Model Based Security with UMLsec Pankaj Chechani 005240093
Agenda
• Approach for secure software
• Security requirements provided by UMLsec
• UML Extension Mechanism
• UMLsec Analysis
• Conclusion
Approach for secure software
• Penetrate-and-Patch
  • insecure, delay, annoying
• Formal verification
  • Very expensive
• Security at design time
Security requirements provided by UMLsec
• Fair Exchange
• Secure Information Flow
• Secure Communication Link
• Role-based Access Control
• Authenticity
UML Extension Mechanism
“Light-Weight” Extension Mechanism
• Constraints
  • Properties that have to hold
  • {xor}
• Tagged values
  • Describe properties of model elements
  • {username=“abc”, pass=“xyz”}
• Stereotypes
  • “Lots of” constraints and tagged values
  • Class + <<interface>> = Interface
Example <<secure link>> [1]
• Security requirements
  • dependency stereotypes
• Physical layer
  • link stereotypes
• Communication partners
  • Node stereotypes
UMLsec Analysis
• Two popular approaches:
  • Formulate requirements with a special logic
  • Use term-algebra Ref: [2]
• UMLsec follows term-algebra approach
• Both are quite successful
Cont…
• Term algebra generated by Variables, Keys and Data
• Operations:
  • _::_ (concatenation)
  • Head(_) and Tail(_)
  • {_}_ (encryption)
  • Dec_{_} (decryption) Ref: [1] & [3]
• Equations (some):
  • $\mathrm{Dec}_{K^{-1}}(\{E\}_K) = E$ (for $K \in$ Keys)
  • $\mathrm{Ext}_K(\mathrm{Sign}_{K^{-1}}(E)) = E$ (for $K \in$ Keys) Ref: [1] & [3]
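The term algebra from the two slides above as a small symbolic rewriting engine (an added example, not part of the original slides or of any UMLsec tool). The Python names, the head/tail projection rules and the sample message are assumptions made for illustration; only asymmetric key pairs are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str
    inverse: bool = False              # True denotes K^-1

    def inv(self):
        return Key(self.name, not self.inverse)

@dataclass(frozen=True)
class Data:
    name: str

@dataclass(frozen=True)
class Op:
    op: str                            # conc, head, tail, enc, dec, sign, ext
    args: tuple

def conc(a, b): return Op("conc", (a, b))      # a :: b
def head(t):    return Op("head", (t,))
def tail(t):    return Op("tail", (t,))
def enc(e, k):  return Op("enc", (e, k))       # {e}_k
def dec(c, k):  return Op("dec", (c, k))       # Dec_k(c)
def sign(e, k): return Op("sign", (e, k))      # Sign_k(e)
def ext(s, k):  return Op("ext", (s, k))       # Ext_k(s)

def normalize(t):
    """Rewrite a term bottom-up with the equations; stuck terms stay symbolic."""
    if not isinstance(t, Op):
        return t
    args = tuple(normalize(a) for a in t.args)
    inner = args[0]
    if isinstance(inner, Op):
        pair = (t.op, inner.op)
        if pair in (("dec", "enc"), ("ext", "sign")):
            k = inner.args[1]
            # Dec_{K^-1}({E}_K) = E and Ext_K(Sign_{K^-1}(E)) = E
            if isinstance(k, Key) and args[1] == k.inv():
                return inner.args[0]
        elif pair == ("head", "conc"):         # assumed rule, not on the slide
            return inner.args[0]
        elif pair == ("tail", "conc"):         # assumed rule, not on the slide
            return inner.args[1]
    return Op(t.op, args)

# Constructed sample: A sends {d :: Sign_{KA^-1}(n)}_{KB} to B.
KA, KB, D, N = Key("A"), Key("B"), Data("d"), Data("n")
MSG = enc(conc(D, sign(N, KA.inv())), KB)
OPENED = dec(MSG, KB.inv())                    # B holds KB^-1
assert normalize(ext(tail(OPENED), KA)) == N   # payload recovered and verified
assert normalize(dec(MSG, KA.inv())) == dec(MSG, KA.inv())  # wrong key: stuck
```

A term that does not reduce stays as an opaque `dec`/`ext` node, which is how the symbolic model expresses that a party without the matching inverse key learns nothing from the ciphertext.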
Conclusion
• UMLsec provides security at the design phase
• Automated security analysis through tool support
• Concentrates on data security, e-commerce scenarios, protocols
• UMLsec itself is extensible
References
[1] Jan Jürjens, TU Munich: UMLsec - Presenting the Profile
[2] Jan Jürjens, Secure System Development With UML
[3] Matthias Wurm, Seminar Advanced System: Development of Secure Systems with UMLsec
[4] Joe Combs, 15 Feb 2006: Discussing “Developing Secure Systems with UMLSec”