nach oben

Innovations in Systems and Software Engineering

Erschienen in:

08.10.2015 | Original Paper

Security patterns modeling and formalization for pattern-based development of secure software systems

verfasst von: B. Hamid, S. Gürgens, A. Fuchs

Erschienen in: Innovations in Systems and Software Engineering | Ausgabe 2/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Pattern-based development of software systems has gained more attention recently by addressing new challenges such as security and dependability. However, there are still gaps in existing modeling languages and/or formalisms dedicated to modeling design patterns and the way how to reuse them in the automation of software development. The solution envisaged here is based on combining metamodeling techniques and formal methods to represent security patterns at two levels of abstraction to fostering reuse. The goal of the paper is to advance the state of the art in model and pattern-based security for software and systems engineering in three relevant areas: (1) develop a modeling language to support the definition of security patterns using metamodeling techniques; (2) provide a formal representation and its associated validation mechanisms for the verification of security properties; and (3) derive a set of guidelines for the modeling of security patterns within the integration of these two kinds of representations.

Vorheriger Artikel Capturing autonomy features for unmanned spacecraft with ARE, the autonomy requirements engineering approach

Nächster Artikel Run-time monitoring using bounded constraint instance discovery within big data streams

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

http://www.semcomdt.org.

http://www.teresa-project.org/.

Yoder J, Barcalow J (1998) Architectural patterns for enabling application security. In: Conference on pattern languages of programs (PLoP 1997)

Schumacher M (2003) Security engineering with patterns—origins, theoretical models, and new applications, vol 2754 of Lecture notes in computer science. Springer http://www.springerlink.com/openurl.asp?genre=issue&issn=0302-9743&volume=2754

Selic B (2003) The pragmatics of model-driven development. IEEE Softw 20(5):19–25CrossRef

Atkinson C, Kühne T (2003) Model-driven development: a metamodeling foundation. IEEE Softw 20(5):36–41CrossRef

Uzunov AV, Fernandez EB, Falkner K (2012) Securing distributed systems using patterns: a survey. J Comput Secur 31(5):681–703CrossRef

Hamid B, Geisel J, Ziani A, Bruel J, Perez J (2013) Model-driven engineering for trusted embedded systems based on security and dependability patterns. In: SDL Forum, pp 72–90

The TLS protocol version 1.2, rfc5246 (2008)

Hamid B, Gürgens S, Jouvray C, Desnos N (2011) Enforcing S&D pattern design in RCES with modeling and formal approaches. In: Whittle J (ed) ACM/IEEE international conference on model driven engineering languages and systems (MODELS), Wellington, 16/10/2011-21/10/2011, vol 6981, Springer, pp 319–333

Giacomo VD et al (2008) Using security and dependability patterns for reaction processes. IEEE Computer Society, pp 315–319

10.

Yoshioka N, Washizaki H, Maruyama K (2008) A survey of security patterns. Prog Inform 5:35–47CrossRef

11.

Daniels F (1997) The reliable hybrid pattern: a generalized software fault tolerant design pattern. In: Proceedings of pattern language of programs, pp 1–9

12.

Tichy M et al (2004) Design of self-managing dependable systems with uml and fault tolerance patterns, ACM, pp 05–109

13.

Maña A, Fernandez E, Ruiz J, Rudolph C (2013) Towards computer-oriented security patterns. In: The 20th international conference on pattern languages of programs PLoP13

14.

Guennec AL, Sunyé G, Jézéquel J-M (2000) Precise modeling of design patterns. In: Proceedings of the unified modeling language (UML 00), vol 1939, Springer, pp 482–496

15.

Kim D-K, France R, Ghosh S, Song E (2004) A uml-based meta-modeling language to specify design patterns. In: Proceedings of the Workshop on Software Model Engineering (WiSME) at UML 2003

16.

Gasparis AHEE, Nicholson J (2008) Lepus3: an object-oriented design description language. In: Stapleton G et al (eds) DIAGRAMS, LNAI 5223, pp 364–367

17.

Gamma E, Helm R, Johnson RE, Vlissides J (1995) Design patterns: elements of reusable object-oriented software. Addison-Wesley, Longman Publishing Co., Inc., BostonMATH

18.

Douglass BP (1998) Real-time UML: developing efficient objects for embedded systems. Addison-Wesley, Longman Publishing Co., Inc., Boston

19.

Mapelsden JGD, Hosking J (2002) Design pattern modelling and instantiation using dpml. In: CRPIT ’02: Proceedings of the 40th international conference on tools Pacific, Australian Computer Society, Inc., pp 3–11

20.

Serrano D, Mana A, Sotirious A-D (2008) Towards precise and certified security patterns. In: Proceedings of 2nd international workshop on secure systems methodologies using patterns (Spattern 2008), IEEE Computer Society, pp 287–291

21.

Boussaidi GE, Mili H (2005) Representing and applying design patterns: what is the problem?. In: Proceedings of the ACM/IEEE 8th international conference on model driven engineering languages and systems (MODELS), Springer, pp 186–200

22.

Maña A, Damiani E, Gürgens S, Spanoudakis G (2014) Extensions to pattern formats for cyber physical systems. In: Proceedings of the 31st conference on pattern languages of programs (PLoP 14)

23.

Jürjens J (2002) Umlsec: extending uml for secure systems development. In: Proceedings of the 5th international conference on the unified modeling language, UML ’02, Springer-Verlag, London, UK, pp 412–425

24.

Lodderstedt T, Basin D, Doser J (2002) Secureuml: a uml-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language, UML ’02, Springer-Verlag, London, UK, pp 426–441

25.

Hamid B, Radermacher A, Lanusse A, Jouvray C, Gérard S, Terrier F (2008) Designing fault-tolerant component based applications with a model driven approach. In: The IFIP workshop on software technologies for future embedded and ubiquitous systems (SEUS). Lecture notes in computer science, Springer, pp 9–20

26.

Basin D, Doser J, Lodderstedt T (2006) Model driven security: from UML models to access control infrastructures. ACM Trans Softw Eng Methodol (TOSEM) 15(1):39–91CrossRef

27.

Basin D, Clavel M, Doser J, Egea M (2009) Automated analysis of security-design models. Inf Softw Technol 51:815–831CrossRef

28.

Jensen J, Jaatun MG (2011) Security in model driven development: a survey. In: Proceedings of the 2011 6th international conference on availability, reliability and security. ARES ’11, IEEE Computer Society, pp 704–709

29.

Lucio L, Zhang Q, Nguyen PH, Amrani M, Klein J, Vangheluwe H, Traon YL (2014) Advances in model-driven security. Adv Comput 93:103–152CrossRef

30.

McDonald J, Oualha N, Puccetti A, Hecker A, Planchon F (2013) Application of ebios for the risk assessment of ict use in electrical distribution sub-stations. In: PowerTech (POW- ERTECH), IEEE, pp 1–6

31.

Braber F, Hogganvik I, Lund MS, Stlen K, Vraalsen F (2007) Model-based security analysis in seven steps—a guided tour to the corasc method. BT Technol J 25(1):101–117CrossRef

32.

Srivatanakul T, Clark JA, Polack F (2004) Effective security requirements analysis: Hazop and use cases, information security. Lect Notes Comput Sci 3225:416–427CrossRef

33.

Schneier B Attack trees, modeling security threats. Dr. Dobbs J December 1999

34.

Rodano M, Giammarc K (2013) A formal method for evaluation of a modeled system architecture. Procedia Comput Sci 20:210–215CrossRef

35.

Landwehr CE (1981) Formal models for computer security. ACM Comput Surv 13:247–278CrossRef

36.

Devanbu P, Stubblebine S, Premkumar SS, Devanbu T (2000) Software engineering for security—a roadmap. In: Proceedings of the conference on the future of software engineering, ICSE ’00, ACM, pp 227–239

37.

Lee AJ, Boyer JP, Olson LE, Gunter CA (2006) Defeasible security policy composition for web services. In: Proceedings of the 4th ACM workshop on formal methods in security, ACM, pp 45–54

38.

Bruns G, Dantas DS, Huth M (2007) A simple and expressive semantic framework for policy composition in access control. In: Proceedings of the 2007 ACM workshop on formal methods in security engineering, ACM, pp 12–21

39.

Bruns G, Huth M (2011) Access control via belnap logic: intuitive, expressive, and analyzable policy composition. ACM Trans Inf Syst Secur (TISSEC) 14(1):1–27CrossRef

40.

Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36CrossRefMATH

41.

Paulson L (1996) Proving properties of security protocols by induction. Technical report 409, Computer Laboratory, University of Cambridge

42.

Lowe G (1995) An attack on the Needham-Schroeder public-key protocol. Inf Process Lett 56(3):131–133CrossRefMATH

43.

Roscoe B, Ryan P, Schneider S, Goldsmith M, Lowe G (2000) The modelling and analysis of security protocols. Addison Wesley, Boston

44.

AVISPA The HLPSL tutorial. A beginner’s guide to modelling and analysing internet security protocols. http://www.avispa-project.org

45.

Chevalier Y, Compagna L, Cuellar J, Hankes DP, Mantovani J, Mdersheim S, Vigneron L (2004) A high level protocol specification language for industrial security-sensitive protocols. In: Workshop on specification and automated processing of security requirements (SAPS 2004)

46.

Gürgens S, Rudolph C Security analysis of (un-) fair non-repudiation protocols. In: Proceedings of Formal Aspects of Security, vol 2629, Springer 2003, pp 97–114

47.

Gürgens S, Rudolph C, Scheuermann D, Atts M, Plaga R (2007) Security evaluation of scenarios based on the TCG’s TPM specification. In: Biskup J, Lopez J (eds) Computer security—ESORICS 2007, vol 4734 of Lecture notes in computer science, Springer Verlag

48.

Fuchs A, Gürgens S, Apvrille L, Pedroza G (2010) D3.4.3—on-board architecture and protocols verification. Technical report. EVITA-Project

49.

Gürgens S, Ochsenschläger P, Rudolph C (2005) On a formal framework for security properties. Int Comput Stand Interface J (CSI). Special issue on formal methods, techniques and tools for secure and reliable applications 27(5):457–466

50.

Zdun U, Avgeriou P (2005) Modeling architectural patterns using architectural primitives. In: Proceedings of the 20th annual ACM SIGPLAN conference on object-oriented programming, systems, languages, and applications, OOPSLA ’05, ACM, New York, NY, USA, pp 133–146

51.

Ziani A, Hamid B, Trujillo S (2011) Towards a unified meta-model for resources-constrained embedded systems. In: 37th EUROMICRO conference on software engineering and advanced applications, IEEE, pp 485–492

52.

OMG, Omg (2008) A uml profile for marte: modeling and analysis of real-time embedded systems,beta 2. http://www.omgmarte.org/Documents/Specifications/08-06-09.pdf

53.

OMG, OCL 2.2 Specification (2010) http://www.omg.org/spec/OCL/2.2

54.

Avizienis A, Laprie J-C, Randell B, Landwehr C (2004) Basic concepts and taxonomy of dependable and secure computing. IEEE Trans Dependable Secure Comput 1:11–33CrossRef

55.

Schumacher M, Fernandez-Buglioni E, Hybertson D, Buschmann F, Sommerlad P (2006) Security patterns: integrating security and systems engineering. John Wiley & Sons, Chichester

56.

Fuchs A, Gürgens S, Rudolph C (2010) A formal notion of trust—enabling reasoning about security properties. In: Preceedings of 4th IFIP WG 11.1 international conference on trust management

57.

Fuchs A, Gürgens S, Lincke N, Weber D (2012) D5.2 & d5.4—application of formal validation to relevant examples & guidelines for platform dependent implementation v1. Technical report. TERESA-Project

58.

Gürgens S, Ochsenschläger P, Rudolph C (2003) Parameter confidentiality. In: Informatik 2003—Teiltagung Sicherheit, Gesellschaft für Informatik

59.

Gürgens S, Ochsenschläger P, Rudolph C (2002) Authenticity and provability—a formal framework. In: Infrastructure security conference InfraSec 2002, vol 2437 of Lecture notes in computer science. Springer Verlag, pp 227–245

60.

Gürgens S, Ochsenschläger P, Rudolph C (2005) Abstractions preserving parameter confidentiality. In: European symposium on research in computer security (ESORICS 2005), pp 418–437

61.

Fuchs A, Gürgens S (2011) D05.1 Formal models and model composition. Technical report. ASSERT4SOA Project

62.

Fuchs A, Gürgens S (2012) D5.1v2.5—formal validation approach. Technical report. TERESA-Project

63.

Fuchs A, Gürgens S, Rudolph C (2011) Formal notions of trust and confidentiality—enabling reasoning about system security. J Inf Process 19:274–291

64.

Powel DB (2003) Real-time design patterns: robust scalable architecture for real-time systems. The Addison-Wesley object technology series. Addison-Wesley, Boston, San Francisco, Paris

65.

Compagna L, El Khoury P, Harjani R, Kloukinas C, Li K, Maña A, Muñoz A, Pujol G, Ruiz JF, Saidane A, Serrano D, Sinha SK, Spanoudakis G (2008) A5.D2.5—patterns and integration schemes languages. Technical report. SERENITY-Project

66.

OMG, OMG Unified Modeling Language (OMG UML) (2009) Superstructure. http://www.omg.org/spec/UML/2.2/Superstructure

67.

OMG, OCL 2.2 Specification (2010)

Titel: Security patterns modeling and formalization for pattern-based development of secure software systems
verfasst von: B. Hamid
S. Gürgens
A. Fuchs
Publikationsdatum: 08.10.2015
Verlag: Springer London
Erschienen in: Innovations in Systems and Software Engineering / Ausgabe 2/2016
Print ISSN: 1614-5046
Elektronische ISSN: 1614-5054
DOI: https://doi.org/10.1007/s11334-015-0259-1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 2/2016

Regression test size reduction using improved precision slices

Run-time monitoring using bounded constraint instance discovery within big data streams

Metrics for V&V of cyber defenses

Capturing autonomy features for unmanned spacecraft with ARE, the autonomy requirements engineering approach