UMLsec is an extension to the Unified Modelling Language for integrating security-related information into UML specifications. This information can be used for model-based security engineering. Most security information is added using stereotypes and covers many security properties, including secure information flow, confidentiality and access control. Using an attacker model, these properties can be checked at the model level.
Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but it has the added dimension of preventing misuse and malicious behavior. Those constraints and restrictions are often asserted as a security policy.
Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits access or places restrictions on certain types of information.
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.
It was first proposed by Jürjens et al. in 2002 [1] and later revised and extended by the same author [2].
UMLsec is defined as lightweight extension for UML. [3]
The profile is defined through a set of stereotypes with properties (tag definitions) and constraints. UMLsec defines 21 stereotypes, listed below.
Stereotype | Base class | Tags | Description |
---|---|---|---|
fair exchange | subsystem | start, stop, adversary | enforce the fair exchange principle on communication, that is, ensure that cooperating parties cannot cheat. |
provable | subsystem | action, cert, adversary | provide evidence of activities to obtain non-repudiation. |
rbac | subsystem | protected, role, right | enforce role-based access control. |
Internet | link | | Internet connection. It is assumed to be susceptible to message deletion, addition and content exposure by the default attacker. |
encrypted | link | | model an encrypted connection. It is assumed to be susceptible to message deletion by the default attacker. |
LAN | link, node | | LAN connection or a LAN network (node). It is assumed to be unaffected by the default external attacker. |
wire | link | | wire connection. It is assumed to be unaffected by the default external attacker. |
smart card, POS device, issuer node | node | | nodes with varying protection mechanisms. Adversary definitions determine to what extent these nodes may be tampered with. They are assumed to be unaffected by the default external attacker. |
secrecy, integrity, high | dependency | | dependency that indicates an assumption of secrecy, integrity or high sensitivity, respectively. |
critical | object, subsystem | secrecy, integrity, authenticity, high, fresh | label a system or object as critical. The tags define in what respect the system/object is critical. |
secure links | subsystem | adversary | enforce secure communication links under the defined adversary model. |
secure dependencies | subsystem | | ensure that secure dependencies are met. |
data security | subsystem | adversary, integrity, authenticity | enforce basic security requirements under the defined adversary model. |
no down-flow, no up-flow | subsystem | | ensure secure information flow. |
guarded access | subsystem | | ensure that guarded objects are accessed only through their guards. |
guarded | object | guard | specify a guarded object that can only be accessed through the object named by the guard tag. |
To ensure security it is necessary to specify what kind of attacker is assumed. In UMLsec, the attacker model is defined through the threats that it poses. The table below defines the default adversary. Other adversaries may of course be defined.
Stereotype | Threats_default() |
---|---|
Internet | {delete, read, insert} |
encrypted | {delete} |
LAN | ∅ |
wire | ∅ |
smart card | ∅ |
POS device | ∅ |
issuer node | ∅ |
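The two tables above are enough to mechanically check the <<secure links>> stereotype: each <<secrecy>>, <<integrity>> or <<high>> dependency between two nodes must run over a link whose stereotype the adversary cannot break. The checker below is an added example written for this page, not UMLsec's own tooling; it assumes the usual form of the rule (secrecy needs a link the adversary cannot read, integrity one it cannot insert into, high one with no threats), and the node names, links and dependencies are constructed.

```python
# Added example (not from the UMLsec sources): a checker for the UMLsec
# <<secure links>> constraint against the default adversary model.
# Node names, link layout and dependencies below are constructed.

# Threats_default() per link stereotype, as in the adversary table above.
THREATS_DEFAULT = {
    "Internet": frozenset({"delete", "read", "insert"}),
    "encrypted": frozenset({"delete"}),
    "LAN": frozenset(),
    "wire": frozenset(),
}

# Assumed form of the rule: a <<secrecy>> dependency needs a link the
# adversary cannot read, <<integrity>> one it cannot insert into, and
# <<high>> one with no threats at all.
FORBIDDEN = {
    "secrecy": frozenset({"read"}),
    "integrity": frozenset({"insert"}),
    "high": frozenset({"delete", "read", "insert"}),
}


def link_stereotype(links, a, b):
    """Stereotype of the communication link between nodes a and b, or None."""
    for n1, n2, st in links:
        if {n1, n2} == {a, b}:
            return st
    return None


def check_secure_links(links, deps, threats=THREATS_DEFAULT):
    """Return one message per dependency the adversary could violate.

    links: (node, node, link stereotype); deps: (node, node, dependency
    stereotype). An empty list means <<secure links>> holds.
    """
    violations = []
    for a, b, req in deps:
        st = link_stereotype(links, a, b)
        if st is None:
            violations.append(f"{a}->{b} <<{req}>>: no link between the nodes")
        elif threats[st] & FORBIDDEN[req]:
            bad = ",".join(sorted(threats[st] & FORBIDDEN[req]))
            violations.append(f"{a}->{b} <<{req}>> over <<{st}>>: adversary can {bad}")
    return violations


# Constructed deployment: client to server over the Internet, server to a
# database over a LAN; the first link violates <<secrecy>>, <<encrypted>> fixes it.
LINKS = [("client", "server", "Internet"), ("server", "db", "LAN")]
LINKS_FIXED = [("client", "server", "encrypted"), ("server", "db", "LAN")]
DEPS = [("client", "server", "secrecy"), ("server", "db", "high")]
```

Passing a different `threats` mapping models a stronger adversary (for example one that can read a LAN), which is how the "other adversaries" mentioned above are checked against the same model.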
An object-modeling language is a standardized set of symbols used to model a software system using an object-oriented framework. The symbols can be either informal or formal ranging from predefined graphical templates to formal object models defined by grammars and specifications.
The Unified Modeling Language (UML) is a general-purpose, developmental, modeling language in the field of software engineering that is intended to provide a standard way to visualize the design of a system.
The Object Constraint Language (OCL) is a declarative language for describing rules that apply to Unified Modeling Language (UML) models; it was developed at IBM and is now part of the UML standard. Initially, OCL was merely a formal specification language extension for UML. OCL may now be used with any Meta-Object Facility (MOF) Object Management Group (OMG) meta-model, including UML. The Object Constraint Language is a precise text language that provides constraint and object query expressions on any MOF model or meta-model that cannot otherwise be expressed by diagrammatic notation. OCL is a key component of the new OMG standard recommendation for transforming models, the Queries/Views/Transformations (QVT) specification.
A stereotype is one of three types of extensibility mechanisms in the Unified Modeling Language (UML), the other two being tags and constraints. They allow designers to extend the vocabulary of UML in order to create new model elements, derived from existing ones, but that have specific properties that are suitable for a particular domain or otherwise specialized usage. The nomenclature is derived from the original meaning of stereotype, used in printing. For example, when modeling a network you might need to have symbols for representing routers and hubs. By using stereotyped nodes you can make these things appear as primitive building blocks.
A sequence diagram shows object interactions arranged in time sequence. It depicts the objects and classes involved in the scenario and the sequence of messages exchanged between the objects needed to carry out the functionality of the scenario. Sequence diagrams are typically associated with use case realizations in the Logical View of the system under development. Sequence diagrams are sometimes called event diagrams or event scenarios.
In software engineering, a class diagram in the Unified Modeling Language (UML) is a type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, operations, and the relationships among objects.
A package diagram in the Unified Modeling Language depicts the dependencies between the packages that make up a model.
In Unified Modeling Language (UML), a component diagram depicts how components are wired together to form larger components or software systems. They are used to illustrate the structure of arbitrarily complex systems.
Activity diagrams are graphical representations of workflows of stepwise activities and actions with support for choice, iteration and concurrency. In the Unified Modeling Language, activity diagrams are intended to model both computational and organizational processes, as well as the data flows intersecting with the related activities. Although activity diagrams primarily show the overall flow of control, they can also include elements showing the flow of data between activities through one or more data stores.
Executable UML is both a software development method and a highly abstract software language. It was described for the first time in 2002 in the book "Executable UML: A Foundation for Model-Driven Architecture". The language "combines a subset of the UML graphical notation with executable semantics and timing rules." The Executable UML method is the successor to the Shlaer–Mellor method.
The Systems Modeling Language (SysML) is a general-purpose modeling language for systems engineering applications. It supports the specification, analysis, design, verification and validation of a broad range of systems and systems-of-systems.
A composite structure diagram in the Unified Modeling Language (UML) is a type of static structure diagram that shows the internal structure of a class and the collaborations that this structure makes possible.
In the Unified Modeling Language 1.x, powertype is a keyword for a specific UML stereotype, and applies to a class or dependency. Powertype shows a classifier whose instances (objects) are children of the given parent.
A profile in the Unified Modeling Language (UML) provides a generic extension mechanism for customizing UML models for particular domains and platforms. Extension mechanisms allow refining standard semantics in a strictly additive manner, preventing them from contradicting standard semantics.
In the Unified Modeling Language (UML), a Dependency is a relationship that shows that an element, or set of elements, requires other model elements for their specification or implementation. The element is dependent upon the independent element, called the supplier. Two or more elements in this relationship are called tuples.
Modeling and Analysis of Real Time and Embedded systems also known as MARTE is the OMG standard for modeling real-time and embedded applications with UML2.
EAST-ADL is an Architecture Description Language (ADL) for automotive embedded systems, developed in several European research projects. It is designed to complement AUTOSAR with descriptions at higher levels of abstraction. Aspects covered by EAST-ADL include vehicle features, functions, requirements, variability, software components, hardware components and communication. Currently, it is maintained by the EAST-ADL Association in cooperation with the European FP7 MAENAD project.
A component in the Unified Modeling Language "represents a modular part of a system, that encapsulates its content and whose manifestation is replaceable within its environment. A component defines its behavior in terms of provided and required interfaces".
An artifact in the Unified Modeling Language (UML) is the specification of a physical piece of information that is used or produced by a software development process, or by deployment and operation of a system.
Model-driven security (MDS) means applying model-driven approaches to security.