UMLsec

From HandWiki

UMLsec is an extension to the Unified Modeling Language for integrating security related information in UML specifications. This information can be used for model-based security engineering. Most security information is added using stereotypes and covers many security properties including secure information flow, confidentiality, and access control. Using an attacker model these properties can be checked on a model level.

Development

It was first proposed by Jürjens et al. in 2002[1] and later revised and extended by the same author.[2]

Profile definition

UMLsec is defined as a lightweight extension for UML.[3]

The profile is defined through a set of prototypes with properties (tag definitions) and constraints. UMLsec defines 21 stereotypes listed below.

Stereotype Base class Tags Description
fair exchange subsystem start, stop, adversary enforce the fair exchange principle on communication. That is, ensure no cheating of cooperating parties.
provable subsystem action, cert, adversary provide evidence of activities to obtain non-repudiation.
rbac subsystem protected, role, right enforce role-based access control.
Internet
link Internet connection. It is assumed to be susceptible to message deletion, addition, and content exposure by the default attacker.
encrypted link model an encrypted connection. It is assumed to be susceptible to message deletion by the default attackers.
LAN link, node LAN connection or a LAN network (node). It is assumed to be unaffected by the default external attacker.
wire link wire connection. It is assumed to be unaffected by the default external attacker.
smart card
POS device
issuer node
node Nodes with varying protection mechanisms. Adversary definitions determine to what extent these nodes may be tampered with. They are assumed to be unaffected by the default external attacker.
secrecy
integrity
high
dependency dependency that indicates an assumption of secrecy and integrity as well as high sensitivity.
critical object
subsystem
secrecy,
integrity,
authenticity,
high, fresh
label a system or object as critical. Tags are used to define in what respect the system/object is critical.
secure links subsystem adversary enforce secure communication links under the defined adversary model.
secure dependencies subsystem ensure that secure dependencies are met.
data security subsystem adversary,
integrity,
authenticity
enforce basic security requirements under the defined adversary model.
no down-flow,
no up-flow
subsystem ensure secure information flow.
guarded access subsystem ensure that guarded objects are accessed only through their guards.
guarded object guard specify a guarded object that can only be accessed through the object specified by the guard tag.

Adversary model

To ensure security it is necessary to specify what kind of attacker is assumed. In UMLsec, the attacker model is defined through the threats that it poses. The table below defines the default adversary. Other adversaries may of course be defined.

Stereotype Threatsdefault()
Internet {delete, read, insert}
encrypted {delete}
LAN
wire
smart card
POS device
issuer node

References

  1. Jürjens, J. UMLsec: Extending UML for secure systems development. UML 2002 —The Unified Modeling Language (2002), 1–9.
  2. Jürjens, J. Secure Systems Development with UML, 1 ed. Springer, 2005.
  3. OMG. Unified Modeling Language Superstructure version 2.2. The Object Management Group, February 2009. http://www.omg.org/spec/UML/2.2/Superstructure