Secure UML Information Flow using FlowUML

Khaled Alghathbar

, Duminda Wijesekera

, and Csilla Farkas

2†

Dept. of Information and Software Engineering and CSIS,

George Mason University, MS 4A4, Fairfax, VA 22030

Information Security

Laboratory, Dept. of Computer Science and Engineering,

University of South Carolina, Columbia, SC 29208

Abstract. FlowUML is a logic-based system to validate information flow poli-

cies at the requirements specification phase of UML based designs. It uses

Horn clauses to specify information flow polices that can be checked against

flow information extracted from UML sequence diagrams. FlowUML policies

can be written at a coarse grain level of caller-callee relationships or at a finer

level involving passed attributes.

1 Introduction

As security becomes an important aspect of large software systems, it needs to be

addressed through out the software development life cycle. Considered a non-

functional requirement, security requirements have not been considered during the

early phases of system development; thus resulting in vulnerable software [7]. In

[13,14] Nuseibeh and Easterbrook present the need to formally analyze and validate

security requirements during earlier phases to detect and remove design vulnerabili-

ties Recent work has addressed information flow control security [3,1,12,16]. Infor-

mation flow requirements need to be developed and evaluated during the require-

ments and design stages of the software life cycle, as validating information flow

requirements at an early stage prevents costly fixes mandated during latter stages of

the development life cycle. In this paper we propose a logic-based system

(FlowUML) to validate information flow policies at the requirements specification

phase of UML-based designs [17]. FlowUML uses locally stratified Horn clauses to

enforce user specifiable information flow policies via three processes: 1) Extract

information flows predicates from UML sequence diagram, 2) Derive all inherited

and indirect flows, and 3) Check for compliances with specified policies - specified at

two levels of granularity. At the coarse level, a flow is represented as a directed arc

between components, going from its source to its sink. At the fine level, the flow is

defined based on the semantics of methods, attributes passed between the compo-

nents, and the roles played by the components.

†

Farkas’ work was partially supported by the National Science Foundation under grant number

IIS-0237782.

Alghathbar K., Wijesekera D. and Farkasâ

a C. (2005).

Secure UML Information Flow using FlowUML.

In Proceedings of the 3rd International Workshop on Security in Information Systems, pages 229-238

DOI: 10.5220/0002569802290238

 SciTePress

FlowUML does not assume the existence of a particular meta-policy and can sup-

port a variety of policies. FlowUML advances over existing secure information flow

models by applying a formal framework to the early phases of the software develop-

ment life cycle. Towards that end, Section 2 shows information flow specifications

embedded in UML sequence diagrams. Section 3 provides a running example. Sec-

tion 4 describes our notations and assumptions. Section 5 explains the FlowUML

process. Section 6 has the syntax and semantics of FlowUML. Section 7 shows the

expressibility of FlowUML by means of the running example. Section 8 describes

related work and Section 9 concludes the paper.

2 Flow Specification in UML

The UML is the de-facto design language for large software projects. The UML uses

multiple diagrams (views) to represent requirements and designs. Use Cases support

the specification of usage scenarios between the system and its intended users [17].

Interaction diagrams specify how objects in the use case interact with each other.

Sequence diagrams are specific interaction diagrams that show such interactions as a

sequence of messages exchanged between objects over time. The sequence diagrams

shown in Fig. 1 consists of four objects and two actors, where Actor A initiates the

first flow as a request to read information from Obj3 which then returns the requested

information. Secondly, Actor A writes information to Obj4 and the control object.

The flow to the control object triggers additional flows. FlowUML extracts flows

from the sequence diagrams.

ActorA

Obj3

Obj4

control

Obj5

read

write

call another control

read

write

ActorB

write

ActorA

Obj1

Obj2

Read()

write(att1)

Return(att1)

Fig. 1. A sample sequence diagram Fig. 2. The sequence diagram for use

case1

3 Running Example

Our example consists of two use cases. Use case 1 has a simple scenario shown in

Fig.

2, and use case 2 has a more complex scenario shown in Fig. 3. The actor in use

case 1 reads information from object Obj1 returned as an attribute att1 and then

writes it to Obj2. The actor in use case 2 transfers information between two objects

and then calls another object leading to additional information flow.

During the analysis stage of the software development, selected interactions are

specified between objects. These interactions are further refined by specifying the

230

message’s attributes or parameters passed between objects. Therefore, the expres-

siveness and detail in a sequence diagram depends on the analysis stage. For example,

the sequence diagram of use case 2 can be categorized into two views: coarse grain

view shown in Fig. 1 and the fine grain view shown in Fig. 3.

Flow and access control requirements are expressed over the actors and objects of

the sequence diagram. For example, we may specify that information is permitted to

flow from Obj 3 to Obj. 4 but not vice verse. Similarly, we may permit of deny Actor

A to read Obj. 3.

ActorA

Obj3

Obj4

control

Obj5

read(att1)

write(att2)

call(att3)

read(att3')

write(att4)

Return(att2,att3)

Return(att4)

ActorB

write(att6)

write(att5)

Fig. 3. Detailed sequence diagram for use case 2

4 Notations and Assumptions

Objects in sequence diagrams belong to three categories: actors, entities, or control

objects. Actors initiate flows and send/receive information to/from the system as

externals. Every use case has at least one actor. Entity objects are persistent and store

information. Control objects provide coordination and application logic. Generally,

actors and entity objects can be sources or sinks of information flows and control

objects do not store information. However, they may create new information without

storing them. This is a basic axiom of FlowUML.

Axiom 1: Sources and sinks of Information flows are actors and entities.

Information flows in sequence diagrams arise due to attributes passed in method

calls such as read and write. For example, the method read(att1) exchanges informa-

tion between Obj3 and Actor A. FlowUML uses any message as a flow of informa-

tion regardless of its name.

Axiom 2: Any information-carrying message is considered an information flow.

Sequence diagram builds complex messages from simple ones using three kinds of

constructs: creation messages used to create new objects, iteration messages used to

send data multiple times, and conditional messages used to control messages based

satisfying certain conditions. We consider a creation message as an information flow

if the caller passes creation parameters to the callee. We consider an iterated message

as a single information flow. We consider a conditional message to be an information

flow regardless of the truth-value of the condition. We consider a simple message as a

flow if it passes information.

231

4.1 Attribute Dependencies across Objects

We make the following observations about the attributes:

1. Information flowing into an object may flow out unaltered, called exact attribute

flow in FlowUML.

2. Some attributes flowing out of an object may be different in name but always

have the same value as an attribute that flow into the same object. FlowUML re-

quires this information to be in the similar attribute table.

3. Some attributes flowing out of an object may depend upon others that flow into

the same object. FlowUML requires this information to be in the derived attrib-

ute table.

We formalize these observations in the following definitions and axioms.

Definition 1: An exact attribute is one that flows through an object but does not

change its value. An attribute that flows out of an object depends upon a set of attrib-

utes flowing into the same object. We say that the output attribute is derived from the

input attributes.

Axiom 3: Attribute names are unique over a system.

Axiom 4: Pairs of exact attribute s are entered into the exact attribute table and

dependent attributed have an entry in the dependent attribute table.

At the requirements specification stage flow analysis depends on 1) the types of com-

ponents (i.e., actor, entity or control object), 2) the sequence of objects in a flow, and

3) whether the flow is within a use case or between many use cases. For example,

entities or actors may alter information while control objects do not.

5 The Verification Process

FlowUML verify flow policies using five steps using two metadata sources as shown

in Fig. 4. Coarse grain policies require less detail than fine grain policies. Fine grain

policies incorporate attribute values and their dependencies.

232

Additional Metadata for the fine-grain policy

Metadata

propagating

inheritances

transitive

flow policies

Detecti ng

unsafe flow

Unsafe flow is detected

Resolve flows conflicts

Safe Flow

Defining

Flow

structure

Finalizing

Flow

…………...

Fl o w Structure

…………...

Flow Const r aint s

…………...

Similar Attributes

…………...

Derived Attributes

Fig. 4. Steps in FlowUML

Coarse grain policy analysis

In the first step FlowUML extracts flow structure, called the defining flow structure,

from Sequence diagrams and transforms it into basic predicates (see Section 6). The

second step propagates basic predicates using the actor (or role) hierarchy, deriving

implied information flows. The third step derives all transitive flows. The fourth step

complements the third step by filtering results of the third step to those flows that

satisfy properties of interests as specified in the policies. For example, in Fig. 1 the

third step derives a flow from Obj3 to Actor A directly, flow from Obj3 to Obj4

through Actor A, flow from Obj3 to control through Actor A etc. In the fourth step,

predefined policies may only apply to non-transitive flows between only entities and

actors. Thus only flows from Obj3 to Actor A and the one from Actor A to Obj4, but

not the flow from Obj3 to Obj4 may be of relevance. The fifth step detects flows that

violate specified policies. Currently, FlowUML does not attempt to resolve the de-

tected conflicts automatically.

Fine grain policy analysis

Fine grain policies require two kinds of additional information. The first, given in the

similar attribute table, contains name of the attributes that always contain the same

data value. The second, given in the attribute derivation table, lists attribute depend-

encies. This information is useful in controlling the flow of sensitive information. For

example, in Fig. 3, if there is a record in the attribute derivation table stating that att6

is derived from att3 in the control object then FlowUML concludes that there is a

transitive flow from Actor A to Actor B.

6 Syntax and semantics

FlowUML alphabet contains variables or constants over actors (A), objects (Obj), use

cases (UC), attributes (Att), and times (T). Constants are members of the sets A, Obj,

233

UC, Att, and T. Variables are represented as X

, X

obj

, X

att

and X

, respectively.

FlowUML uses the following predicates:

Basic predicates for supporting the specification of flows, called FlowSup.

1. A unary predicate isEntity(X

obj

) meaning X

obj

is an entity.

2. A unary predicate isActor(X

obj

) meaning X

obj

is an actor.

3. A binary predicate specializedActor(X

,X’

)meaning X’

is a specialized actor of

4. A binary predicate precedes(X

, X’

) meaning use cases X

and X’

are exe-

cuted in that order.

5. A binary predicate sameAtt(X

att

, X’

att

) meaning attributes X

att

and X’

att

have the

same value.

6. A binary predicate derAtt(X

att

, X’

att

, X

obj

) meaning that attribute X’

att

is derived

from attribute X

att

in object X

obj

7. A ternary predicate ignoreFlow(X

, X

obj

, X’

obj

) meaning to exclude the flow from

object X

obj

to object X’

obj

8. A 6-ary predicate ignoreFlows(X

, X

obj1

, X’

obj1

, X

obj2

, X’

obj2

) to exclude the

flow from X

obj1

to X’

obj

and the flow from X

obj2

to X’

obj2

from being detected as a

violation of flow control policies. Two similar predicates ignoreFlows

att

obj1

,X’

obj1

obj2

,X’

obj2

) and ignoreFlow

att

, X

att

obj

,X’

obj

) are used in fine

grain policies

Predicates for specifying flow constraints, called ConstSup.

1. A binary predicate dominates(X

obj

,X’

obj

) meaning that the security label of object

X’

obj

dominates or equals the security label of object X

obj

. It is used in multi-level

security policies.

2. A binary predicate ACL(X

obj

,X’

obj

) meaning that object X

obj

is in the access

control list of object X’

obj

. It is used in discretionary access control policies. X

is an operation such as read or write.

3. A binary predicate conflictingActors(X

obj

,X’

obj

) meaning that actors X

obj

and

X’

obj

are in conflict with each other for a specific reason. For example, both ac-

tors can not flow information to the same object or there must not be a flow of

information between them.

4. A binary predicate conflictingEntities(X

obj

,X’

obj

) meaning both entities X

obj

and

X’

obj

are in conflict with each specific reason. For example, each entity belongs

to different competitive company and information must not flow in between.

Predicates for coarse-grain policies

1. A 5-ary predicate Flow(X

obj

,X’

obj

) meaning there is a simple flow initi-

ated by actor X

from object X

obj

to object X’

obj

at time X

in use case X

2. A 5-ary predicate mayFlow(X

obj

,X’

obj

) is the transitive closure of the

previous predicate.

3. mayFlow

interUC

obj

,X’

obj

) is similar to mayFlow but the scope of may-

flow

interUC

is between use cases instead of focusing in one use case.

4. A 4-ary predicate finalFlow(X

obj

,X’

obj

) meaning a finalized flow.

5. finalFlow

interUC

obj

,X’

obj

) is similar to finalFlow but it covers flows be-

tween use cases.

6. A ternary predicate unsafeFlow(X

obj

,X’

obj

) meaning there is an unsafe flow

from X

obj

to X’

obj

initiated by actor X

234

7. A 6-ary predicate unsafeFlows(X

obj1

,X’

obj1

, X

obj2

, X’

obj2

) meaning there

are two unsafe flow. The first, initiated by actor X

flows from X

obj1

to X’

obj1

The second, initiated by actor X

flows from object X

obj2

to object X’

obj2

. They

are unsafe because together they violate a flow constraint.

8. A ternary predicate safeFlow(X

obj

,X’

obj

) meaning that the flow initiated by

actor X

from object X

obj

to object X’

obj

is safe.

Predicates for fine-grain policies

The predicates used to specify fine grain access control policies are similar to the

ones for coarse grain policy, but include X

att

as an attribute flowing between objects.

The predicates are as follows: flow

att

obj

,X’

obj

), mayFlow

att

obj

,X’

obj

), mayFlow

interUC_att

att

obj

,X’

obj

), finalFlow-

att

obj

,X’

obj

), finalFlow

interUC_att

att,

obj

,X’

obj

), unsafeFlow-

att

obj

,X’

obj

), unsafeFlows

att

att1

obj1

,X’

obj1

att2

obj2

,X’

obj2

), safe-

flow

att

, X

att1

obj

,X’

obj

FlowUML uses a set of predicates, as summarized in Tables 1 and 2 A FlowUML

rule is of the form

L ← L , …L

1 n

where L , L , …L

1 n

are literals satisfying the condi-

tions stated in Tables 1 and 2. Rules constructed according to these specifications

form a locally stratified logic program, and therefore has a unique stable model and

that stable model is also a well-founded model [11].

Table 1. FlowUML’s strata for coarse-grain policies

Table 2. FlowUML’s strata for fine-grain policies

Phase Stratum Predicate Rules defining the predicate

FlowSup predicates

ConstSup

predicates

base relations.

Flow(X

, X

obj

, X ’

obj

, X

)

body may contain FlowSup predicates.

mayFlow(X

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0 to 2

mayFlow

inter UC

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0, 1 and 3

finalFlow(X

, X

obj

, X ’

obj

, X

)

finalFlow

inter UC

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0 to 3

Coarse-grain

unsafeFlow(X

, X

obj

, X ’

obj

)

unsafeFlows(X

, X

obj1

, X ’

obj1

, X

obj2

X’

)

body may contain literal from strata 0 to 4

saf eF l ow ( X

, X

obj

, X ’

obj

)

body may contain literal from strata 0 to 5

Phase Stratum Predicate Rules defining the predicate

FlowSup predicates

ConstSup

predicates

base relations.

Flow

at t

, X

obj

, X ’

obj

, X

)

body may contain FlowSup predicates.

mayFlow

att

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0, 1 and 2

mayFlow

inter UC_att

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0, 1 and 3

finalFlow

at t

, X

obj

, X ’

obj

, X

)

finalFlow

inter UC_att

, X

obj

, X ’

obj

, X

)

body may contain literal from strata 0 to 3

Fine-grain

unsafeFlow

at t

, X

att

, X

obj

, X ’

obj

)

unsafeFlows

att

, X

at t 1

obj1

, X ’

obj1

at t2

, X

, X ’

)

body may contain literal from strata 0 to 4

saf eF l ow

att

, X

at t1

obj

, X ’

obj

)

body may contain literal from strata 0 to 5

Table 2. FlowUML’s strata for fine grain policies

Table 1. FlowUML’s strata for coarse grain policies

235

7 Applying FlowUML

This section shows how some sample FlowUML policies and apply them to detect

unsafe flows. Due to space limitation, we only present the basic flow predicates,

propagation policies, and the security verification for discretionary access control.

Basic flow predicates: Examples flow information available in Fig. 2 are given in

rules (1). The rules (2) to (6) are instances of FlowSup predicates of Figs 2 and 3.

Flow

att

(ActorA,att1,Obj1,ActorA,1,uc1)← Flow

att

(ActorA,att1,ActorA,Obj2,2,uc1)←

(1)

isEntity(obj1)← , isActor(actorA)←, precedes(uc1,uc2)←,

(2,3,4)

sameAtt(att3, att3’)←, derAtt(att3, att6, control)←

(5,6)

Propagation policies: The second step applies a policy that propagates flows along

actor hierarchies. In our example, if there is a specialized actor say Actor C of Actor B

then Actor C receives att5 and att6. Policies stating acceptable inheritances can be

stated in example rules such as (7) to (9).

Rule 7 say that every actor that plays a specialized role of an actor that initiates a

flow also initiates an inherited flow. In rules 8 and 9, for every flow from or to an

actor, respectively, rules 8 and 9 add new information flow for every specialized actor

of the actor who sends or receives the information, respectively.

Flow(X’

, X

obj

, X’

obj

, X

) ← Flow(X

, X

obj

, X’

obj

, X

), specializedRole(X

X’

)

(7)

Flow(X

, X’’

obj

, X’

obj

, X

) ← Flow(X

obj

,X’

obj

) ,isActor(X

obj

), special-

izedActor(X

obj

,X’’

obj

)

(8)

Flow(X

, X

obj

, X’’

obj

, X

) ← Flow(X

obj

,X’

obj

) ,isActor(X’

obj

), special-

izedActor(X’

obj

,X’’

obj

)

(9)

Detecting flows unsafe with respect to policies: This section shows FlowUML

specification of known flow control policies, and how to detect information flows

unsafe with respect to them.

Mandatory Access Control (MAC) permits a subjects to read an objects only if the

subject’s security clearance dominates the security classification of the object (2).

Rule 18 specify if information flows from Obj1 to Obj2. If Obj2 does not dominate

or equals the security label of Obj1 then the flow is considered unsafe.

unsafeFlow(X

, X

obj1

, X

obj2

)← finalFlow(X

, X

obj1

, X

obj2,

), ¬dominates(X

obj1

, X

obj2

)

(18)

Discretionary access control (DAC) allows subjects to access objects solely based

on the subject’s identity and the authorization rule. Rule 19 specify unauthorized

information flows from an actor to an object and rule 20 specify unauthorized flows

from an object to an actor.

unsafeFlow

att

, X

att1

, X

obj1

, X

obj2

)← finalFlow(X

, X

att1

, X

obj1

, X

obj2,

), ¬ACL(X

obj1

, X

obj2

, w)

(19)

unsafeFlow

att

, X

att1

, X

obj2

, X

obj1

)← finalFlow(X

, X

att1

, X

obj2

, X

obj1,

), ¬ACL(X

obj1

, X

obj2

, r)

(20)

236

8 Related Work

Secure information flow models have been studied by several researchers. Most of

these develop richer flow control models. For example, Samarati et al. develops a

DAC based model that prevents information leakage by Trojans [16]. Bertino et al.

[3] present a logic based workflow model. Although important, these papers do not

address flow policies for software design life cycle models.

Myers [12] presents JFlow, an extension to Java that adds statically checkable flow

constraints. However, JFlow can be used during the implementation phase while

FlowUML is to be used during the requirements, design and analysis phases of the

software development life cycle. . Lodderstedt et al. [18] present a language to anno-

tate UML-based models representing authorization constraints. Jurjens [19] proposes

to extend UML, allowing to represent security information within UML diagrams.

To the best of our knowledge, none of the existing works address the design and

verification processes supported by FlowUML. However, some published work

shares some of FlowUML’s objectives. In the area of logic-based checking of policy

violations during the requirement engineering, Alghathbar et al. [1] developed

AuthUML, a logic program based framework for that analyzing access control re-

quirements during the requirements engineering phase to ensure consistency, com-

pleteness and conflict-freedom. AuthUML is the access control analog of FlowUML.

FlexFlow of Chen et al. [6] is a logic-based flexible flow control framework to

specify data-flow, workflow and transaction systems. Although FlowUML and Flex-

Flow analyze and prevent unauthorized flows, FlowUML is different from FlexFlow

in many aspects such as FlexFlow is an abstract model while FlowUML is tightly

integrated with UML diagrams.

9 Conclusions

FlowUML is a logic programming based framework to specify and validate informa-

tion flow policies in UML based designs at the early phases of the software develop-

ment life cycle. We demonstrated the expressiveness of FlowUML by validating

existing example policies.

References

1. K. Alghathbar, D. Wijesekera. “authUML: A Three-phased framework to analyze access

control specifications in Use Cases”. In proc. of the Workshop on Formal Methods in Secu-

rity Engineering (FMSE), Washington, DC. October 2003. ACM Press.

2. D. Bell and L. LaPadula. “Secure computer system: United exposition and Multics interpre-

tation”. Technical Report, ESD-TR-75-306, MITRE Corp. MTR-2997. Bedford, MA, 1975.

3. E. Bertino and V. Atluri. “The specification and enforcement of authorization constraints in

workflow management”. ACM transactions on Information Systems Security, February

1999.

4. B. Boehm. Software engineering economics. Englewood Cliffs, NJ: Prentice-Hall. (1981)

237

5. G. Booch, J. Rumbaugh, and I. Jacobson. The Unified Modeling Language User Guide.

Addison-Wesley, Reading, MA, 1999.

6. S.Chen, D. Wijesekera, S. Jajodia. “FlexFlow: A Flexible Flow Control Policy Specifica-

tion Framework”. In proceedings of the 17th Annual IFIP WG 11.3 Working Conference

on Database and Applications Security. Estes Park, Colorado. August 2003.

7. L. Chung, B. Nixon, E. Yu, J. Mylopoulos. Non-Functional Requirements in Software

Engineering. Kluwer Academic Publishers (2000).

8. P. T. Devanbu and S. Stubblebine. “Software engineering for security:A roadmap”. In A.

Finkelstein, editor, The Future of Software Engineering. ACM Press, 2000.

9. D. Gabbay and A. Hunter, “Making Inconsistency Respectable: A Logical Framework for

Inconsistency in Reasoning, Phase1 - A Position Paper”, Proceedings of Fundamentals of

Artificial Intelligence Research '91, 19-32, Springer-Verlag.

10. D. Gabbay and A. Hunter, “Making Inconsistency Respectable: A Logical Framework for

Inconsistency in Reasoning, Phase2”, In Symbolic and Quantitative Approaches to Reason-

ing and Uncertainty, 129-136, LNCS, Springer-Verlag, 1992.

11. M. Gelfond, V. Lifschitz. 1988. “The stable model semantics for logic programming”. In

Proceedings, 5th International Conference and Symposium on Logic Programming. Seat-

tle, Wash. pp. 1070–1080.

12. A. Myers. “JFlow: Practical mostly-static information flow control”. In Proc. 26th ACM

Symp. on Principles of Programming Languages (POPL), pages 228--241, San Antonio,

TX, January 1999.

13. B. Nuseibeh, S. Easterbrook and A. Russo, “Making Respectable in Software Develop-

ment”, Journal of Systems and Software, 56(11), November 2001, Elsevier Science Pub-

lishers

14. B. Nuseibeh and S. Easterbrook. “Requirements engineering: A roadmap”. In A. Finkel-

stein, editor, The Future of Software Engineering. ACM Press, 2000.

15. Rational Rose. http://www.rational.com.

16. P. Samarati, E. Bertino, A. Ciampichetti, and S. Jajodia. “Information flow control in ob-

ject-oriented systems. IEEE Transactions on Knowledge and Data Engineering”, 9(4):524–

538, July-Aug. 1997.

17. The Unified Modeling Language version 1.5. http://www.omg.org/uml/. Accessed in Sep-

tember 2003.

18. T. Lodderstedt, D. Basin, and J. Doser. “SecureUML: A UML-Based Modeling Language

for Model-Driven Security,” in

Proceedings of the 5th International Conference on The

Unified Modeling Language

, pp. 426-441, 2002.

19. J. Jurjens. “UMLsec: Extending UML for Secure Systems Development,” in

Proceedings of

the 5th International Conference on the Unified Modeling Language, pp. 412-425, 2002.

238