UMLsec explained

UMLsec is an extension of the Unified Modeling Language (UML) for integrating security-related information into UML specifications, so that this information can be used for model-based security engineering. Most of it is added through stereotypes, and it covers security properties such as secure information flow, confidentiality, integrity and access control. Given an explicit attacker model, these properties can be checked at the model level, before any code exists.

Development

It was first proposed by Jürjens in 2002[1] and later revised and extended by the same author in the book Secure Systems Development with UML.[2]

Profile definition

UMLsec is defined as a lightweight extension of UML, that is, as a UML profile rather than a change to the UML metamodel.[3]

The profile is defined through a set of stereotypes, each with associated tagged values (tag definitions) and constraints. UMLsec defines the 21 stereotypes listed below; the base class column names the UML model element a stereotype may be attached to, and the constraints attached to the subsystem-level stereotypes are what a UMLsec checker verifies against the adversary model.

Stereotype | Base class | Tags | Description
fair exchange | subsystem | start, stop, adversary | Enforce the fair exchange principle on communication, that is, ensure that no cooperating party can cheat the others.
provable | subsystem | action, cert, adversary | Provide evidence of activities in order to obtain non-repudiation.
rbac | subsystem | protected, role, right | Enforce role-based access control.
Internet | link | (none) | Internet connection. It is assumed to be susceptible to message deletion, message addition and content exposure by the default attacker.
encrypted | link | (none) | Encrypted connection. It is assumed to be susceptible to message deletion, but not to addition or exposure, by the default attacker.
LAN | link, node | (none) | LAN connection or LAN network (node). It is assumed to be unaffected by the default external attacker.
wire | link | (none) | Wire connection. It is assumed to be unaffected by the default external attacker.
smart card; POS device; issuer node | node | (none) | Nodes with varying protection mechanisms. Adversary definitions determine to what extent these nodes may be tampered with. They are assumed to be unaffected by the default external attacker.
secrecy; integrity; high | dependency | (none) | Dependency that indicates a requirement of secrecy, integrity or high sensitivity, respectively, for the data it carries.
critical | object, subsystem | secrecy, integrity, authenticity, high, fresh | Label a system or object as critical. The tags state in what respect the system or object is critical (for example, which data must stay secret or must be fresh).
secure links | subsystem | adversary | Enforce secure communication links under the defined adversary model: each secrecy, integrity or high dependency between different nodes must be carried by a link the adversary cannot read, insert on, or affect at all, respectively.
secure dependencies | subsystem | (none) | Ensure that call and send dependencies between objects respect the security requirements that critical objects place on the data communicated.
data security | subsystem | adversary, integrity, authenticity | Enforce the basic security requirements (secrecy, integrity, authenticity, freshness) of critical data under the defined adversary model.
no down-flow; no up-flow | subsystem | (none) | Ensure secure information flow: no down-flow prevents high data from influencing behaviour observable at the low level, and no up-flow prevents low-level input from influencing high data.
guarded access | subsystem | (none) | Ensure that guarded objects are accessed only through their guards.
guarded | object | guard | Specify a guarded object that can only be accessed through the object named by the guard tag.

Adversary model

To check any security property it is necessary to state what kind of attacker is assumed. In UMLsec an adversary is specified by the set of threats it poses to each kind of link or node. The table below gives the default adversary: an external attacker who can delete, read (content exposure) and insert (add) messages on an Internet link, can only delete messages on an encrypted link, and cannot affect LAN, wire, smart card, POS device or issuer node elements at all. Other adversaries, for example an insider with access to the LAN, may of course be defined, and the same model can then be re-checked against them.

Stereotype | Threats (default adversary)
Internet | delete, read, insert
encrypted | delete
LAN | none
wire | none
smart card | none
POS device | none
issuer node | none
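As an added worked example (not part of UMLsec or of any UMLsec tool), the following Python script models a small deployment diagram as plain data, encodes the default adversary from the table above plus a hypothetical stronger "insider" adversary that can also read LAN traffic, and checks the «secure links» constraint: every dependency stereotyped «secrecy», «integrity» or «high» between components on different nodes must be carried by a link whose threat set under the chosen adversary contains no read, no insert, or nothing at all, respectively. The classes Node, Link and Dependency, the function names, and the node and component names are this example's own conventions; the threat action names delete, read and insert stand for the message deletion, content exposure and message addition named in the stereotype descriptions.

```python
"""Added example: a minimal checker for the UMLsec <<secure links>> constraint.

Illustrative code, not part of UMLsec or any UMLsec tool. The model
representation (Node, Link, Dependency) and the threat action names
delete / read / insert (message deletion, content exposure, message addition)
are this example's own conventions.
"""
from dataclasses import dataclass, field

# Default adversary: threat set per link/node stereotype, taken from the
# stereotype descriptions (Internet: delete, read, insert; encrypted: delete;
# everything else: unaffected).
DEFAULT_THREATS = {
    "Internet": {"delete", "read", "insert"},
    "encrypted": {"delete"},
    "LAN": set(),
    "wire": set(),
    "smart card": set(),
    "POS device": set(),
    "issuer node": set(),
}

# Hypothetical stronger adversary: an insider who can also sniff the LAN.
INSIDER_THREATS = {**DEFAULT_THREATS, "LAN": {"read"}}


@dataclass
class Node:
    name: str
    stereotype: str                      # e.g. "smart card", "issuer node"
    components: set = field(default_factory=set)


@dataclass
class Link:
    a: str                               # node name
    b: str                               # node name
    stereotype: str                      # "Internet", "encrypted", "LAN", "wire"


@dataclass
class Dependency:
    src: str                             # component name
    dst: str                             # component name
    stereotypes: set                     # subset of {"secrecy", "integrity", "high"}


def exposed(requirement, threats):
    """True if a link with this threat set cannot carry the requirement.

    <<secrecy>> forbids read, <<integrity>> forbids insert, and <<high>>
    requires an empty threat set.
    """
    if requirement == "secrecy":
        return "read" in threats
    if requirement == "integrity":
        return "insert" in threats
    if requirement == "high":
        return bool(threats)
    raise ValueError(f"unknown dependency stereotype {requirement!r}")


def node_of(component, nodes):
    for n in nodes.values():
        if component in n.components:
            return n.name
    raise KeyError(f"component {component!r} is not deployed on any node")


def check_secure_links(nodes, links, deps, threats):
    """Return a list of violations; an empty list means <<secure links>> holds.

    The constraint is existential: for each dependency between components on
    different nodes there must be at least one link between those nodes whose
    threat set (under the given adversary) is acceptable for the requirement.
    """
    violations = []
    for d in deps:
        nx, ny = node_of(d.src, nodes), node_of(d.dst, nodes)
        if nx == ny:
            continue                     # local call, no communication link
        carriers = [l for l in links if {l.a, l.b} == {nx, ny}]
        for req in sorted(d.stereotypes):
            acceptable = [l for l in carriers
                          if not exposed(req, threats.get(l.stereotype, set()))]
            if not acceptable:
                seen = sorted({l.stereotype for l in carriers}) or ["no link"]
                violations.append(
                    f"{d.src}->{d.dst} <<{req}>> between {nx} and {ny}: "
                    f"no acceptable link ({', '.join(seen)})")
    return violations


def example_model(link_stereotype, requirement="secrecy"):
    """Constructed sample deployment: a client on a smart card talks to a
    server on an issuer node over a single link of the given stereotype."""
    nodes = {
        "card": Node("card", "smart card", {"Client"}),
        "issuer": Node("issuer", "issuer node", {"Server"}),
    }
    links = [Link("card", "issuer", link_stereotype)]
    deps = [
        Dependency("Client", "Server", {requirement}),
        Dependency("Server", "Client", {"integrity"}),
    ]
    return nodes, links, deps


if __name__ == "__main__":
    for stereo, adversary in (("Internet", DEFAULT_THREATS),
                              ("encrypted", DEFAULT_THREATS),
                              ("LAN", INSIDER_THREATS)):
        nodes, links, deps = example_model(stereo)
        print(stereo, check_secure_links(nodes, links, deps, adversary)
              or "secure links holds")
```

Run stand-alone, the script reports two violations for the Internet link (the adversary can read the secret request and insert a forged reply), none for the encrypted link under the default adversary, and one for the LAN link once the insider adversary is assumed. Changing the client's requirement to "high" makes even the encrypted link unacceptable, because «high» tolerates no threat at all, including deletion; this is the practical difference between «secrecy» and «high» in the profile.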

References

  1. Jürjens, J. UMLsec: Extending UML for secure systems development. In UML 2002: The Unified Modeling Language (2002), 1–9.
  2. Jürjens, J. Secure Systems Development with UML, 1st ed. Springer, 2005.
  3. OMG. Unified Modeling Language Superstructure, version 2.2. Object Management Group, February 2009. http://www.omg.org/spec/UML/2.2/Superstructure