Abstract:

Model Driven Security: from UML Models to Access Control Infrastructures

David Basin and Jürgen Doser and Torsten Lodderstedt


We present a new approach to building secure systems. In our approach, which we call Model Driven Security, 
designers specify system models along with their security requirements and use tools to automatically generate 
system architectures from the models including complete, configured access control infrastructures. Rather than 
fixing one particular modeling language for this process, we propose a general schema for constructing such 
languages that combines languages for modeling systems with languages for modeling security. We present 
several instances of this schema thatcombine (both syntactically and semantically) different UML modeling 
languages with a security modeling language for formalizing access control requirements. From models in the 
combined languages, we automatically generate access control infrastructures for server-based applications, built 
from declarative and programmatic access control mechanisms. The modeling languages and generation process 
are semantically well-founded and are based on an extension of Role-Based Access Control. We have 
implemented this approach ina UML-based CASE-tool and report on experiments.