Publication


Featured research published by Marian Borek.


annual software engineering workshop | 2012

Model-Driven Development of Secure Service Applications

Marian Borek; Nina Moebius; Kurt Stenzel; Wolfgang Reif

The development of a secure service application is a difficult task and designed protocols are very error-prone. To develop a secure SOA application, application-independent protocols (e.g. TLS or Web service security protocols) are used. These protocols guarantee standard security properties like integrity or confidentiality but the critical properties are application-specific (e.g. “a ticket cannot be used twice”). For that, security has to be integrated in the whole development process and application-specific security properties have to be guaranteed. This paper illustrates the modeling of a security-critical service application with UML. The modeling is part of an integrated software engineering approach that encompasses model-driven development. Using the approach, an application based on service-oriented architectures (SOA) is modeled with UML. From this model executable code as well as a formal specification to prove the security of the application is generated automatically. Our approach, called SecureMDD, supports the development of security-critical applications and integrates formal methods to guarantee the security of the system. The modeling guidelines are demonstrated with an online banking example.


international conference on software engineering | 2013

Model Checking of Security-Critical Applications in a Model-Driven Approach

Marian Borek; Nina Moebius; Kurt Stenzel; Wolfgang Reif

This paper illustrates the integration of model checking in SecureMDD, a model-driven approach for the development of security-critical applications. In addition to a formal model for interactive verification as well as executable code, a formal system specification for model checking is generated automatically from a UML model. Model checking is used to find attacks automatically and interactive verification is used by an expert to guarantee security properties. We use AVANTSSAR for model checking and KIV for interactive verification. The integration of AVANTSSAR in SecureMDD and the advantages and disadvantages over interactive verification with KIV are demonstrated with a smart card based electronic ticketing example.


Proceedings of the Workshop on Model-Driven Security | 2012

Incremental development of large, secure smart card applications

Nina Moebius; Kurt Stenzel; Marian Borek; Wolfgang Reif

SecureMDD is a model-driven approach to develop security-critical applications. The focus lies on the development of smart card and service applications. Those are inherently security-critical and are based on cryptographic protocols. These protocols are difficult to design and error-prone. To guarantee the security of an application, formal verification is an inherent part of our software engineering approach. In this paper we illustrate that the SecureMDD approach is applicable for the development of large and complex applications as well. To handle the size and complexity, an incremental development method is suggested. This is illustrated with the German electronic health card application as case study.


2013 3rd International Workshop on Model-Driven Requirements Engineering (MoDRE) | 2013

Security requirements formalized with OCL in a model-driven approach

Marian Borek; Nina Moebius; Kurt Stenzel; Wolfgang Reif

Security requirements are properties that have to be guaranteed for an application. Such guarantees can be given using verification. But there is a huge gap between security requirements expressed with human language and formal security properties that can be verified. This paper presents the use of OCL to formalize security requirements in a model-driven approach for security-critical applications. SecureMDD is such a model-driven approach. It uses UML to model the application and OCL to specify the security requirements. From the application model and the contained OCL constraints, a formal specification of the application including the security properties is generated automatically. This specification is used to verify application-specific security properties that match a lot of security requirements much better than application-independent security properties like secrecy, integrity and confidentiality. We demonstrate how to concretize security requirements as well as the use of OCL constraints to specify security requirements, the transformation from OCL constraints into algebraic specifications and the use of those specifications to verify the security requirements using an electronic ticketing system as a case study.


new technologies, mobility and security | 2012

Model-Driven Testing of Security Protocols with SecureMDD

Kuzman Katkalov; Nina Moebius; Kurt Stenzel; Marian Borek; Wolfgang Reif

Designing and executing test cases for security protocols is a tedious and technically complicated process. The SecureMDD approach allows intuitive, model-driven development of security-critical applications based on cryptographic protocols. With this paper we introduce a method which combines the model-driven approach used in SecureMDD with the design of functional and security tests. We construct and evaluate new modeling guidelines that allow the modeler to easily define such test cases during the modeling stage. We also implement model transformation routines to generate runnable tests for applications developed with SecureMDD.


Computer Networks | 2014

Modeling test cases for security protocols with SecureMDD

Kuzman Katkalov; Nina Moebius; Kurt Stenzel; Marian Borek; Wolfgang Reif

Designing and executing test cases for security-critical protocols is a technically complicated and tedious process. SecureMDD is a model-driven approach that enables development of security-critical applications based on cryptographic protocols. In this paper we introduce a method which combines the model-driven approach used in SecureMDD with the design of functional and security tests. We construct and evaluate new modeling guidelines that allow the modeler to easily define such test cases during the modeling stage. We also implement model transformation routines to generate runnable tests for actual implementation of applications developed with SecureMDD.


Correct Software in Web Applications and Web Services | 2015

Integrating a Model-Driven Approach and Formal Verification for the Development of Secure Service Applications

Marian Borek; Kuzman Katkalov; Nina Moebius; Wolfgang Reif; Gerhard Schellhorn; Kurt Stenzel

We present SecureMDD, a development method for secure service applications that integrates a model-driven approach with formal specification techniques using abstract state machines (ASMs), refinement to code and verification with the interactive theorem prover KIV. A larger case study is used to highlight various aspects of the method with a focus on services and their formal verification.


international conference on information systems security | 2016

Declassification of Information with Complex Filter Functions

Kurt Stenzel; Kuzman Katkalov; Marian Borek; Wolfgang Reif

Many applications that handle private or confidential data release part of this data in a controlled manner through filter functions. However, it can be difficult to reason formally about exactly what or how much information is declassified. Often, anonymity is measured by reasoning about the equivalence classes of all inputs to the filter that map to the same output. An observer or attacker that sees the output of the filter then only knows that the secret input belongs to one of these classes, but not the exact input. We propose a technique suitable for complex filter functions together with a proof method, that additionally can provide meaningful guarantees. We illustrate the technique with a DistanceTracker app in a leaky and a non-leaky version.


new technologies, mobility and security | 2015

Modeling information flow properties with UML

Kuzman Katkalov; Kurt Stenzel; Marian Borek; Wolfgang Reif

Providing guarantees regarding the privacy of sensitive information in a distributed system consisting of mobile apps and services is a challenging task. Our IFlow approach allows the model-driven development of such systems, as well as the automatic generation of code and a formal model. In this paper, we introduce modeling guidelines for the design of intuitive, flexible and expressive information flow properties with UML. Further, we show how these properties can be guaranteed using a combination of automatic language-based information flow control and model-based interactive verification.


international conference on software engineering | 2015

Abstracting security-critical applications for model checking in a model-driven approach

Marian Borek; Kurt Stenzel; Kuzman Katkalov; Wolfgang Reif

Model checking at the design level makes it possible to find protocol flaws in security-critical applications automatically. But depending on the size of the application and especially on the abstraction of the application model, model checking may need a lot of resources, primarily time. To reduce the complexity, the application models are usually highly abstracted. But in a model-driven approach with automatic generation of runnable applications the application models need to be detailed and are often too complex to check in reasonable time. In this paper we describe an approach to handle this problem by using additional UML models to restrict the protocol runs, the attacker abilities and the numbers of participants. This makes model checking of large applications in our model-driven approach called SecureMDD possible without manual abstraction of the generated specifications. For model checking we use AVANTSSAR and show how the restrictions modeled within UML are translated. We demonstrate our approach with a smart card based electronic ticketing example.
