Designing Secure Software using UML-1

1
Designing Secure Software using UML-1

• Papers of Eduardo Fernández-Medina et al.
• includes
• Object Security Constraint Language
• and
• Secure Multi-level Databases

2
Table of Contents

• Group Working on this topic
• Eduardo Fernández-Medina, Alfonso Martínez,
  Carlos Medina, and Mario Piattini from University
  of Castilla-La Mancha, Ciudad Real. (SPAIN).
  http//www.inf-cr.uclm.es
• Papers Used for this lecture
• Specification of Security Constraints in UML
• 35th Carnahan Conference on Security Technology
• INTEGRATING MULTILEVEL SECURITY IN THE DATABASES
  DESIGN PROCESS
• Integrated Design and Process Technology,
  IDPT-2002

3
Object Security Constraint Language- OSCL -

• Design for security must occupy the entire life
  cycle.
• Secure systems have explicit constraints. OSCL is
  claimed to have the necessary syntax to specify
  them.
• Has more depth in the meta-modeling side, but
  coverage of security is limited to
  multi-databases.
• Claim that previous solutions in database
  security have been partial, isolated and
  disconnected but theirs is a methodological
  approach.

4
Objectives and Aims of OSCL

• To be able to represent multi-level systems using
  constraints.
• Requirements
• To be able to define security levels for
• Classes, attributes, operations and associations.
• Provide tools to specify some properties related
  to levels

5
Carrying out OSCL Objectives

• Security levels
• Top Secret, Secret, Confidential, Unclassified
• Every class has a security level or a range of
  levels.
• Instances of classes will inherit security
  levels, unless there are constraints indicating
  otherwise

6
Classes and OSCL Objectives

• In any case, the level of an object cannot be
  lower than that of a class.
• Same with
• attributes and values
• Associations and links

7
OSCL Objectives and the Metamodel-1

• Will access the metamodel via OclType
• Need to modify the following
• Type.associationEnds Set(OclType) instead of
  Set(String)
• Notice, now we interpret strings that have
  levels.
• Need to access all classes of a model
• Introduce the class Model
• Specify constraint on Model to be able to specify
  security levels

8
Model Element
9
OSCL Objectives and the Metamodel-2

• Specifying constraints on model
• Model.levelsSequence(Strings)
• Why strings and NOT OclType?
• Want to enforce security level is an intrinsic
  element of a class (same status as attribute or
  method)
• In order to do so, need to broaden the class
  OclType

10
OSCL Objectives and the Metamodel-3

• Broadening OclType
• type.levels Sequence (String)
• Post Model.levels-gt subsequences
  (type.levelsgtfirst, type.levels-last) result
• type.levelsString
• Post type.levels-gtfirstresult
• We specify that security levels specified are
  correct

11
OSCL Objectives and the Metamodel-4

• Need similar operations to specify the levels of
  attributes, operations and associations.
• For example
• type.(arrtibute,operation,asociationEnd).levels
  Sequence (String)
• Post Model.levels-gt subsequences
  (type.levelsgtfirst, type.levels-last) result
• type. .(arrtibute,operation,asociationEnd).levels
  String
• Post type.levels-gtfirstresult

12
OSCL and Inheritance

• When a class is created
• It directly inherits the security level of the
  class,
• unless there is a constraint raising the level
• Example
• Self.level if salary lt 1,500 then Unclassified
• else if salary lt 4,000 then confidential
• else secret

13
OSCL and Levels of Instances

• All objects objects in a class has a level that
  is within the level specified in the class
• OSCL Statement
• Class
• Self.OclType.levels-gt exists(self.level)
• Model
• Self..class-gtforAll(COclType
• C.allInstances-gtcount(OClass
• C.levels-gtnotexists(O.level0)

14
OSCL and Levels of Associations

• Association shave a level that is at least as the
  objects that they relate to
• OSCL Statement
• Model
• Self..class-gtforAll(COclType
• C.associationEnds-gtForAll
• (C2OclType C1.C2.level .gtC1.level
• and C1.C2.level gt C2.level)

15
Generalization

• Security level of the subclass must not be less
  than the security level of the super class.
• Model
• Self.class-gt forAll(C1OclType
• C1.SuperTypesgtforAll(C2.OclTypes
• C1.levelgtc2.level)

16
(No Transcript)
17
Example Using a Hospital Database

• Four levels (U, C, S, TS)
• Classes Person, Patient, Illness also have same
  range of classifications.
• Doctors, Administrators and Nurses have levels
  (C..S)
• Appointments, MedicalAction has levels (U..S)

18
Constraints in the Example

• Worker
• Self.level (if self.salary lt 3000 then C else
  S)
• Patient
• Self.level (if self.illness AIDS or
  Self.illness Cancer then S else U)

19
Extension to Use Case Models

• Use case stereo-typed by ltltsafe UCgtgt and actor
  stereotyped by ltltaccredited-actorgtgt

20
Accreditation of Actors

• Actors belong to Security levels ?
• (my understanding)
• Do safe use cases have levels ?
• If so, what is the connection between an
  accredited actors level and the levels of the
  safe use cases?
• Use cases are supported by sequence diagrams. How
  do we extend the levels?
• How about state charts of classes that have
  levels?
• Poly Instantiation ?
• Statistical databases.

21
(No Transcript)
22
Case Tool for OSCL