Verifiable composition of access control and application features
Proceedings of the tenth ACM symposium on Access control models and technologies
Verifiable Aspect Composition in UML Models
SSIRI '08 Proceedings of the 2008 Second International Conference on Secure System Integration and Reliability Improvement
| Hi-index | 0.01 |
Aspect-oriented modeling (AOM) techniques have been advocated as solutions to support separation of crosscutting features from other application design concerns. In an AOM approach, crosscutting features are described by aspect models and other application features are described by a primary model [1]. However, composing an aspect model with a primary model can result in conflicts or compromised behaviors. Therefore, a key issue in applying the AOM approach is determining whether composition of an aspect model and a primary model produces a composed model that has desired properties. We extend the previous aspect composition approaches by France et al. [1] and Song et al. [2] by supporting a way to generate proof obligations that must be discharged in order to establish that a desired property holds in the composed class model. Fig. 1 shows an overview of our verifiable composition approach. The composition of a primary model class diagram and an aspect model class diagram (refer to the action (1) in Fig. 1) is accomplished according to a named-based composition proposed by [1]. Specifying the given property statement using the Object Constraint Language (OCL) provides the property to be verified denoted as Pprop (refer to (2)). The operation behavior in a composed model needs to be verified against this property. A proof obligation is generated and evaluated when a sequence diagram is derived from the operation specification in the composed class diagram (refer to (3)). If any faulty composition is notified during the evaluation, the current sequence diagram, which is partially derived at that point, and the current proof obligation may be used to determine at which part of the composition the property fails to hold. The information that is available when the composition stops, can be used by a developer to determine what needs to be done to correct the situation. Otherwise, a sequence diagram is obtained. For details of the action (3) in Fig. 1, refer to our earlier work in [3].