Tutorial B - DAIS - FMOODS 2003 - 18 November 2003

Developing Security-Critical Systems with UML: Methods and Tools

by Jan Jürjens


1 Motivation

The high-quality development of security-critical distributed systems is difficult. Many critical systems are developed, deployed, and used that do not satisfy their security requirements, sometimes with weaknesses leading to spectacular attacks. Part of the difficulty of secure systems development is that correctness is often in conflict with cost. Where thorough methods of system design incur high cost through personnel training and use, they are all too often avoided. UML offers an unprecedented opportunity for high-quality secure systems development that is feasible in an industrial context.

  • As the de-facto standard in industrial modeling, a large number of developers are trained in UML.

  • Compared to previous notations with a user community of comparable size, UML is relatively precisely defined.

  • A number of tools have been developed to assist the every-day work using UML.

However, there are some challenges one has to overcome to exploit this opportunity, which include the following:

  • Adaptation of UML to critical system application domains.

  • Correct use of UML in the application domains.

  • Conflict between flexibility and unambiguity in the meaning of a notation.

  • Improving tool-support for critical systems development with UML (for analysis, testing, simulation, transformation etc.).

The tutorial aims to give background knowledge on using UML for developing security-critical distributed systems and to contribute to overcoming these challenges. It includes an interactive tool demo with advanced tool support for UML.

2 Outline

The tutorial presents the current academic research and industrial best practice by addressing the following seven main subtopics (each of about 20-30 min. duration):

  • UML basics, including extension mechanisms

  • Applications of UML to

    • dependable systems

    • security-critical systems

    • real-time systems

    • performance-critical systems

  • Extensions of UML (UML-RT, UMLsec, UMLsafe, . . . )

  • Using UML as a formal design technique for the development of critical systems

  • Critical systems development methods.

  • Modeling, synthesis, code generation, testing, validation, and verification of critical systems using UML; in particular, using the standard model interchange format (XMI) for tool integration and for connecting to validation engines, and a survey of existing tools.

  • Case studies.

  • Interactive tool demo.

As an example application domain, we focus on security-critical systems. We also show how to generalize the approach to the other application domains mentioned above. We indicate how one might take advantage of new concepts expected to be introduced into UML with the future version 2.0.


2.1 Secure systems development with UML

We present an extension of the Unified Modeling Language (UML) for secure systems development, called UMLsec, using UML's standard extension mechanisms. We start by giving an overview of UML (the UML diagrams) and model management (packages, subsystems). We explain the UML extension mechanisms (stereotypes, tags, constraints, profiles). After discussing the requirements on a UML extension for secure systems development, we outline UMLsec and give the UMLsec profile. We show how to formulate security requirements on a system and security assumptions on the underlying layer in UMLsec. We explain how to use this information for risk analysis and how to evaluate the system specification against the security requirements, by making use of a formal behavioral model for a core of UML. Being able to formulate security concepts in the context of a general-purpose modeling language allows encapsulation of established principles of security engineering, so that common vulnerabilities introduced by developers without in-depth training in security issues can be avoided. The formal foundation of the approach allows the discovery of even non-obvious weaknesses that security experts may not detect without the use of formal tools. We sketch a design process to be used with the UML extension and discuss the applicability of the approach with examples from various application domains (such as Java security and electronic payment schemes). We discuss tool support and present applications and examples (Java security, electronic purses).
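To make the "requirements versus assumptions on the underlying layer" check concrete, here is an added example (not from the tutorial or the UMLsec tool set) of the kind of evaluation the profile enables: a small secure-links style check in which each communication dependency carries requirement stereotypes and each physical link carries an assumption stereotype, and a default-attacker threat table decides whether the assumed link defeats the requirement. The stereotype names and the threat table follow the published UMLsec profile as recalled here; the dict-based model encoding and the sample deployment are this example's own construction, not UMLsec's XMI format.

```python
"""Toy UMLsec-style 'secure links' check over a constructed deployment model."""

# Default attacker: what the adversary can do on a link with the given stereotype
# (per the UMLsec profile, as recalled; an insider attacker would get more on <<LAN>>).
THREATS = {
    "Internet": {"read", "insert", "delete"},
    "encrypted": {"delete"},
    "LAN": set(),
}

# Which attacker capability violates which requirement stereotype on a dependency.
VIOLATED_BY = {
    "secrecy": {"read"},
    "integrity": {"insert"},
    "high": {"read", "insert", "delete"},
}


def secure_links(links, dependencies):
    """Return violations as (src, dst, requirement, sorted capabilities) tuples.

    links:        [(nodeA, nodeB, link_stereotype), ...]
    dependencies: [(src, dst, [requirement_stereotype, ...]), ...]
    """
    link_type = {frozenset((a, b)): stereo for a, b, stereo in links}
    violations = []
    for src, dst, requirements in dependencies:
        stereo = link_type.get(frozenset((src, dst)))
        if stereo is None:  # a dependency with no physical link is a model error
            raise ValueError(f"no link between {src} and {dst}")
        available = THREATS[stereo]
        for req in requirements:
            bad = VIOLATED_BY[req] & available
            if bad:
                violations.append((src, dst, req, tuple(sorted(bad))))
    return violations


# Constructed sample: a client talks to a server over the Internet, the server to a DB on a LAN.
LINKS = [("Client", "Server", "Internet"), ("Server", "DB", "LAN")]
DEPS = [("Client", "Server", ["secrecy", "integrity"]), ("Server", "DB", ["high"])]

# Same requirements, but the assumption on the client/server link is strengthened.
HARDENED_LINKS = [("Client", "Server", "encrypted"), ("Server", "DB", "LAN")]

if __name__ == "__main__":
    for v in secure_links(LINKS, DEPS):
        print("violation:", v)
    print("hardened model violations:", secure_links(HARDENED_LINKS, DEPS))
```

The first model reports that both <<secrecy>> and <<integrity>> on the client/server dependency are defeated by an <<Internet>> link, while the <<high>> dependency over the <<LAN>> link passes; switching the link assumption to <<encrypted>> clears both findings, but a <<high>> dependency over an <<encrypted>> link would still be flagged because the attacker can delete.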


2.2 Other Critical System Domains

We demonstrate how to generalize the approach to other critical systems domains, with a focus on dependable systems.

3 Goals and Objectives

By the end of the tutorial, the participants will have knowledge of the issues and problems in critical systems development. They will be able to address these problems when developing or analyzing critical systems, by making use of existing solutions and of sound methods of critical systems development, in particular patterns and UML. More generally, they will have learned how to tailor UML to specific application domains using the standard extension mechanisms. They will have an idea of what changes are to be expected from UML 2.0 in this application domain.