Professional Documents
Culture Documents
Uml-Based Modeling and Analysis of Security Threat
Uml-Based Modeling and Analysis of Security Threat
net/publication/220344852
CITATIONS READS
21 2,798
3 authors, including:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Jun Kong on 18 March 2015.
JUN KONG
Department of Computer Science
North Dakota State University
jun.kong@ndsu.edu
DIANXIANG XU
National Center for the Protection
of the Financial Infrastructure
Dakota State University
dianxiang.xu@dsu.edu
XIAOQIN ZENG
Department of Computer Science
Hohai University, China
xzeng@hhu.edu.cn
Poor design has been a major source of software security problems. Rigorous and
designer-friendly methodologies for modeling and analyzing secure software are highly
desirable. A formal method for software development, however, often suffers from a gap
between the rigidity of the method and the informal nature of system requirements. To
narrow this gap, this paper presents a UML-based framework for modeling and analyz-
ing security threats (i.e. potential security attacks) rigorously and visually. We model
the intended functions of a software application with UML statechart diagrams and
the security threats with sequence diagrams, respectively. Statechart diagrams are auto-
matically converted into a graph transformation system, which has a well-established
theoretical foundation. Method invocations in a sequence diagram of a security threat
are interpreted as a sequence of paired graph transformations. Therefore, the analysis
of a security threat is conducted through simulating the state transitions from an initial
state to a final state triggered by method invocations. In our approach, designers directly
work with UML diagrams to visually model system behaviors and security threats while
threats can still be rigorously analyzed based on graph transformation.
875
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
1. Introduction
Many techniques (i.e. cryptography and firewall) have been proposed to protect
computer systems at the network and operating system levels. However, they are
inadequate for application-level security because they lack the knowledge of appli-
cation semantics [35]. Poor software design has been a major source of security
problems. For example, around 50 percent of the security flaws uncovered during
Microsoft’s “security push” in 2002 were closely related to design-level problems [9].
Rigorous and designer-friendly methodologies for modeling and analyzing secure
software are highly desirable.
Formal methods can offer a solid foundation for achieving a high degree of
trustworthiness through formalization and verification of security properties [34].
Application of formal methods, however, requires considerable expertise and often
incurs a steep learning curve. This significantly reduces users’ interest in adopting
formal methods for real-world software development processes. In general, a visual
language can encourage users’ involvement and facilitate the communication of
design decisions, but often lacks precise semantics. This paper presents a UML-based
framework for modeling and analyzing secure software. This framework is featured
by using UML [28] as the modeling language while supporting rigorous analysis
of security threats. This narrows the gap between visual modeling and rigorous
analysis.
UML is a widely applied standard language for visually modeling object-oriented
systems. Our approach uses UML statechart diagrams to model intended func-
tions and UML sequence diagrams to specify security threats. Security threats are
misuses and anomalies that violate security policies or goals (e.g. confidentiality,
integrity, and availability) [35]. Due to the informal nature of UML notations, how-
ever, it is difficult to automate the analysis of security threats. In order to support
rigorous analysis, our approach automatically translates a UML statechart diagram
to a graph transformation system [19], which provides a solid foundation to simu-
late the execution of state transitions. Graph transformation offers a computational
paradigm of mathematical precision and visual specification [33]. It defines computa-
tion in a multi-dimensional fashion based on a set of rewriting rules, i.e. productions.
Each production consists of two parts: a left graph and a right graph, the difference
of which visually indicates the changes caused by a computation. With a graphical
representation of the state of a software artifact in the execution, the behavioral
semantics can be inherently specified through a sequence of productions, i.e. tran-
sitions from one graph (representing the current state) to another (representing a
new state). In our approach, we exploit graph transformation as the underlying
theoretical foundation for rigorous verification of security threats. More specifically,
a sequence diagram of security threat includes a sequence of actions. Each action
in a security threat triggers a state transition, which is executed through graph
transformation. If the system finally stays at some regular state after the attack
of a security threat, it indicates that the system is vulnerable to the threat since
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
the system takes the special combination of sequenced actions in a security threat
as normal actions. After we verify and identify vulnerable security threats against
intended functions, we need to mitigate identified vulnerabilities. Threat mitigation
is to prevent a specific sequence of actions from being triggered in state transitions.
In summary, this paper presents a rigorous and designer-friendly approach to
modeling and verifying security threats. In this approach, designers directly work
with UML diagrams to model intended functions and security threats. The intu-
itive nature of UML diagrams facilitates the distribution and communication of
software models. This encourages end-users to get involved in the design process.
Since end-users are more familiar with application domains, they may anticipate
those security threats that are not recognized by software developers. Underlying
UML diagrams, our approach applies graph transformation to verify security threats
against intended functions. Therefore, our approach supports rigorous verification
of security threats while it releases designers/users from learning a formal language.
The work reported in this paper is extended from a short conference paper [18]. This
paper, however, gives a more complete specification of our approach and presents a
more comprehensive case study.
The rest of this paper is organized as follows. Section 2 overviews the UML-based
modeling and analysis of security threats. Section 3 illustrates the modeling of
intended functions and security threats through UML diagrams. Section 4 demon-
strates the analysis of security threats based on graph transformation. Section 5
presents a case study. Section 6 discusses related work and Sec. 7 concludes the
paper.
Formalize
Hierarchical States Analyze
as a Graph Grammar Security Threats
A Graph Secured
Mitigate Statechart
Grammar Security Threats Diagrams
In the past years, a number of shopping cart systems failed because of security
vulnerabilities (e.g. customers purchased products at a reduced price and customers
ended up paying for others’ purchases). Those vulnerabilities were primarily due to
improper design.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
AddItem
RemoveItem
AddItem
shopping
Purchase CheckPrice Price
calTotalPrice
AddItem CheckPrice ListPrice
orderSubmitted
CheckInventory Browsing PlaceOrder
Inventory CheckInventory showItems
GetOrder Coupon
processing
waitingOrder
Order VerifyCoupon
ValidatePay [InValid]
[Valid]
[pay=valid] [pay=invalid]
Valid Invalid
PrintReceipt
ShoppingCart statechart diagram
PayCenter statechart diagram
a We only present the UML statechart diagrams for classes ItemToPurchase, PayCenter and Shop-
pingCart which are relevant to the following discussions about security threats.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
After a user completes shopping, he/she can place the order by calling method
PlaceOrder, which triggers a state transition from shopping to orderSubmitted.
Figures 2 and 3 constitute a design model for an online shopping application.
Given a design model, a security threat is a potential misuse or anomaly that vio-
lates some security goals. More specifically, given a design model, a security threat
refers to a number of sequenced method invocations that can violate security goals
or policies. However, an arbitrary set of method invocations does not necessarily
make up a security threat. Multiple threats can constitute a more complex threat.
Normally, a method invocation in a security threat is an action legitimately sup-
ported in a design model. However, certain combinations of legitimate individual
actions may become vulnerabilities. Sequence diagrams provide a natural means to
model those sequenced method invocations that constitute a security threat.
Login
Browse
CheckInventory
AddItem
AddCoupon
VerifyCoupon
Continue
Shopping
RemoveItem
calTotalPrice
PlaceOrder
GetOrder
ValidatePay
YT ZT
Fig. 5. A production.
There are three approaches to embedding a graph into a host graph [24]:
• Implicit embedding: formalisms such as picture layout grammars [8] and con-
straint multiset grammars [22] do not distinguish between a node and an edge.
Relationships are implicitly defined as constraints over their attribute values.
Attribute assignments within productions have the implicit side effect that cre-
ates new relationships to unknown context elements. Users are, therefore, not
always aware of the consequences of attribute assignments, and a parser requires
considerable time to extract implicitly defined knowledge about the relationships
from attributes and constraints.
• Embedding rules: some graph grammars, such as the NLC graph grammar [26],
have separate embedding rules which allow the redirection of arbitrary sets of
relationships from a redex to its substitute. This approach is easy to implement.
However, the embedding rules are often difficult to understand and all known
parsing algorithms for productions with embedding rules are either inefficient or
imposing very strict restrictions on the left and right graphs of the productions.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
Furthermore, embedding rules are only able to redirect or re-label existing rela-
tionships. They cannot be used to establish new relations between previously
unconnected nodes.
• Context elements: context elements can be used to establish the relationships
between a newly created graph and the host graph. This approach is the easiest
to understand, but an unrestricted use of context elements may complicate the
productions. Furthermore, it is difficult to rewrite elements that may participate
in a statically unknown number of relationships.
Without limiting to a specific grammar formalism, this paper uses the Spatial
Graph Grammar (SGG) [17] as the underlying grammar formalism to illustrate
our approach. The SGG formalism uses labeled graphs to support the linking of
newly created graphs into a parsed graph (traditionally called embedding). The
node structure enhanced with additional visual notations (e.g. vertices) in the SGG
simplifies the transformation specification and also increases the expressiveness. The
SGG combines the approaches of the embedding rule and the context elements to
solve the embedding problem. By introducing context information, simple embed-
ding rules can be sufficiently expressive to handle complicated visual programs.
The time complexity of the SGG parser is critical to the overall system perfor-
mance. The SGG parser uses efficient string matching technique to search for an
appropriate substructure which matches the right graph of a production based on
spatial relations. Under the confluence condition, the SGG parser has a polyno-
mial time complexity [17]. Informally, the confluence requires that different orders
of production applications achieve the same result, and therefore the parsing only
tries one parsing path.
BusyN
Busy
BusyT Scan
state configuration as shown in Fig. 6, the non-terminal node Busy N denotes the
state configuration starting from state Busy and the terminal node Busy T means
state Busy itself.
Productions are automatically generated according to the following rules:
• As visualized in Fig. 7(a), a concurrent composite state s with i direct substates
(x1 , . . . , xi ) generates a production such that the left graph includes only one
non-terminal node sN and the right graph is a two-level tree having node sT as
the root with i child nodes from x1N to xiN .
• Figure 7(b) depicts that a sequential composite state s with i direct substates
(x1 , . . . , xi ) generates i productions. In each production, the left graph has only
one non-terminal node sN , and the right graph is a two-level tree having node sT
as the root with one child node xmN (1 ≤ m ≤ i).
• Figure 7(c) shows a simple state s that generates a production such that the
left/right graph is made up of one node sN/sT .
Graph grammar
Source state
Generate
D
λ := ZN JN
(d) New states
<P6> EN := ET
e1 e2 <P3-P4> ZT ZT Z
ZN :=
E J DN EN <P7> JN := JT D
e3
___________________________
Analysis (State, Threat, initState)
Fig. 11. Graph grammars automatically derived from UML statechart diagrams.
:ShoppingCart :ItemToPurchase
Purchase
shopping
:PayCenter
Browsing waitingOrder
RemoveItem <(P1),(P1)>
:PayCenter :PayCenter :ShoppingCart <(P11,P12), :ShoppingCart
<(P5),(P6)> <(P4),(P5)> <(P10),(P11)> :ItemToPurchase
processing (P14)>
Confirmed ValidatePay GetOrder orderSubmitted PlaceOrder shopping calTotalPrice
Order Purchase
ListPrice
Fig. 13. Threat verification through paired graph transformations — Coupon Fraud.
b Dueto limited space, Fig. 12 only presents the paired graph transformations starting from the
method invocation AddCoupon.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
shopping
PlaceOrder
calTotalPrice /VerifyCoupon
VerifyingCoupon
Browsing ListPrice
showItems
VerifyCoupon
ContinueShopping addCoupon [Valid] [InValid]
addCoupon
5. A Case Study
Our case study was an online shopping application. We employed the STRIDE cate-
gories [11, 32] to identify threats. Each STRIDE category consists of different types
of threats. We elicited 12 types of threats to such security goals as confidentiality,
integrity, and availability and identified more than 50 specific threats across four
high-level functional use cases, including “placing an order,” “customer manage-
ment,” “order management,” and “handling and shipping.” As the online shopping
application is complex, the list of identified threats was by no means exhaustive.
Nevertheless, it provided a fairly good basis for demonstrating our approach.
In a shopping cart application, it is desirable to support client-side input, i.e.
clients can edit the quantity of a selected product. However, without a proper design,
the client-side input opens a security vulnerability to malicious users. They can edit
hidden form fields (such as price, weight, quantity, and identification) within the
HTML source code to perform an attack. For example, a malicious customer could
change the price of an item in a Web page and then submit the order request. Given a
design model (defined in Figs. 2, 3(a), 3(b) and 14), such an attack, buying a product
at a reduced price, is modeled as a sequence diagram in Fig. 15. A malicious user
GetOrder ValidatePay
:ShoppingCart
:ItemToPurchas :ItemToPurchase :ItemToPurchas shopping
<(P1),( P2)> <(P2),(P1)> <(P10),(P9)>
Purchase CheckPrice Price AddItem Purchase CalTotalPrice
ListPrice
checks the price of a selected product by calling CheckPrice. Then, he/she saves the
Web page of the selected product, changes the price and adds the product to the
shopping cart with a reduced price by calling AddItem.
Figure 16 gives the automatically derived graph grammar, which is correspond-
ing to the refined statechart diagram in Fig. 14. Similar to the verification of a
coupon fraud, grammars in Figs. 16, 11(a) and 11(b) provide a theoretical founda-
tion to verify the threat of buying a product at a reduced price. Figure 17 gives the
verification process, including a sequence of paired graph transformations. Accord-
ing to the verification result, though the statehcart diagram for the ShoppingCart
class in Fig. 14 is free from a coupon fraud, it is still vulnerable to the threat of
buying a product at a reduced price.
In order to mitigate the threat, we introduce a new method VerifyPrice to the
class ShoppingCart. This method, which is automatically called after an Shopping-
Cart object verifies coupons, is used to compare the submitted price recorded in
class Products. If the price is altered, the ShoppingCart object is transitted to state
orderCancelled, which indicates an invalid order. The corresponding refined state-
chart diagram for class ShoppingCart is presented in Fig. 18, which is secured from
both the coupon fraud and buying a product at a reduced price. The above model-
ing and verification process is performed iteratively until all identified threats are
verified.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
PlaceOrder
shopping /VerifyCoupon
calTotalPrice VerifyingCoupon
Browsing ListPrice VerifyCoupon
showItems
[Valid]
[InValid]
/VerifyPrice
ContinueShopping addCoupon
VerifyingPrice orderCancelled
Coupon
VerifyPrice
[ValidPrice] [InValidPrice]
addCoupon
orderSubmitted
6. Related Work
Threat modeling has gained increasing attention in the secure software engineering
community. As a structured way to secure software, the Microsoft’s threat model-
ing approach [11, 32] first determines threats to the system based on application
decomposition, ranks them by decreasing risk, and then chooses assurance tech-
niques to mitigate them. The suggested tools for specifying system functions and
security threats are data flow diagrams and attack trees, respectively. The misuse
case approach [1, 30] extends the use case approach with misuse cases and miti-
gation cases for the integrated elicitation of functional and security requirements.
Misuse cases are the inverse of use cases to model system behavior that should be
avoided. A misuse case can be defined as a complete sequence of actions which can
result in loss for the organization or some specific stakeholder. Sindre and Opdahl
have identified several relations between ordinary use cases and misuse cases, such
as includes, extends, prevents and detects. Also they have proposed a general tem-
plate for misuse case description [31]. Alexander discussed a variety of applications
of misuse cases beyond security requirements elicitation, such as eliciting general
“-ility” requirements, exceptions, and test cases [1]. Built upon the notions of misuse
and mitigation use cases, Xu et al. [37] have exploited aspect-orientation to capture
the crosscutting nature of threats and mitigations so that system requirements are
elicited in a more structured way. The structured specification facilitates under-
standing and analysis of the interplays between functional and security require-
ments. Xu and Pauli have developed a threat-driven approach to the architectural
design and analysis of secure software [36]. Based on the identification and mitiga-
tion of security threats as misuse use cases, they leverage use cases, misuse cases,
and mitigation of use cases to design architectural components and their connec-
tions for candidate architectures. This approach also allows for informal analysis of
whether or not candidate architectures are resistant to the identified security threats
and what constraints must be imposed on the choices of system implementation.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
Many approaches have been proposed to extend UML to model and specify
security requirements. Rodriguez et al. [25] extend UML to model secure business
process at a high level of abstraction through UML activity diagrams. Houmb and
Kansen [10] present the Security Assessment UML, i.e. a UML profile for specifying
concrete threat scenarios. This UML profile aims at documenting the results from
risk identification and risk analysis in a security assessment, but this approach does
not discuss automatic verification of threat scenarios. Basin et al. [20, 2] proposed
a Model Driven Security methodology for developing secure systems, and demon-
strated its application to the domain of access control. Based on the SecureUML [20],
a modeling language for specifying access control policies, this approach supports to
automatically generate configured access control infrastructures. Due to the infor-
mal nature, the approaches described above do not support verification of threat
models or misuse cases while our approach supports a rigorous verification of secu-
rity threats based on graph transformation. Brucker et al. [3] present a semantics
for SecureUML by transforming a SecureUML model into a secured system model
described in UML/OCL. Kim et al. [16] use UML template diagrams to specify
reusable Role-Based Access Control (RBAC) policies, which need to be instantiated
in an application specific model. UMLsec [12, 13] extends UML to specify security
requirements within UML diagrams in a system specification. This approach sup-
ports encapsulating security engineering knowledge in the widely used design nota-
tion of UML. A tool has been developed to support UMLsec-based verification [14].
However, this work does not discuss threat modeling and analysis.
Formal methods for threat modeling and verification have also been developed.
Xu and Nygard have developed aspect-oriented Petri nets as a unified formalism
for specifying intended functions, security threats, and threat mitigations of a secu-
rity design as a whole [35]. Intended functions and security threats are modeled
by Petri nets, whereas threat mitigations are modeled by Petri net based aspects
due to the incremental and crosscutting nature of security features. The unified
formalism facilitates verifying correctness of security threats against intended func-
tions and verifying absence of security threats from integrated functions and threat
mitigations. Lotz has proposed a process-algebra based formal approach for devel-
oping secure communication systems with the aid of threat scenarios [21]. A threat
scenario describes a situation in which the system is attacked by an adversary.
The specification of a threat scenario is derived by replacing critical components
with subsystems that specify relevant attacks. Based on a compositional system
specification, the approach identifies and specifies threat scenarios, selects security
mechanisms, refines specification, and conducts security analysis. In this paper, we
investigate threat modeling and verification with UML Statecharts, UML sequence
diagrams, and graph transformations. Different from the above approaches, our
front-end language is UML, which has been widely applied to real-world software
development.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
7. Conclusion
We have presented a rigorous and design-friendly framework for modeling and anal-
ysis of security threats. In our approach, designers use statechart diagrams to model
the behavior and sequence diagrams to specify security threats. In order to support
rigorous analysis of security threats against the system behavior, statechart dia-
grams are automatically converted to a graph transformation system, which can
be considered to be a UML virtual machine to interpret state transitions triggered
by sequenced method invocations in a security threat. Our approach allows for rig-
orous modeling and analysis of secure software while minimizing the requirement
of expertise in formal methods. In other words, designers directly apply the indus-
try standard of UML notations to model secured software without knowing the
details of underlying graph grammars. The popularity of UML notations increases
the applicability of our approach.
Our approach is limited by the nature of UML statechart and sequence diagrams.
Since a statechart diagram captures control-oriented state transitions, instead of
data flows, it is difficult to identify and analyze threats that are related to data flows.
Furthermore, a statechart diagram requires enumerating all states, which makes it
difficult to build the statechart for a complex system. Also, sequence diagrams
represent sequences of actions. They are hard to capture the relationships between
threats. As the future work, we will conduct more experiments on modeling and
analyzing security requirements in real-world systems to investigate above issues.
We will also formalize our approach with a rigorous proof of correctness to analyze
security threats against statechart diagrams.
Acknowledgments
The authors would like to thank associate editor Dr. Yi Deng and anonymous
reviewers for their insightful and constructive comments that have helped us to
significantly improve the presentation. This work is supported in part by ND NASA
EPSCoR grant #NNXO7AK91A.
References
1. I. Alexander, Misuse Cases: Use Cases with Hostile intent, IEEE Software (2003)
58–66.
2. D. Basin, J. Doser and T. Lodderstedt, Model driven security: From UML models
to access control infrastructures, ACM Transactions on Software Engineering and
Methodology 15(1) (2006) 39–91.
3. A. D. Brucker, J. Doser and B. Wolff, A model transformation semantics and analy-
sis methodology for SecureUML, Model Driven Engineering Languages and Systems
LNCS, Vol. 4199 (2006), pp. 306–320.
4. M. M. Burnett, Visual Language Research Bibliography, http://www.cs.orst.edu/
∼burnett/vpl.html, 2009.
January 18, 2011 11:16 WSPC/117-IJSEKE - SPI-J111 0218-1940
S0218194010004980
27. G. Rozenberg (ed.), Handbook of Graph Grammars and Computing by Graph Trans-
formation: Foundations, Vol. 1 (World Scientific, 1997).
28. J. Rumbaugh, I. Jacobson and G. Booch, The Unified Modeling Language Reference
Manual, 2nd edn. (Addison-Wesley, 2005).
29. A. Schürr, A. Winter and A. Zündorf, Graph grammar engineering with PROGRES,
Proc. ESEC’95, LNCS Vol. 989 (1995), pp. 219–234.
30. G. Sindre and A. L. Opdahl, Eliciting security requirements by misuse cases, Proc.
Conf. Technology of Object-Oriented Languages and Systems (2000), pp. 120–131.
31. G. Sindre and A. L. Opdahl, Templates for misuse case description, Proc. of the
7th International Workshop on Requirements Engineering, Foundation for Software
Quality (2001).
32. F. Swiderski and W. Snyder, Threat Modeling (Microsoft Press, 2004).
33. D. Varró, A formal semantics of UML statecharts by model transition systems, Proc.
ICGT 2002, LNCS Vol. 2505 (2002), pp. 378–392.
34. J. Wing, A symbiotic relationship between formal methods and security, Proc. NSF
Workshop on Computer Security, Fault Tolerance, and Software Assurance: From
Needs to Solution (1998).
35. D. X. Xu and K. E. Nygard, Threat-driven modeling and verification of secure software
using aspect-oriented petri nets, IEEE Transactions on Software Engineering 32(4)
(2006) 265–278.
36. D. Xu and J. Pauli, Threat-driven design and analysis of secure software architectures,
Journal of Information Assurance and Security 1(3) (2006) 171–180.
37. D. Xu, V. Goel, K. Nygard and W. E. Wong, Aspect-oriented specification of threat-
driven security requirements, International Journal of Computer Applications in Tech-
nology, Special Issue on Concern Oriented Software Evolution 31(1/2) (2008) 131–140.
38. D. Q. Zhang, K. Zhang and J. Cao, A context-sensitive graph grammar formalism for
the specification of visual languages, Computer Journal 44(3) (2001) 187–200.
39. K. Zhang, D-Q. Zhang and J. Cao, Design, construction, and application of a generic
visual language generation environment, IEEE Transactions on Software Engineering
27(4) (2001) 289–307.