MDSE@R: model-driven security engineering at runtime

Authors:
Mohamed Almorsy;John Grundy;Amani S. Ibrahim
Affiliations:
Centre for Computing & Engineering Software Systems, Swinburne University of Technology, Melbourne, Australia;Centre for Computing & Engineering Software Systems, Swinburne University of Technology, Melbourne, Australia;Centre for Computing & Engineering Software Systems, Swinburne University of Technology, Melbourne, Australia
Venue:
CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
Year:
2012

Citing 11
Cited 0

Towards Development of Secure Systems Using UMLsec

FASE '01 Proceedings of the 4th International Conference on Fundamental Approaches to Software Engineering
SecureUML: A UML-Based Modeling Language for Model-Driven Security

UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
Eliciting security requirements with misuse cases

Requirements Engineering
A Model-Based Framework for Security Policy Specification, Deployment and Testing

MoDELS '08 Proceedings of the 11th international conference on Model Driven Engineering Languages and Systems
SERENITY Pattern-Based Software Development Life-Cycle

DEXA '08 Proceedings of the 2008 19th International Conference on Database and Expert Systems Application
Taming Dynamically Adaptive Systems using models and aspects

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
From goal-driven security requirements engineering to secure design

International Journal of Intelligent Systems - Goal-driven Requirements Engineering
Pre-patched software

HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Security-driven model-based dynamic adaptation

Proceedings of the IEEE/ACM international conference on Automated software engineering
Supporting automated vulnerability analysis using formalized vulnerability signatures

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Supporting automated software re-engineering using re-aspects

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications.