MDSE@R: Model-Driven Security Engineering at Runtime

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7672)

Abstract

New security threats arise frequently and impact enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new, unanticipated security requirements that arise at runtime. We describe a new approach, Model-Driven Security Engineering at Runtime (MDSE@R), that enables security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capture system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) is used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R to a set of open source applications.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Almorsy, M., Grundy, J., Ibrahim, A.S. (2012). MDSE@R: Model-Driven Security Engineering at Runtime. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_22

  • DOI: https://doi.org/10.1007/978-3-642-35362-8_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35361-1

  • Online ISBN: 978-3-642-35362-8

  • eBook Packages: Computer Science, Computer Science (R0)
