
UML specification of access control policies and their formal verification

Regular Paper, published in Software & Systems Modeling

Abstract

Security requirements have become an integral part of most modern software systems. To produce secure systems, software engineers need appropriate systematic support. We propose a methodology for integrating the specification of access control policies into the Unified Modeling Language (UML) and provide a graph-based formal semantics for the UML access control specification, which permits reasoning about the coherence of the access control specification. The main concepts of the UML access control specification are illustrated with an example access control model for distributed object systems.


Author information

Correspondence to Manuel Koch.

Additional information

Communicated by Jan Jürjens.


About this article

Cite this article

Koch, M., Parisi-Presicce, F. UML specification of access control policies and their formal verification. Softw Syst Model 5, 429–447 (2006). https://doi.org/10.1007/s10270-006-0030-z
