Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand...
Transcript of Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand...
![Page 1: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/1.jpg)
Secure Enterprise Applications with UML
Jan Jürjens(contributing P. Shabalin, S. Höhn, S. Meng)
Software & Systems EngineeringInformatics, TU Munich
Germany
[email protected]://www.jurjens.de/jan
![Page 2: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/2.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
A Need for Security
Society and economies rely on computernetworks for communication, finance, energy distribution, transportation...
Attacks threaten economical and physicalintegrity of people and organizations.
Interconnected systems can be attackedanonymously and from a safe distance.
Networked computers need to be secure.
![Page 3: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/3.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Problems
Many flaws found in designs of security-criticalsystems, sometimes years after publicationor use.
Spectacular Example (1997):
NSA hacker team breaks into U.S. Department of Defense computers and theU.S.electric power grid system. Simulatespower outages and 911 emergencytelephone overloads in Washington, D.C..
![Page 4: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/4.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Causes I
• Designing secure systems correctly isdifficult. Even experts may fail:
– Needham-Schroeder protocol (1978)– attacks found 1981 (Denning, Sacco),
1995 (Lowe)• Designers often lack background in security.• Security as an afterthought.
![Page 5: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/5.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Causes II
Cannot use security mechanisms „blindly“:• Security often compromised by circumventing
(rather than breaking) them.• Assumptions on system context, physical
environment.„Those who think that their problem can be
solved by simply applying cryptography don`tunderstand cryptography and don`t understandtheir problem“ (Lampson, Needham).
![Page 6: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/6.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Difficulties
Exploit information spreads quickly.
No feedback on delivered security fromcustomers.
![Page 7: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/7.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Previous approaches
„Penetrate-and-patch“: • insecure
• disruptive
Traditional formal methods: expensive.
• training people• constructing formal specifications.
![Page 8: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/8.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Goal: Security by design
Consider security
• from early on
• within development context
• taking an expansive view
• in a seamless way.
Secure design by model analysis.
Secure implementation by test generation.
![Page 9: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/9.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Holistic view on Security
„An expansive view of the problem is mostappropriate to help ensure that no gapsappear in the strategy“ (Saltzer, Schroeder 1975).
But „no complete method applicable to theconstruction of large general-purposesystems exists yet“ - since 1975.
![Page 10: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/10.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Using UML
UML: unprecedented opportunity forhigh-quality critical systems developmentfeasible in industrial context:
• De-facto standard in industrial modeling: large number of developers trained in UML.
• Relatively precisely defined (given the user community).
• Many tools in development (also for analysis, testing, simulation, transformation).
![Page 11: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/11.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Challenges
• Adapt UML to critical system application domains.
• Correct use of UML in the application domains.
• Conflict between flexibility and unambiguityin the meaning of a notation.
• Improving tool-support for critical systems development with UML.
![Page 12: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/12.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
This tutorial
Background knowledge on using UML for critical systems development.
• UML basics, including extension mechanisms.• Extensions of UML (UMLsec, UML-RT, ...)• UML as a formal design technique.• Tools.• Case studies.
Concentrate on security-critical systems.
![Page 13: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/13.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile__________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools
![Page 14: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/14.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Using UML
Unified Modeling Language (UML):• visual modelling language• different views on a system• high degree of abstraction possible• de-facto industry standard (OMG)• standard extension mechanisms
![Page 15: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/15.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
A glimpse at UML
![Page 16: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/16.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Used fragment of UML
Activity diagram: flow of control between systemcomponents
Class diagram: data structure of the systemSequence diagram: interaction between
components by message exchangeStatechart diagram: dynamic component behaviourDeployment diagram: Components in physical
environmentPackage: collect system parts into groups
Current: UML 1.5 (released Mar 2003)
![Page 17: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/17.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML run–through: Activity diagrams
Specify the control flow between components within the system, at higher degree of abstraction than statecharts and sequence diagrams.
![Page 18: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/18.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML run-through: Class diagrams
Data structure of system.
Components with attributes and operations/signals; relationships between components.
![Page 19: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/19.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Describe interaction between systemcomponents via message exchange.
UML run-through: Sequence Diagrams
![Page 20: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/20.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML run-through: Statecharts
Dynamic behaviour of individual component.
Input events cause state change and outputactions.
![Page 21: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/21.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML run-through: Deployment diagrams
Describe the physical layer on which thesystem is to be implemented.
![Page 22: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/22.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML run-through: Package
May be used to organize modelelements into groups.
![Page 23: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/23.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML Extension mechanisms
Stereotype: specialize model elementusing �label� .
Tagged value: attach {tag=value} pair to stereotyped element.
Constraint: refine semantics of stereotyped element.
Profile: gather above information.
![Page 24: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/24.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile__________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools
![Page 25: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/25.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UMLsec
UMLsec: extension for secure systemsdevelopment.
• evaluate UML specifications for vulnerabilities
• encapsulate security engineering patterns
• also for developers not specialized in security• security from early design phases, in system
context• make certification cost-effective
![Page 26: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/26.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Basic Security Requirements I
Secrecy
Information
Information
Integrity
Information
Availability
![Page 27: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/27.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Basic Security Requirements II
Information
Authenticity
Sender
Sender
Nonrepudiability
Informa-
tion
![Page 28: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/28.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
The UMLsec profile
Recurring security requirements as stereotypes with tags (secrecy, integrity,...).
Associated constraints to evaluate model, indicate possible vulnerabilities.
Ensures that stated security requirementsenforce given security policy.
Ensures that UML specification providesrequirements.
![Page 29: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/29.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Requirements on UML extension for security I
Mandatory requirements:• Provide basic security requirements such as
secrecy and integrity.• Allow considering different threat scenarios
depending on adversary strengths.• Allow including important security concepts
(e.g. tamper-resistant hardware).• Allow incorporating security mechanisms
(e.g. access control).
![Page 30: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/30.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Requirements on UML extension for security II
• Provide security primitives (e.g. (a)symmetric encryption).
• Allow considering underlying physicalsecurity.
• Allow addressing security management(e.g. secure workflow).
Optional requirements: Include domain-specificsecurity knowledge (Java, smart cards, CORBA, ...).
![Page 31: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/31.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UMLsec: general ideas
Activity diagram: secure control flow, coordination
Class diagram: exchange of datapreserves security levels
Sequence diagram: security-critical interactionStatechart diagram: security preserved
within objectDeployment diagram: physical security
requirementsPackage: holistic view on security
![Page 32: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/32.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UMLsec profile (excerpt)
access control usingguard objects
guarded objects acc.through guards.
Subsystemguardedaccess
enforce fairexchange
after start eventuallyreach stop
start,stop
packagefair exchange
basic datasecrequirements
provides secrecy,integrity
subsystemdatasecurity
information flowprevents down-flowhighsubsystemno down-flow
structural interactiondata security
call, send respectdata security
subsystemsecuredependency
assumes secrecydependencysecrecy
enforces securecommunication links
dependency securitymatched by links
subsystemsecure links
Internet connectionlinkInternet
DescriptionConstraintsTagsBase classStereotype
![Page 33: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/33.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�Internet � , �encrypted� , …
Kinds of communication links resp. systemnodes.
For adversary type A, stereotype s, have setThreats (s) � {delete, read, insert, access} of actions that adversaries are capable of.
Default attacker:Internet
encrypted
LAN
smart card
{delete, read, insert}
{delete}
��
Threats ()Stereotype
A
default
![Page 34: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/34.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Requirements with use case diagrams
Capture security requirementsin use case diagrams.
Constraint: need to appear in corresponding activity diagram.
Sales application
Business
sells goods
Customer
buys goods
«fair exchange»
![Page 35: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/35.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�fair exchange �
Ensures generic fair exchange condition.
Constraint: after a {buy} state in activitydiagram is reached, eventually reach{sell} state.
(Cannot be ensured for systems that an attacker can stop completely.)
![Page 36: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/36.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �fair exchange�
Customer buys a good from a business.
Fair exchange means: after payment, customer iseventually eitherdelivered good orable to reclaimpayment.
Pay
Wait untildelivery due
Reclaim
Deliver
Purchase
Request good
BusinessCustomer
«fair exchange»{buy={Pay}} {sell={Reclaim,Deliver}}
![Page 37: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/37.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�secure links �
Ensures that physical layer meets securityrequirements on communication.
Constraint: for each dependency d with stereotype s � {�secrecy� , �integrity� } betweencomponents on nodes n � m, have a communication link l betweenn and m with stereotype t such that
• if s = �secrecy� : have read � Threats (t).
• if s = �integrity� : have insert � Threats (t).A
A
![Page 38: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/38.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �secure links�
Given default adversary type, constraintfor stereotype �secure links � violated:According to the Threatsdefault(Internet)scenario, �Internet � link does not providesecrecy against default adversary.
«secure links»
server machineclient machineget_password
browserclient apps
access controlweb server
Remote access
«call»
«Internet»
«secrecy»
![Page 39: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/39.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�secure dependency�
Ensure that �call � and �send �dependencies between components respectsecurity requirements on communicated datagiven by tags {secrecy}, {integrity}.
Constraint: for �call � or �send � dependencyfrom C to D (and similarly for {secrecy}):
• Msg in D is {secrecy} in C if and only if also in D.
• If msg in D is {secrecy} in C, dependencystereotyped �secrecy� .
![Page 40: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/40.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �secure dependency�
Violates �secure dependency� : Randomgenerator and �call � dependency do not givesecurity level for random() to key generator.
Random generator
seed: Real
random(): Real
random(): Real
Random number«interface»newkey(): Key
«call»
Key generation
«critical»Key generator
newkey(): Key
«secure dependency»
{secrecy={newkey(),random()}
![Page 41: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/41.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�no down–flow�
Enforce secure information flow. Constraint:
Value of any data specified in {secrecy}may influence only the values of dataalso specified in {secrecy}.
Formalize by referring to formal behavioural semantics.
![Page 42: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/42.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �no down-flow�
�no down–flow� violated: partial information on input of high wm() returned by non-high rx().
rx(): Boolean
Customer account
rx(): Boolean
Account
rm(): Datawm(x: Data)
ExtraServicemoney: Integer
rm()/return(money)rm(): Datawm(x: Data)
NoExtraService
/money:=0
rm()/return(money)
money+x/money:=
wm(x)
wm(x)/money:=money+xwm(x)
money+x/money:=
{secret={wm,rm,money}}«no down−flow»
rx()/return(true) rx()/return(false)
[money>=1000]
[money<=1000]
![Page 43: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/43.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�data security�
Security requirements of data marked�critical� enforced against threatscenario from deployment diagram.
Constraints:
Secrecy of {secrecy} data preserved.
Integrity of {integrity} data preserved.
![Page 44: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/44.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �data security�
Variant of TLS (INFOCOM`99).
Violates {secrecy}of sagainst defaultadversary.
![Page 45: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/45.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
�guarded access �
Ensures that in Java, �guarded� classesonly accessed through {guard} classes.
Constraints:
• References of �guarded� objectsremain secret.
• Each �guarded� class has {guard}class.
![Page 46: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/46.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example �guarded access �
Provides �guarded access� :Access to MicSi protected by MicGd.
![Page 47: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/47.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Does UMLsec meet requirements?
Security requirements: �secrecy� ,…
Threat scenarios: Use Threatsadv(ster).
Security concepts: For example �smart card � .
Security mechanisms: E.g. �guarded access � .
Security primitives: Encryption built in.
Physical security: Given in deployment diagrams.
Security management: Use activity diagrams.
Technology specific: Java, CORBA security.
![Page 48: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/48.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile____________________________________
Security patterns: Rules, patternsCase studiesUsing Java security, CORBAsecTools
![Page 49: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/49.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Rules of prudent security engineering
Saltzer, Schroeder (1975):
Design principles for security-critical
systems.
Check how to enforce these with UMLsec.
![Page 50: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/50.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Economy of mechanism
Keep the design as simple and small as possible.
Often systems made complicated to make them (look) secure.
Method for reassurance may reduce this temptation.
Payoffs from formal evaluation may increase incentive for following the rule.
![Page 51: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/51.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Fail-safe defaults
Base access decisions on permission rather than exclusion.
Example: secure log-keeping for audit control in Common Electronic Purse Specifications(CEPS).
![Page 52: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/52.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Complete mediation
Every access to every object must be checked for authority.
E.g. in Java: use guarded objects. Use UMLsec to ensure proper use ofguards.More feasibly, mediation wrt. a set of sensitive objects.
![Page 53: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/53.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Open design
The design should not be secret.
Method of reassurance may help to
develop systems whose security does
not rely on the secrecy of its design.
![Page 54: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/54.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Separation of privilege
A protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
Example: signature of two or more principals required for privilege. Formulate requirements with activity diagrams.
Verify behavioural specifications wrt. them.
![Page 55: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/55.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Least privilege
Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Least privilege: every proper diminishing of privileges gives system not satisfying functionality requirements.
Can make precise and check this.
![Page 56: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/56.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Least common mechanism
Minimize the amount of mechanism common to more than one user and depended on by all users.
Object-orientation:• data encapsulation• data sharing well-defined (keep at necessary
minimum).
![Page 57: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/57.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Psychological acceptability
Human interface must be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Wrt. development process: ease of use in development of secure systems.
User side: e.g. performance evaluation (acceptability of performance impact of security).
![Page 58: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/58.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Discussion
No absolute rules, but warnings.
Violation of rules symptom of potential trouble; review design to be sure that trouble accounted for or unimportant.
Design principles reduce number and seriousness of flaws.
![Page 59: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/59.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Security Patterns
Security patterns: use UML to encapsulate knowledgeof prudent security engineering.
Example:
Does not preserve security of account balance.
![Page 60: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/60.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Solution: Wrapper Pattern
Technically, pattern application is transformation of specification.
Use wrapper pattern to ensure that no low read after high write.Can check this is secure (once and for all).
![Page 61: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/61.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Secure channel pattern: problem
To keep d secret, must be sent encrypted.
![Page 62: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/62.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Secure channel pattern: (simple) solution
Exchange certificate and send encrypted data over Internet.
![Page 63: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/63.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile____________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools
![Page 64: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/64.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example: Proposed Variant of TLS (SSL)
Apostolopoulos, Peris, Saha; IEEE Infocom 1999Goal: send secret s protected by session key Kj.
![Page 65: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/65.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
TLS Variant: Physical view
Deployment diagram.
![Page 66: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/66.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
TLS Variant: Structural view
Class diagram
![Page 67: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/67.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
TLS Variant: Coordination view
Activity diagram.
![Page 68: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/68.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
TLS Variant: Interaction view
Sequence diagram.
![Page 69: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/69.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
The flaw
Surprise: S does not keep secrecy of s against
default adversaries with
Man-in-the-middle attack.
![Page 70: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/70.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
The attack
![Page 71: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/71.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
The fix
Thm: S’ keeps secrecy of s against default adversaries with
![Page 72: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/72.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Common Electronic Purse Specifications
Global electronic purse standard (90% of market).Smart card contains account balance. Chip performs
cryptographic operations securing the transactions.More fraud protection than credit cards (transaction-
bound authorisation).
![Page 73: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/73.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocolUnlinked, cash-based load transaction (on-line).
Load value onto card using cash at load device.
Load device contains Load Security Application Module (LSAM): secure data processing and storage.
Card account balance adjusted; transaction data logged and sent to issuer for financial settlement.
Uses symmetric cryptography.
![Page 74: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/74.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocol
![Page 75: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/75.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocol: Physical view
![Page 76: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/76.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocol: Structural view
![Page 77: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/77.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocol: Coordination view
![Page 78: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/78.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load protocol: Interaction view
![Page 79: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/79.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Security Threat ModelCard, LSAM, issuer security module assumed
tamper-resistant.Intercept communication links, replace
components.Possible attack motivations:• Cardholder: charge without pay• Load acquirer: keep cardholder's money • Card issuer: demand money from load
acquirerMay coincide or collude.
![Page 80: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/80.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Audit security
No direct communication between card and cardholder. Manipulate load device display.
Use post-transaction settlement scheme.
Relies on secure auditing.
Verify this here (only executions completed without exception).
![Page 81: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/81.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Security conditions (informal)
Cardholder security If card appears to have been loaded with m according to its logs, cardholder can prove to card Issuer that a load acquirer owes m to card issuer.
Load acquirer security Load acquirer has to pay m to card issuer only if load acquirer has received m from cardholder.
Card issuer security Sum of balances of cardholder and load acquirer remains unchanged by transaction.
![Page 82: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/82.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Load acquirer securitySuppose card issuer I possesses
mln=Signrn(cep::nt::lda::mn::s1::hcnt::hln::h2ln) and card C possesses rln, where hln = Hash (lda::cep::nt::rln).
Then after execution either of following hold:• Llog(cep,lda,mn,nt) has been sent to l:LLog (so load
acquirer L has received and retains mn in cash) or• Llog (cep, lda, 0, nt) has been sent to l : LLog (so L
returns mn to cardholder) and L has received rcnt
with hcnt=Hash(lda::cep::nt::rcnt) (negating mln)."mln provides guarantee that load acquirer owes
transaction amount to card issuer" (CEPS)
![Page 83: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/83.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Flaw
Theorem. L does not provide load acquirer security against adversaries of type insider with
Modification: use asymmetric key in , include signature certifying .
Verify this version wrt. above conditions.
![Page 84: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/84.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Further applications
• Analysis of multi-layer security protocol forweb application of major German bank
• Analysis of SAP access control configurationfor major German bank
• Risk analysis of critical business processesfor Basel II / KontraG
• Risk analysis of digital control systems in nuclear power plants
• …
![Page 85: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/85.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile____________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools
![Page 86: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/86.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Java Security
Originally (JDK 1.0): sandbox.
Too simplistic and restrictive.
JDK 1.2/1.3: more fine-grained security control, signing, sealing, guarding objects, . . . )
BUT: complex, thus use is error-prone.
![Page 87: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/87.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Java Security policies
Permission entries consist of:
• protection domains (i. e. URL's and keys)• target resource (e.g. files on local machine)• corresponding permissions (e.g. read, write,
execute)
![Page 88: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/88.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Signed and Sealed Objects
Need to protect integrity of objects used asauthentication tokens or transported across JVMs.
A SignedObject contains an object and itssignature.
Similarly, need confidentiality.
A SealedObject is an encrypted object.
![Page 89: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/89.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Guarded Objects
java.security.GuardedObject protects accessto other objects.• access controlled by getObject method• invokes checkGuard method on the
java.security.Guard that is guarding access• If allowed: return
reference. Otherwise: SecurityException
![Page 90: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/90.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Problem: Complexity• Granting of permission depends on execution context.
• Access control decisions may rely on multiple threads.• A thread may involve several protection domains.• Have method doPrivileged() overriding execution
context.
• Guarded objects defer access control to run-time.• Authentication in presence of adversaries can be subtle.• Indirect granting of access with capabilities (keys).
Difficult to see which objects are granted permission.
use UMLsec
→
�
![Page 91: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/91.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Design Process(1) Formulate access control requirements for
sensitive objects.(2) Give guard objects with appropriate access
control checks.(3) Check that guard objects protect objects
sufficiently.(4) Check that access control is consistent with
functionality.(5) Check mobile objects are sufficiently
protected.
![Page 92: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/92.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Reasoning
Theorem.Suppose access to resource according to
Guard object specifications granted only to objects signed with K.
Suppose all components keep secrecy of K.
Then only objects signed with K are granted access.
![Page 93: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/93.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example: Financial Application
Internet bank, Bankeasy, and financial advisor, Finance, offerservices to local user. Applets need certain Privileges (step1).• Applets from and signed by bank read and write financial data
between 1 pm and 2 pm.• Applets from and signed by Finance use micropayment key five times
a week.
![Page 94: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/94.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Financial Application: Class diagram
Sign and seal objects sent over Internet for Integrity and confidentiality.
GuardedObjects control access.
![Page 95: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/95.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Financial Application: Guard objects (step 2)
timeslot true between1pm and 2pm.
weeklimit true until access granted five times; inc ThisWeekincrements counter.
![Page 96: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/96.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Financial Application: ValidationGuard objects give sufficient protection (step 3).
Proposition. UML specification for guard objects only grants permissions implied by access permission requirements.
Access control consistent with functionality (step 4). Includes:
Proposition. Suppose applet in current execution context originates from and signed by Finance. Use of micropayment key requested (and less than five times before). Then permission granted.
Mobile objects sufficiently protected (step 5), since objects sent over Internet are signed and sealed.
![Page 97: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/97.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
CORBA access control
Object invocation access policy controls accessof a client to a certain object via a certain method.
Realized by ORB and Security Service.Use access decision functions to decide
whether access permitted. Depends on• called operation,• privileges of the principals in whose account
the client acts,• control attributes of the target object.
![Page 98: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/98.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example: CORBA access control with UMLsec
![Page 99: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/99.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Further Applications
• Analysis of multi-layer security protocolfor web application of major German bank
• Analysis of SAP access controlconfigurations for major German bank
• Risk analysis of critical businessprocesses (for Basel II / KontraG)
• …
![Page 100: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/100.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile____________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools
![Page 101: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/101.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Security Analysis
Model classes of adversaries.
May attack different parts of the systemaccording to threat scenarios.
Example: insider attacker may interceptcommunication links in LAN.
To evaluate security of specification, simulate jointly with adversary model.
![Page 102: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/102.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Security Analysis II
Keys are symbols, crypto-algorithms areabstract operations.
• Can only decrypt with right keys.
• Can only compose with availablemessages.
• Cannot perform statistical attacks.
![Page 103: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/103.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Abstract adversary
Specify set of initial knowledge of an adversary of type A.
To test secrecy of M Exp\ againstattacker type A: Execute S with mostpowerful attacker of type A according to threat scenario from deployment diagram.
M kept secret by S if M never output in clear.
∈
![Page 104: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/104.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Example: secrecy
Component sending {m}K::K Exp over Internet does not preserve secrecy of m or K againstdefault attackers the Internet. Componentsending (only) {m}K does.
Suppose component receives key K encryptedwith its public key, sends back {m}K.Does not preserve secrecy of m againstattackers eavesdropping on and insertingmessages on the link, but against attackersunable to insert messages. �
∈
![Page 105: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/105.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Tool-support: Concepts
Meaning of diagrams stated informally in (OMG 2003).
Ambiguities problem for• tool support• establishing behavioral properties (safety,
security)
Need precise semantics for used part of UML, especially to ensure security requirements.
![Page 106: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/106.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Formal semantics for UML
Diagrams in context (using subsystems).Model actions and internal activities explicitly.
Message exchange between objects orcomponents (incl. event dispatching).
Include adversary model arising from physicalenvironment in deployment diagram.
Use Abstract State Machines (pseudo-code).
![Page 107: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/107.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Tool-supported analysis
Choose drawing tool for UML specifications.
Commercial modelling tools: so far mainly syntactic checks and code-generation.
Analyze specifications via XMI (XML
Metadata Interchange).
![Page 108: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/108.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML Drawing Tools
Wide range of existing tools.
Consider some, selected under followingCriteria (Shabalin 2002):
• Support for all (UMLsec-) relevant diagramtypes.
• Support for custom UML extensions.• Availability (test version, etc).• Prevalence on the market.
![Page 109: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/109.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Selected Tools
• Rational Rose. Developed by major participant in development of UML; market leader.
• Visio for Enterprise Architect. Part of Microsoft Developer Studio .NET.
• Together. Often referenced as one of the best UML tools.
• ArgoUML. Open Source Project, therefore interesting for academic community. Commercial variant Poseidon.
![Page 110: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/110.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Comparison
Evaluated features:Support for custom UML extensions.• Model export; standards support; tool
interoperability.• Ability to enforce model rules, detect errors,
etc.• User interface quality.• Possibility to use the tool for free for academic
institutions.
![Page 111: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/111.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Rational Rose (Rational Software Corporation)
One of the oldest on the market.+ Free academic license.+ Widely used in the industry.+ Export to different XMI versions.- Insufficient support for UML extensions (customstereotypes yes; tags and constraints no).
- Limited support for checking syntactic correctness.- Very inconvenient user interface. Bad layout control.- Lack of compatibility between versions and with other
Rational products for UML modelling.
![Page 112: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/112.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Together from TogetherSoft
Widely used in the development community. Very good round-trip engineering between the UML model and the code.
+ Free academic license.+ Written in Java, therefore platform-independent.+ Nice, intuitive user interface.+ Export to different XMI versions; recommendations
which for which tool.- Insufficient support for UML extensions (custom
stereotypes yes; tags and constraints no).
![Page 113: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/113.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Visio from Microsoft Corporation
Has recently been extended with UML editing support.
+ Good user interface.+ Full support for UML extensions.+ Very good correspondence to UML standard.
Checks dynamically for syntactic correctness; suggestions for fixing errors.
- No free academic license.- Proprietary, undocumented file format; no export to
XMI or other tools.- No round-trip engineering support. No way back after
code generation.
![Page 114: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/114.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
ArgoUML / Poseidon
ArgoUML: Open Source Project. Commercialextension Poseidon (Gentleware), sameinternal data format.
+ Open Source.+ Written in Java, therefore platform-
independent.+ XMI default model format.+ Solid mature product with good UML
specification support.
![Page 115: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/115.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Tool-supported analysisCommercial modelling tools: so far mainly
syntactic checks and code-generation.
Goal: more sophisticated analysis; connection to verification tools.
Several possibilities:
• General purpose language with integrated XML parser (Perl, …)
• Special purpose XML parsing language (XSLT, …)
• Data Binding (Castor; XMI: e.g. MDR)
![Page 116: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/116.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Data-binding with MDR
Extracts data from XMI file into Java Objects, following UML 1.4 meta-model.
Access data via methods.
Advantage: No need to worry about XML.
![Page 117: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/117.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Definition
• MDR = MetaData Repository– Load and Store a MOF Metamodel– Instantiate and Populate a Metamodel– Generate a JMI (Java Metadata Interface)
Definition for a Metamodel– Access a Metamodel Instance
![Page 118: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/118.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
UML Processing
MDRMOF[UML 1.4] UML 1.4
MyUml
MyApp
generate
JMI
![Page 119: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/119.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
MDR Standards
• MOF (Meta Object Facility) Abstract format for describing metamodels
• XMI (XML Metadata Interchange)Defines XML format for a MOF metamodel
• JMI (Java Metadata Interface)Defines mapping from MOF to Java
![Page 120: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/120.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
MOF Architecture• Meta-Metamodel (M3)
– defined by OMG
• Metamodels (M2)
– user-defined– e.g. UML 1.5, MOF, CWM
– can be created with uml2mof
• Business Model (M1)
– instances of Metamodels
– e.g. UML class diagram• Information (M0)
– instance of model
– e.g. implementation of UML modelled classes in Java
![Page 121: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/121.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
MOF (Meta Object Facility)
OMG Standard for Metamodeling
(Bob Marley, 1975) (Bonn)- Running Program
Data
Person, House, City- UML model
Model
Class, Attribute, Dependency- UML (as language), CWM
Metamodel
MetaClass, MetaAssociation- MOF Model
Meta-Metamodel
![Page 122: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/122.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
JMI: MOF Interfaces• IDL mapping for
manipulating Metadata– API for manipulating
information contained in an instance of a Metamodel
– MOF is MOF compliant!– Metamodels can be
manipulated by this IDL mapping
– JMI is MOF to Java mapping
– JMI has same functionality
• Reflective APIs– manipulation of
complex information– can be used without
generating the IDL mapping
– MDR has implemented these interfaces
![Page 123: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/123.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Netbeans MDR-Explorer• Part of Netbeans IDE• Browse Repositories• Create Instances• Load XMI Data• Generate JMI
Interfaces• Shows
– Extents– Metamodels– Instances
![Page 124: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/124.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
MDR Repository: Loading Models• Metamodel is
instance of another Metamodel
• Loading Model = Loading Metamodel
• Needed Objects:– MDRepository– MofPackage– XMISaxReaderImpl
• Java Code-Snippet:MDRepos i t or y r ep;
Uml Package uml ;
/ / Obj ekt e er zeugen:
r ep =
MDRManager . get Def aul t ( ) . get Def aul t Reposi t or y ( );
r eader =
( XMI SaxReader I mpl ) Lookup. get Def aul t ( ) . l ookup(
Xmi Reader . c l ass) ;
/ / l oadi ng ext ent :
uml = ( Uml Package) r ep. get Ext ent ( „ name“ ) ;
/ / cr eat i ng Ext ent :
uml = ( Uml Package) r ep. cr eat eExt ent ( „ name“ ) ;
/ / l oadi ng XMI :
r eader . r ead( „ ur l “ , Mof Package) ; ,
![Page 125: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/125.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
MDR Repository: Reading Data• Requires open
Repository and Package• Requires JMI Interfaces• Problem: where is the
data I need?• To find Objects:
– open Model in MDR-Explorer
– browse to the desired Element
– use the getter Functions to retrieve the element
• Example: Loading UML Class:
I t er at or i t = uml . get Cor e( ) . get Uml Cl ass() . r ef Al l Of Cl ass( ) . i t er at or( ) ;
whi l e ( i t . hasNext ( ) ) {
Uml Cl ass uc = ( uml Cl ass) i t . next ( ) ;
/ / . . do anyt hi ng wi t h Uml Cl ass . .
}
![Page 126: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/126.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Connection with analysis tool
Industrial CASE tool with UML-like notation: AUTOFOCUS (http://autofocus. informatik.tu-muenchen.de)
• Simulation• Validation (Consistency, Testing, Model Checking)• Code Generation (e.g. Java, C, Ada)• Connection to Matlab
Connect UML tool to underlying analysisengine.
![Page 127: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/127.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
![Page 128: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/128.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Some resourcesBook: Jan Jürjens, Secure Systems Development
with UML, Springer- Verlag, due 2003
Follow- on Tutorials: Sept: FME (Pisa), FDL (Frankfurt), SAFECOMP (Edinburgh), FORTE (BERLIN); Oct: Informatik (Frankfurt)
Special SoSyM issue on Critical Systems Development with UML
CSDUML’03 @ UML’03 conference (Oct. in SFO)
More information (slides etc.): http://www4.in.tum.de/~juerjens/csdumltut (user Participant, password Iwasthere)
![Page 129: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/129.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Finally
We are always interested in industrial challenges for our tools, methods,and ideas to solve practical problems.More info: http://www4.in.tum.de/~secse
Contact me here or via Internet.
Thanks for your attention !
![Page 130: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/130.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
BREAK ! (until 3.30 pm)
Note:
We are always interested in industrial challenges for our tools, methods,and ideas to solve practical problems.More info: http://www4.in.tum.de/~secse
Contact me here or via Internet.
![Page 131: Secure Enterprise Applications with UMLsolved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham). ... Activity diagram:](https://reader030.fdocuments.in/reader030/viewer/2022040816/5e5dfd5655cf4f44695b9394/html5/thumbnails/131.jpg)
Jan Jürjens, TU Munich: Critical Systems Development with UML
Roadmap
PrologueUMLUMLsec: The profile_____________________________________
Security patternsCase studiesUsing Java security, CORBAsecTools