Abstract
Security requirements have become an integral part of most modern software systems. In order to produce secure systems, it is necessary to provide software engineers with appropriate systematic support. We propose a methodology to integrate the specification of access control policies into the Unified Modeling Language (UML) and provide a graph-based formal semantics for the UML access control specification, which makes it possible to reason about the coherence of the access control specification. The main concepts of the UML access control specification are illustrated with an example access control model for distributed object systems.
Communicated by Jan Jürjens.
Koch, M., Parisi-Presicce, F. UML specification of access control policies and their formal verification. Softw Syst Model 5, 429–447 (2006). https://doi.org/10.1007/s10270-006-0030-z