Abstract
We present a way to support the development of software applications that takes confidentiality requirements into account, and show how the developed code can be automatically verified. We use the Unified Modelling Language (UML) together with annotations so that confidentiality can be considered throughout the development process, from requirements to code. We have provided support for software development using UML diagrams so that the code produced can be validated by a language-based checker, in our case Jif (Java information flow). We demonstrate that the combination of model-based and language-based security is compelling.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Heldal, R., Hultin, F. (2003). Bridging Model-Based and Language-Based Security. In: Snekkenes, E., Gollmann, D. (eds) Computer Security – ESORICS 2003. ESORICS 2003. Lecture Notes in Computer Science, vol 2808. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39650-5_14
DOI: https://doi.org/10.1007/978-3-540-39650-5_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20300-1
Online ISBN: 978-3-540-39650-5