Model Driven Development of Security Aspects

Quantified Score

Visualization

Abstract

The development of security-critical large-scale distributed software systems is a difficult and error prone process. As we learnt from practical experiences, it is especially difficult to manually define security policies, for example for access control. A human security administrator is not able to cope with the high complexity of the interactions of the application and the low level, platform specific security policy. Therefore, a new approach is needed to ease the definition of appropriate security policies. This paper shows how realisation of security aspects of a system can be automated to a great extend by applying model-driven software development techniques not only on functional properties. In the presented approach, UML models of the application's functional properties are flexibly augmented with security relevant information. Together with a high level security policy defined by the security administrator, this augmented functional model is then used in an automatic model transformation to generate the platform specific security policy. With this approach, which supports the separation of concerns in model based software engineering, we can automatically generate security-critical applications for different middleware platforms like SecureMiddleware, which is an extended implementation of the CORBA Component Model with improved support for non functional properties like security. The concepts, platforms and tools presented in the paper are currently used for the development of several large-scale and secure applications, for example for building a Virtual Air-Space Management System with strong security requirements.