Centre for Policing Research and Learning (CPRL)
Centre for Research in Computing (CRC)
|Depositing User:||Mary Mcmahon|
|Date Deposited:||29 May 2012 14:43|
|Last Modified:||27 Jan 2017 14:37|
|Share this page:|
Download history for this item
These details should be considered as only a guide to the number of downloads performed manually. Algorithmic methods have been applied in an attempt to remove automated downloads from the displayed statistics but no guarantee can be made as to the accuracy of the figures.