Verification and Trade-Off Analysis of Security Properties in UML System Models
May/June 2010 (vol. 36 no. 3)
pp. 338-356
Geri Georg, Colorado State University, Fort Collins, CO
Kyriakos Anastasakis, University of Birmingham, Birmingham, UK
Behzad Bordbar, University of Birmingham, Birmingham, UK
Siv Hilde Houmb, Telenor GBDR, Trondheim, Norway
Indrakshi Ray, Colorado State University, Fort Collins, CO
Manachai Toahchoodee, Colorado State University, Fort Collins, CO
Designing secure systems is a nontrivial task. Incomplete or faulty designs can cause security mechanisms to be incorrectly incorporated in a system, allowing them to be bypassed and resulting in a security breach. We advocate the use of the Aspect-Oriented Risk-Driven Development (AORDD) methodology for developing secure systems. This methodology begins with designers defining system assets, identifying potential attacks against them, and evaluating system risks. When a risk is unacceptable, designers must mitigate the associated threat by incorporating security mechanisms methodically into the system design. Designers next formally evaluate the resulting design to ensure that the threat has been mitigated, while still allowing development to meet other project constraints. In this paper, we focus on the AORDD analysis, which consists of: 1) a formal security evaluation and 2) a trade-off analysis that enables system designers to position alternative security solutions against each other. The formal security evaluation uses the Alloy Analyzer to provide assurance that an incorporated security mechanism performs as expected and makes the system resilient to previously identified attacks. The trade-off analysis uses a Bayesian Belief Network topology to allow equally effective security mechanisms to be compared against system security requirements and other factors such as time-to-market and budget constraints.
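The two analysis steps in the abstract, as an added example that is not the paper's own model or code: a bounded, exhaustive state-space search stands in for the Alloy Analyzer (every trace up to a fixed scope is explored, and a reachable breach is returned as a counterexample trace), and exact inference over a small Bayesian belief network stands in for the trade-off tool. The system model is a constructed login exchange with a replay-only eavesdropper, the candidate designs ("password as-is", two challenge-response implementations), the node set (budget, schedule, requirement coverage, fitness) and every probability are assumptions made for the illustration, not values from the paper.

```python
"""Toy version of the two AORDD analysis steps: a bounded, Alloy-style
exhaustive check of a login design against a replay attacker, then a small
Bayesian belief network ranking the designs that survive. Constructed
example; models, names and probabilities are not the paper's."""
from collections import deque
from itertools import product

SECRET = "alice-pw"  # credential shared by Alice and the server (constructed)

def server_accepts(mech, msg, nonces):
    """'password' compares the raw credential; 'challenge' models H(secret, n)
    as the pair (secret, n) and requires n to be outstanding (issued, unused)."""
    token = msg[1]
    if mech == "password":
        return token == SECRET
    return token[0] == SECRET and token[1] in nonces

def successors(mech, state, scope):
    """State = (outstanding nonces, next nonce, attacker's captures, breached).
    Delivery is atomic; the attacker only eavesdrops and replays."""
    nonces, nxt, known, breached = state
    out = []
    if mech == "challenge" and nxt < scope:  # server issues a fresh nonce
        out.append(("issue_nonce", (nonces | {nxt}, nxt + 1, known, breached)))
    tokens = [SECRET] if mech == "password" else [(SECRET, n) for n in nonces]
    for tok in tokens:  # Alice logs in; the attacker sees the message
        left = nonces - {tok[1]} if mech == "challenge" else nonces
        out.append(("alice_logs_in", (left, nxt, known | {("alice", tok)}, breached)))
    for msg in known:  # attacker replays a capture; rejected replays change nothing
        if server_accepts(mech, msg, nonces):
            left = nonces - {msg[1][1]} if mech == "challenge" else nonces
            out.append(("attacker_replays", (left, nxt, known, True)))
    return out

def find_attack(mech, scope=3):
    """BFS over every trace of at most `scope` steps (the analogue of an Alloy
    scope). Returns the first trace that authenticates the attacker, or None."""
    init = (frozenset(), 0, frozenset(), False)
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, trace = queue.popleft()
        if state[3]:
            return trace
        if len(trace) == scope:
            continue
        for action, new in successors(mech, state, scope):
            if new not in seen:
                seen.add(new)
                queue.append((new, trace + [action]))
    return None

def enumerate_ask(query, evidence, bn):
    """Exact inference by enumeration. bn = {var: (parents, domain, cpt)} with
    cpt[parent_values][value]; insertion order must be topological."""
    def enum_all(vars_, ev):
        if not vars_:
            return 1.0
        parents, domain, cpt = bn[vars_[0]]
        row = cpt[tuple(ev[p] for p in parents)]
        if vars_[0] in ev:
            return row[ev[vars_[0]]] * enum_all(vars_[1:], ev)
        return sum(row[x] * enum_all(vars_[1:], {**ev, vars_[0]: x}) for x in domain)
    dist = {x: enum_all(list(bn), {**evidence, query: x}) for x in bn[query][1]}
    z = sum(dist.values())
    return {x: p / z for x, p in dist.items()}

def tradeoff_bn(p_over, p_late, p_covers):
    """Per-candidate network: budget, schedule and requirement-coverage roots
    with candidate-specific priors, and a fitness node penalising each
    shortfall (floored at 0.05). Penalty weights are constructed, not the paper's."""
    fitness = {}
    for b, s, c in product(("fits", "over"), ("fits", "late"), ("high", "low")):
        good = 0.95 - 0.3 * (b == "over") - 0.25 * (s == "late") - 0.5 * (c == "low")
        fitness[(b, s, c)] = {"good": max(good, 0.05), "poor": 1 - max(good, 0.05)}
    return {
        "budget":   ((), ("fits", "over"), {(): {"fits": 1 - p_over, "over": p_over}}),
        "schedule": ((), ("fits", "late"), {(): {"fits": 1 - p_late, "late": p_late}}),
        "coverage": ((), ("high", "low"), {(): {"high": p_covers, "low": 1 - p_covers}}),
        "fitness":  (("budget", "schedule", "coverage"), ("good", "poor"), fitness),
    }

# (name, mechanism, P(over budget), P(late), P(covers requirements)); constructed
CANDIDATES = [
    ("password as-is",        "password",  0.1, 0.1, 0.5),
    ("challenge, in-house",   "challenge", 0.4, 0.5, 0.9),
    ("challenge, vendor lib", "challenge", 0.6, 0.2, 0.9),
]

def rank_candidates(evidence, candidates=CANDIDATES, scope=3):
    """Step 1 drops every design with a counterexample inside the scope; step 2
    ranks the survivors by P(fitness = good | evidence), best first."""
    ranked = []
    for name, mech, p_over, p_late, p_covers in candidates:
        if find_attack(mech, scope) is None:
            post = enumerate_ask("fitness", evidence, tradeoff_bn(p_over, p_late, p_covers))
            ranked.append((round(post["good"], 4), name))
    return sorted(ranked, reverse=True)
```

`find_attack("password")` returns the two-step counterexample `["alice_logs_in", "attacker_replays"]`, while the challenge-response design has no breaching trace in scope, so only its two implementations reach the trade-off step. `rank_candidates({})` prefers the vendor library; `rank_candidates({"schedule": "late"})` flips the order, which is the point of putting the non-security factors into a BBN rather than a fixed score: the preferred solution changes as evidence about the project arrives. As with Alloy, a clean result only covers traces within the scope, so the scope should be chosen from the longest attack the threat analysis identified.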

Index Terms:
Aspect-oriented modeling (AOM), Bayesian belief network (BBN), security analysis, trade-off analysis.
Geri Georg, Kyriakos Anastasakis, Behzad Bordbar, Siv Hilde Houmb, Indrakshi Ray, Manachai Toahchoodee, "Verification and Trade-Off Analysis of Security Properties in UML System Models," IEEE Transactions on Software Engineering, vol. 36, no. 3, pp. 338-356, May-June 2010, doi:10.1109/TSE.2010.36