Abstract
Quality assurance for security-critical systems is particularly challenging: many systems are developed, deployed, and used that do not satisfy their security requirements. A number of software engineering approaches have been developed over the last few years to address this challenge, both in the context of model-level and code-level security assurance. However, there is little experience so far in using these approaches in an industrial context, the challenges and benefits involved and the relative advantages and disadvantages of different approaches. This paper reports on experiences from a practical application of two of these security assurance approaches. As a representative of model-based security analysis, we considered the UMLsec approach and we investigated the JML annotation language as a representative of a code-level assurance approach. We applied both approaches to the development and security analysis of a biometric authentication system and performed a comparative evaluation based on our experiences.
Empirical results category paper.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lloyd, J., Jürjens, J. (2009). Security Analysis of a Biometric Authentication System Using UMLsec and JML. In: Schürr, A., Selic, B. (eds) Model Driven Engineering Languages and Systems. MODELS 2009. Lecture Notes in Computer Science, vol 5795. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04425-0_7
DOI: https://doi.org/10.1007/978-3-642-04425-0_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04424-3
Online ISBN: 978-3-642-04425-0
eBook Packages: Computer Science (R0)