Abstract
New security threats arise frequently and affect enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new, unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - that enables security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capture system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merging of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) is used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it to secure an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R to a set of open source applications.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Almorsy, M., Grundy, J., Ibrahim, A.S. (2012). MDSE@R: Model-Driven Security Engineering at Runtime. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_22
DOI: https://doi.org/10.1007/978-3-642-35362-8_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35361-1
Online ISBN: 978-3-642-35362-8
eBook Packages: Computer Science, Computer Science (R0)