AUTOMATED THREAT IDENTIFICATION FOR UML

George Yee, Xingli Xie, Shikharesh Majumdar

2010

Abstract

In tandem with the growing important roles of software in modern society is the increasing number of threats to software. Building software systems that are resistant to these threats is one of the greatest challenges in information technology. Threat identification methods for secure software development can be found in the literature. However, none of these methods has involved automatic threat identification based on analyzing UML models. Such an automated approach should offer benefits in terms of speed and accuracy when compared to manual methods, and at the same time be widely applicable due to the ubiquity of UML. This paper addresses this shortcoming by proposing an automated threat identification method based on parsing UML diagrams.

References

  1. Chimiak-Opoka, J., Felderer, M., Lenz, C., & Lange, C. (2008). Querying UML Models using OCL and Prolog: A Performance Study. 2008 IEEE International Conference on Software Testing Verification and Validation Workshop (ICSTW'08), Lillehammer Norway, pp. 81-88, April.
  2. Glinz, M. (2000). Problems and Deficiencies of UML as a Requirements Specification Language. In Proceedings of the 10th International Workshop on Software Specification and Design (IWSSD-00), San Diego, USA, pp. 11-22, November.
  3. Howard, M. & LeBlanc, D. (2003). Writing Secure Code. Microsoft Press, 2nd edition.
  4. Howard, M. & Lipner, S. (2006). The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press.
  5. Ingalsbe, J.A., Kunimatsu, L., Baeten, T., & Mead, N.R. (2008). Threat Modeling: Diving into the Deep End. IEEE Computer Software, Volume 25, Issue 1, pp. 28- 34, January-February.
  6. Microsoft (n.d.-A). Microsoft's Threat Modeling Tool. Available as of July 31, 2009 at: http://www.microsoft.com/downloads/details.aspx?Fa milyID=62830f95-0e61-4f87-88a6-e7c663444ac1& displaylang=en.
  7. Microsoft (n.d.-B). Microsoft Threat Analysis and Modeling v2.1.2. Available as of July 31, 2009 at: http://www.microsoft.com/downloads/details.aspx?Fa milyId=59888078-9DAF-4E96-B7D1- 944703479451&displaylang=en
  8. No Magic (n.d.). MagicDraw UML 16.0. Available as of July 31, 2009 at: http://www.nomagic.com/
  9. Object Management Group (n.d.-A). UML. Available as of July 31, 2009 at: http://www.omg.org/
  10. Object Management Group (n.d.-B). XMI. Available as of July 31, 2009 at: http://www.omg.org/technology/xml/index.htm.
  11. Pap, Z., Majzik, I., & Pataricza, A. (2001). Checking General Safety Criteria on UML Statecharts. In Lecture Notes in Computer Science, Vol. 2187, pp. 46- 55, Springer-Verlag.
  12. PTA Technologies (n.d.). Practical Threat Analysis. Available as of July 31, 2009 at: http://www.ptatechnologies.com/
  13. Saitta, P., Larcom, B., & Eddington, M. (2005). Trike v.1 Methodology Document [Draft], July 13. Available as of July 31, 2009 at: http://www.octotrike.org/papers/Trike_v1_Methodolo gy_Document-draft.pdf.
  14. Salter, C., Saydjari, O.S., Schneier, B., Wallner, J. (1998). Toward a Secure System Engineering Methodology. In Proceedings of New Security Paradigms Workshop, Charlottsville, VA, USA, pp. 2-10, September.
  15. Swiderski, F. & Snyder, W. (2004). Threat modeling. Microsoft Press.
  16. SWI-Prolog (n.d.). SWI-Prolog. Available as of July 31, 2009 at: http://www.swi-prolog.org/
  17. Wang, L., Wong, E., & Xu, D. (2007). A Threat Model Driven Approach for Security Testing. In Proceedings of the third IEEE Computer Society International Workshop on Software Engineering for Secure Systems (SESS), Minneapolis, MN, USA, pp. 10-16, May.
  18. Yee, G. (2006). Recent research in secure software. NRC Institute for Information Technology, National Research Council Canada, NRCC# 48478, NPArC# 8914119, March. Available as of July 29, 2009 at: http://nparc.cisti-icist.nrccnrc.gc.ca/npsi/ctrl?action=shwart&index=an&req=89 14119&lang=en
  19. Yee, G. (2007). Visual Analysis of Privacy Risks in Web Services. In Proceedings of the IEEE International Conference on Web Service 2007 (ICWS 2007), Salt Lake City, UT, USA, pp. 671-678, July.
Download


Paper Citation


in Harvard Style

Yee G., Xie X. and Majumdar S. (2010). AUTOMATED THREAT IDENTIFICATION FOR UML . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 521-527. DOI: 10.5220/0002996005210527


in Bibtex Style

@conference{secrypt10,
author={George Yee and Xingli Xie and Shikharesh Majumdar},
title={AUTOMATED THREAT IDENTIFICATION FOR UML},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={521-527},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002996005210527},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - AUTOMATED THREAT IDENTIFICATION FOR UML
SN - 978-989-8425-18-8
AU - Yee G.
AU - Xie X.
AU - Majumdar S.
PY - 2010
SP - 521
EP - 527
DO - 10.5220/0002996005210527