
Publication


Featured research published by Thuong Doan.


Formal Methods in Security Engineering | 2004

MAC and UML for secure software design

Thuong Doan; Steven A. Demurjian; T. C. Ting; Andreas Ketterl

Security must be a first class citizen in the design of large scale, interacting, software applications, at early and all stages of the lifecycle, for accurate and precise policy definition, authorization, authentication, enforcement, and assurance. One of the dominant players in software design is the unified modeling language, UML, a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives for different stakeholders, e.g.: use case diagrams for the interaction of users with system components, class diagrams for the static classes and relationships among them, and sequence diagrams for the dynamic behavior of instances of the class diagram. However, UML's support for the definition of security requirements for these diagrams and their constituent elements (e.g., actors, systems, use cases, classes, instances, include/extend/generalize relationships, methods, data, etc.) is lacking. In this paper, we address this issue by incorporating mandatory access control (MAC) into use case, class, and sequence diagrams, providing support for the definition of clearances and classifications for relevant UML elements. In addition, we provide a framework for security assurance as users are defining and evolving use case, class, and sequence diagrams, bridging the gap between software engineers and an organization's security personnel in support of secure software design. To demonstrate the feasibility and utility of our work on secure software design, our MAC enhancements for UML have been integrated into Borland's Together Control Center Environment.


Archive | 2004

RBAC/MAC Security for UML

Thuong Doan; Steven A. Demurjian; T. C. Ting; Charles E. Phillips

In software construction, analysis investigates system requirements and design captures system functionality. To facilitate analysis and design, one popular technique is the unified modeling language, UML. In UML, there are use-case diagrams for the interaction of users with system components, class diagrams for the static classes and relations among them, and sequence diagrams for the dynamic behavior of objects. However, analyzing and designing security requirements in UML is not directly supported. In this chapter, we incorporate role-based access control (RBAC) and mandatory access control (MAC) into UML use-case and class diagrams. In addition, we provide analysis across the UML diagrams, as actors, use cases and classes are defined, to support a degree of security assurance (with mutual exclusion), thereby realizing secure software design in UML. We briefly report on our RBAC/MAC enhancements into Borland’s UML tool Together Control Center.

In software construction, analysis investigates the boundary of a system (scope and requirements), its usage and access, and from a security perspective, who needs access to what when. Given sufficient analysis, a logical initial solution can be designed to capture system functionality including security capabilities. To facilitate the iterative process of analysis and design, one popular technique is the unified modeling language, UML, a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives on the design, including: use-case diagrams for the interaction of users with system components, class diagrams for the static classes and relationships among them, and sequence diagrams for the dynamic behavior of objects. However, the ability to analyze and design security requirements in UML is not directly supported.
In this paper, we propose an approach that incorporates role-based access control (RBAC) and mandatory access control (MAC) into UML use-case and class diagrams, providing support for the design of roles (associated with use-case actors), and clearances and classifications for relevant UML elements. In addition, we provide analysis across the UML diagrams, as actors, use cases and classes are defined, to support a degree of security assurance (with mutual exclusion), and to upgrade the usage of UML for secure RBAC/MAC software design. To demonstrate the feasibility and utility of our work, we briefly report on the progress of our RBAC/MAC enhancements into the Borland’s UML tool Together Control Center.


Lecture Notes in Computer Science | 2005

Role slices: a notation for RBAC permission assignment and enforcement

Jaime A. Pavlich-Mariscal; Thuong Doan; Laurent Michel; Steven A. Demurjian; T. C. Ting

During the past decade, there has been an explosion in the complexity of software applications, with an increasing emphasis on software design via model-driven architectures, patterns, and models such as the unified modeling language (UML). Despite this, the integration of security concerns throughout the product life cycle has lagged, resulting in software infrastructures that are untrustworthy in terms of their ability to authenticate users and to limit them to their authorized application privileges. To address this issue, we present an approach to integrate role-based access control (RBAC) into UML at design-time for permission assignment and enforcement. Specifically, we introduce a new UML artifact, the role slice, supported via a new UML role-slice diagram, to capture RBAC privileges at design time within UML. Once captured, we demonstrate the utilization of aspect-oriented programming (AOP) techniques for the automatic generation of security enforcement code. Overall, we believe that our approach is an important step to upgrading security to be an indispensable part of the software process.


International Journal of Secure Software Engineering | 2010

Integrating Access Control into UML for Secure Software Modeling and Analysis

Thuong Doan; Steven A. Demurjian; Laurent Michel; Solomon Berhe

Access control models are often an orthogonal activity when designing, implementing, and deploying software applications. Role-based access control (RBAC) which targets privileges based on responsibilities within an application and mandatory access control (MAC) that emphasizes the protection of information via security tags are two dominant approaches in this regard. The integration of access control into software modeling and analysis is often loose and significantly lacking, particularly when security is such a high-priority concern in applications. This article presents an approach to integrate RBAC and MAC into use-case, class, and sequence diagrams of the unified modeling language (UML), providing a cohesive approach to secure software modeling that elevates security to a first-class citizen in the process. To insure that a UML design with security does not violate RBAC or MAC requirements, design-time analysis checks security constraints whenever a new UML element is added or an existing UML element is modified, while post-design analysis checks security constraints across the entire design for conflicts and inconsistencies. These access control extensions and security analyses have been prototyped within a UML tool.


Teaching Exceptional Children | 2003

Giving Students with Disabilities a Voice in the Selection of Arithmetical Content

John F. Cawley; Teresa E. Foley; Thuong Doan

educational technology? Where are the huge gains that people hoped for, particularly for students with disabilities? What are the most effective ways to encourage students to learn math concepts and skills, using technology? What other benefits can accrue from technology—particularly when combined with other techniques like cooperative learning and self-regulated learning? The program we describe here capitalizes on the achievements gained by students in many combined approaches to math-technology instruction. Further, it allows students to use their present level of functioning to select the content they use to create, manage, and evaluate their own performance. The evaluation piece focuses on students’ creativity and production by using procedures such as counting the number of files students create, the number of different students who use each file, and the expanding diversity of the components of the file, such as novel and individualized types of arithmetic problems. Many researchers and educators have explored the use of technology in math instruction (see box, “What Does the Literature Say?”). What is noticeable in much of this work is that the content is prepared by teachers and other professionals; and the students respond to the material that is presented to them. What is missing is a way for students to select their own content and then monitor and evaluate their own performance or that of others. This article describes one approach that provides active, self-regulatory learning experiences for students. The approach is similar to what many teachers use in writing instruction, where students create stories and then work with their teacher to enhance and improve their respective stories. The Story of My Math


IEEE Aerospace Conference | 2006

Applying LSI and data reduction to XML for counter terrorism

Steven A. Demurjian; Sanguthevar Rajasekaran; Reda A. Ammar; Ian R. Greenshields; Thuong Doan; L. He

Data reduction is a critical problem for counter-terrorism; large collections of documents must be analyzed and processed, raising issues related to performance, lossless reduction, polysemy (the meaning of individual words being influenced by their surrounding words), and synonymy (the possibility of the same term being described in different ways). In this paper, we begin by presenting a survey of latent semantic indexing (LSI) techniques and strategies. Next, we highlight a subset of LSI software packages that are available (commercially and academically). Then, we explore approaches that apply LSI to eXtensible Markup Language (XML) data. Using this as a basis, the paper proposes an approach that applies LSI and data reduction to XML documents by transitioning from support vector machines (SVM) to random projections to LSI, and also postulates on the exploitation of semantics of Web-based documents that are captured via XML tags.


Archive | 2005

Concepts and Capabilities of Middleware Security

Steven A. Demurjian; Keith Bessette; Thuong Doan; Charles Phillips


Archive | 2004

UML Design with Security Integration as First Class Citizen

Thuong Doan; Steven A. Demurjian; Reda A. Ammar; T. C. Ting


International Workshop on Security | 2018

Stateful Design for Secure Information Systems

Thuong Doan; Laurent Michel; Steven A. Demurjian; T. C. Ting


Archive | 2005

A Service-Based Approach for RBAC and MAC Security

Charles E. Phillips; Steven A. Demurjian; Thuong Doan; Keith Bessette

Collaboration


Dive into Thuong Doan's collaboration.

Top Co-Authors

T. C. Ting

University of Connecticut

Laurent Michel

University of Connecticut

Reda A. Ammar

University of Connecticut

Keith Bessette

University of Connecticut
