This document presents a UML profile called UMLassure that can be used to model security requirements in software systems. UMLassure extends UML with stereotypes and tagged values to represent security concepts like cross-site scripting and SQL injection. The profile helps automate the translation of non-functional security requirements from design artifacts into code. An example application demonstrates how UMLassure can be used to model threats and avoid vulnerabilities in a case study.

1. UMLassure: A UML profile to model security requirements in software systems Presented by Manish Thaper(2007068) Supervised by Prof. ChandrashekarRamanathan International Institute of Information Technology, Bangalore

2. Welcome HARDWARE SOFTWARE EVERYWARE++ ++ http://designmind.frogdesign.com/events/software-hardware-everyware.html

3. So are …..

4. Whatever ! the Information flow must continue.

5. Hence a business case to…. Furthermore, the need for an expert software solution provider will never die.

6. Thesis background

7. A software solution…. …is composed of [2] Functional requirement (FR) A software should increase information availability Non-functional requirement (NFR) Security, reliability, performance, usability

8. Software development phases. Thesis focused at transition from Design to Construction

9. Problem Statement Software fraternity has long been attempting an improved translation of requirements and design artifacts into construction and deployment phases. A successful examples exists on automating translation of functional requirements. Our research is on devising an approach to automate translation of the forgotten non-functional requirements from artifacts into construction.

10. Literature survey “If I have seen further it is by standing on the shoulders of giants.” Newton - 1675

11. Literature survey Goal requirement languages[23] Threat modeling[11] Misuse Case [5] cited in [19] Control Case[14] UMLsec [15, 16, 17] UMLintr [12], other citations [18, 21] Using uml to reflect nonfunctional Requirements [2] (using LEL)

12. Proposed approach“UMLassure” – A UML profile

13. UMLassure: helps in modeling… Software System Figure1 Actions, Actors and Assets [4] UMLassure[20] aid in modeling secure Actions. Related work focused on modeling Actors and Assets

15. Benefits of UMLassure

16. Code comments, alerts – Helps developers, testers

17. A controlled access to expensive Assets by Actors through secure Actions

18. Potential applications of UMLassure

19. Higher translation from model to code

21. Software implementation

22. Results – UML profile Stereotype <STEREOTYPE> <NAME>xss</NAME> <DESCRIPTION> To check ’cross-site scripting’ </DESCRIPTION> <BASECLASSES> <BASECLASS>UMLClass</BASECLASS> </BASECLASSES> </STEREOTYPE> Tagged value <TAGDEFINITIONSET> <NAME>xss</NAME> <BASECLASSES> <BASECLASS>UMLAttribute</BASECLASS> </BASECLASSES> <TAGDEFINITIONLIST> <TAGDEFINITION> <NAME>AttributeName</NAME> <TAGTYPE>String</TAGTYPE> </TAGDEFINITION>

23. Results – XML stylesheet (XSLT) XSLT sample file <xsl:apply-templates select="//XMI.content"/> </body> </html> </xsl:template> <xsl:template match="XMI.content"> <xsl:for-each select="UML:Model/UML:Namespace.ownedElement/UML:Model /UML:Namespace.ownedElement/UML:Class">

24. Results – XML stylesheet (XSLT) <xsl:value-of select="@visibility"/> <xsl:text disable-output-escaping="yes">   class  </xsl:text> <xsl:value-of select="@name"/> <xsl:text disable-output-escaping="yes"> ….. cntd

25. Results – Sample code representation public class Organization { // Here goes the class contents X.53 organizationName X.53 organizationURL public getOrganizationName ( ) { // Method code goes here } public getOrganizationURL ( ) { // Method code goes here

26. Results – Sample code representation } private setOrganizationName ( ) { // Method code goes here …. cntd

27. Conclusion Non-functional requirements are critical for successful software development Static analysis tools remove bugs in software However, more efforts are required to minimize the design flaws

29. Purely mathematical modeling languages are not well understood by ALLstakeholders without sufficient mathematical backgroundUML profile provides an extension to UML at meta-model level UML profile being specific to a platform, provides higher model to codetranslation

30. Limitations Number of security threats run into hundreds This work demonstrated using four only. Security threats are tightly coupled to software under development Two out of four threats considered in this thesis are applicable to web applications only. At this stage approach may be too naïve yet it’s a good beginning.

31. Future work This work demonstrates using class diagrams only… An extension over to behavioral diagram will be a necessary work in near future. Translations from design to construction phase discussed here can be improvised further. Extend this work to augment construction and deployment phases.

32. Image references World map http://onearth.jpl.nasa.gov/examples/wms_gm_r2.jpeg Bug http://i.zdnet.com/blogs/istock_000002369355xsmall.jpg Crimeware http://www.cigital.com/justiceleague/wp-content/uploads/2008/04/crimeware.jpg Telegraph http://www.thecanadianencyclopedia.com/featuremedia/feature137/TelegraphMachine.jpg

33. Image references Apple iPhone http://noiseblogger.com/wp-content/uploads/2009/02/apple-iphone-keyboard.jpg Information rings http://www.future-gadgets.com/wp-content/uploads/2008/01/information-ring1.jpg Issac Newton http://www.linnaeus.uu.se/online/matematik/bilder/newton.jpg

34. Literature references [1] Yu E. Chung L, Nixon B and Mylopoulos J., Non-functional requirements in software engineering, Kluwer Academic Publishers, 2000. [2] LuizMarcioCysneiros and Julio Cesar Sampaio do Prado Leite, Using uml to reflect nonfunctional requirements, Proceedings of the 2001 conference of the Centre for Advanced Studies on Collaborative research, Centre for Advanced Studies Toronto, November 05-07, 2001. [3] J. Doser D. Basin and T. Lodderstedt., Model driven security: From uml models to access control infrastructures., ACM Transactions on Software Engineering and Methodology. Vol.15, No. 1, January 2006, ACM, 2006, p. pp 3991. [4] Markus Schumacher et. al., Security patterns: integrating security and systems engineering, John Wiley and Sons, Ltd., 2006.

35. Literature references [5] Sindre G. and Opdahl A.L., Eliciting security requirements by misuse cases, Proceedings of the TOOLS Pacific 2000, TOOLS Pacific, November 20-23, 2000, pp. pp 120–131. [6] Object Management Group, Model driven architecture., Object Management Group, 2002. [7] _________, Omgs official uml documentation site., Object Management Group, 2002. [8] _________, Omgsuml profile catalogue., Object Management Group, 2002. [9] _________, Uml profile for schedulability,performance and time, Object Management Group, 2002. [10] Kim Hamilton and Russel Miles, Learning uml 2.0, O’Reilly. [11] Michael Howard and David LeBlanc, Writing secure code, Microsoft Press, 2003. [12] Mohammed Hussein and Mohammad Zulkernine, Umlintr:auml profile for specifying intrusions, Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering

36. Literature references of Computer Based Systems (ECBS06), IEEE, 2006. [13] Leite J.C.S.P. and A.P.M. Franco, A strategy for conceptual model acquisition, Proceedings of the First IEEE International Symposium on Requirements Engineering, SanDiego, Ca, IEEE Computer Society Press, 1993, pp. pp 243–246. [14] Christopher J. Pavlovski. Joe Zou, Modeling architectural non functional requirements: From use case to control case, IEEE International Conference on eBusiness Engineering (ICEBE06), IEEE, 2006. [15] J. Jurjens, Towards development of secure systems using uml., In H. Hubmann, editor, Fundamental Approaches to Software Engineering (FASE/ETAPS, International conference), Springer, Genova, Italy, 2001, p. pp 3991.

37. Literature references [16] _________ , Using umlsec and goal trees for secure systems development, SAC 2002, Madrid, Spain, ACM, 2002. [17] _________ , Secure system development with uml, Springer-Verlag, 2005. [18] Axelsson S., Intrusion detection systems: A survey and taxonomy, Technical report 99-15, Department of Computer Engineering, Chalmers University of Technology, Goteborg, Sweden, March 2000. [19] Asoke K. Talukder and Manish Chaitanya, Architecting secure software systems, Auerbach Publications, 2008. [20] Manish Thaper and ChandrashekarRamanathan, Umlassure: A uml profile assuring a secure software, Proceedings of the 2009 International Conference on Software Technology and

38. Literature references Engineering ”to appear”, World Scientific Press, July 24-26, 2009. [21] Eckmann S.T. Vigna G and Kemmerer R.A., Attack languages, Proceedings of the IEEE Information Survivability Workshop, Boston, MA, IEEE, 2000. [22] ManoochAzmoodehXiaoqing (Frank) Liu and NektariosGeorgalas, Specification of nonfunctional requirements for contract specification in the ngoss framework for quality management and product evaluation, Fifth International Workshop on Software Quality, IEEE, 2007. [23] University of Toronto, Canada website - http://www.cs.toronto.edu/km/GRL/