UMLsec is an extension to the Unified Modeling Language for integrating security related information in UML specifications. This information can be used for model-based security engineering. Most security information is added using stereotypes and covers many security properties including secure information flow, confidentiality, and access control. Using an attacker model these properties can be checked on a model level.
It was first proposed by Jürjens et al. in 2002[1] and later revised and extended by the same author.[2]
UMLsec is defined as a lightweight extension for UML.[3]
The profile is defined through a set of prototypes with properties (tag definitions) and constraints. UMLsec defines 21 stereotypes listed below.
Stereotype | Base class | Tags | Description | |
---|---|---|---|---|
fair exchange | subsystem | start, stop, adversary | enforce the fair exchange principle on communication. That is, ensure no cheating of cooperating parties. | |
provable | subsystem | action, cert, adversary | provide evidence of activities to obtain non-repudiation. | |
rbac | subsystem | protected, role, right | enforce role-based access control. | |
Internet | link | Internet connection. It is assumed to be susceptible to message deletion, addition, and content exposure by the default attacker. | ||
encrypted | link | model an encrypted connection. It is assumed to be susceptible to message deletion by the default attackers. | ||
LAN | link, node | LAN connection or a LAN network (node). It is assumed to be unaffected by the default external attacker. | ||
wire | link | wire connection. It is assumed to be unaffected by the default external attacker. | ||
smart card POS device issuer node | node | Nodes with varying protection mechanisms. Adversary definitions determine to what extent these nodes may be tampered with. They are assumed to be unaffected by the default external attacker. | ||
secrecy integrity high | dependency | dependency that indicates an assumption of secrecy and integrity as well as high sensitivity. | ||
critical | object subsystem | secrecy, integrity, authenticity, high, fresh | label a system or object as critical. Tags are used to define in what respect the system/object is critical. | |
secure links | subsystem | adversary | enforce secure communication links under the defined adversary model. | |
secure dependencies | subsystem | ensure that secure dependencies are met. | ||
data security | subsystem | adversary, integrity, authenticity | enforce basic security requirements under the defined adversary model. | |
no down-flow, no up-flow | subsystem | ensure secure information flow. | ||
guarded access | subsystem | ensure that guarded objects are accessed only through their guards. | ||
guarded | object | guard | specify a guarded object that can only be accessed through the object specified by the guard tag. |
To ensure security it is necessary to specify what kind of attacker is assumed. In UMLsec, the attacker model is defined through the threats that it poses. The table below defines the default adversary. Other adversaries may of course be defined.
Stereotype | Threatsdefault | |
---|---|---|
Internet | ||
encrypted | ||
LAN | ∅ | |
wire | ∅ | |
smart card | ∅ | |
POS device | ∅ | |
issuer node | ∅ |