Tutorial B - DAIS - FMOODS 2003 - 18 November 2003
Developping Security Critical Systems with UML: Methods and Tools
The high quality development of security-critical distributed systems is difficult. Many critical systems are developed, deployed, and used that do not satisfy their security requirements, sometimes with weaknesses leading to spectacular attacks. Part of the difficulty of secure systems development is that correctness is often in conflict with cost. Where thorough methods of system design pose high cost through personnel training and use, they are all too often avoided. UML off ers an unprecedented opportunity for high-quality secure systems development that is feasible in an industrial context.
The tutorial aims to give background knowledge on using UML for developing security-critical distributed systems and to contribute to overcoming these challenges. It includes an interactive tool demo with advanced tool support for UML.
The tutorial presents the current academic research and industrial best practice
by addressing the following seven main subtopics (of each about 20-30
As an example application domain, we focus on security-critical systems. We also show how to generalize the approach to the other application domains mentioned above. We indicate how one might take advantage of new concepts expected to be introduced into UML with the future version 2.0.
We present an extension of the Unified Modeling Language (UML) for secure systems development, called UMLsec, using UMLís standard extension mechanisms. We start by giving an overview of UML (the UML diagrams) and model management (packages, subsystems). We explain the UML extension mechanisms (stereotypes, tags, constraints, profiles). We proceed to outline UMLsec, after discussing the requirements on an UML extension for secure systems development. We give the UMLsec profile. We show how to formulate security requirements on a system and security assumptions on underlying layer in UMLsec. We explain how to use this information for risk analysis and how to evaluate the system specification against the security requirements, by making use of a formal behavioral model for a core of UML. Being able to formulate security concepts in the context of a general-purpose modeling language allows encapsulation of established principles of security engineering to avoid common vulnerabilities introduced by developers without in-depth training in security issues. The formal foundation of the approach allows the discovery of even non-obvious weaknesses that security experts may not detect without use of formal tools. We sketch a design process to be used with the UML extension and discuss applicability of the approach with examples from various application domains (such as Java security and electronic payment schemes). We discuss tool-support and present applications and examples (Java security, electronic purses).
We demonstrate how to generalize the approach to other critical systems domains, with a focus on dependable systems.
3 Goals and Objectives
By the end of the tutorial, the participants will have knowledge on issues and problems in critical systems development. They will be able to address these problems when developing or analyzing critical systems, by making use of existing solutions and of sound methods of critical systems development, in particular patterns and UML. More generally, they will have learned how to tailor UML to specific application domains using the standard extension mechanisms. They will have an idea what changes are to be expected from UML 2.0 in this application domain.