software & systems engineering informatics, tu munich, germany [email protected]
DESCRIPTION
Critical System Development using MBRA and UMLsec: Methods and Tools Jan Jürjens and Siv Hilde Houmb. Software & Systems Engineering Informatics, TU Munich, Germany [email protected] http://www.jurjens.de/jan and Department of Computer and Information Science, NTNU, Norway - PowerPoint PPT PresentationTRANSCRIPT
Critical System Development using MBRA and UMLsec:
Methods and Tools Jan Jürjens and Siv Hilde Houmb
Software & Systems Engineering
Informatics, TU Munich, Germany
http://www.jurjens.de/jan
and
Department of Computer and Information Science, NTNU, Norway
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 2
Critical Systems Development
• High quality development of critical systems (dependable, security-critical, real-time,...) is difficult.
• Many systems developed and deployed do not satisfy their criticality requirements, sometimes with spectacular failures.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 3
Quality vs. Cost
• Systems on which human life and commercial assets depend need careful development.
• Systems operating under possiblesystem failure or attack need to befree from weaknesses.
• Correctness in conflict with cost.• Thorough methods of system design
not used if too expensive or not efficient enough (time is money and one needs to deliver).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 4
Model-based Development/Design Synthesis
Requirements
Models
Designs
Systems
Goal: ease transition from human ideas to executable systems.
The layer bellow is a realisation of the layer above.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 5
Using UML
UML: unprecedented opportunity for high-quality critical systems development feasible in industrial context:
• De-facto standard in industrial modeling: large number of developers trained in UML.
• Relatively precisely defined (given the user community).
• Many tools in development (also for analysis, testing, simulation and transformation).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 6
Challenges
• Adapt UML to critical system application domains.
• Correct use of UML in the application domains.
• Conflict between flexibility and unambiguity in the meaning of a notation (ontology).
• Improving tool-support for critical systems development with UML.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 7
Content of This Tutorial
Background knowledge on using UMLsec and MBRA for critical systems development
• UML basics, including extension mechanisms.• Extensions of UML (UMLsafe, UMLsec).• UML as a formal design technique.• MBRA and integrated system development processes.• Tools for UML: UMLsec and MBRA.• Case studies.
Concentrate on security(-safety)-critical systems.
Generalize to other application domains.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 8
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processesTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 9
Using UML
Unified Modeling Language (UML):
• visual modeling language
• different views on a system
• allows for a high degree of abstraction
• de-facto industry standard (OMG)
• standard extension mechanisms
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 10
Customer: Business:
Order
Pay
Wait Deliver
Class
Package
Attribute : undefined
Instance: Instance1:
<<comment>>
Instance2:
CallAction
CallAction
CallAction
CreateAction
LADC2003
ActorUseCase
Actor1
UseCase1
UseCase2<<include>>
<<extend>>
Node1
subsystem
Component1
Node
Component2
A Glimpse at UML
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 11
Used Fragment of UML
Activity diagram: flow of control between system components
Class diagram: data structure of the systemSequence diagram: interaction between
components by message exchangeStatechart diagram: dynamic component behaviorDeployment diagram: components in physical
environmentPackage: collect system parts into groups
Current: UML 1.5 (released Mar 2003)
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 12
UML run–through: Activity diagrams
• Specify the control flow between components within the system.
• At a higher degree of abstraction than statecharts and sequence diagrams.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 13
UML run-through: Class diagrams
• Data structure of system.
• Components with attributes and operations/signals; relationships between components.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 14
• Describe interaction between system components using message exchange.
UML run-through: Sequence Diagrams
]
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 15
UML run-through: Statecharts
• Dynamic behavior of individual component.
• Input events cause state change and output actions.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 16
UML run-through: Deployment diagrams
• Describe the physical layer on which the system is to be implemented.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 17
UML run-through: Package
• May be used to organize model elements into groups.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 18
UML Extension Mechanisms
• Stereotype: specialize model element using <<label>>.
• Tagged value: attach {tag=value} pair to stereotyped element.
• Constraint: refine semantics of stereotyped element.
• Profile: a particular set of stereotypes,
tagged values and constraints.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 19
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processesTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 20
Safety
• Safety is freedom from accidents or losses [Leveson 1995].
• Safety-critical systems: five failure condition categories: catastrophic, hazardous, major, minor, no effect.
• Corresponding safety levels A - E (DO-178B standards in avionics).
• Safety goals: specified as the maximum allowed failure rate. For high degree of safety, testing not sufficient (1 failure per 100,000 years).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 21
Failures
Exchanged data may be • delayed (and possibly reordered) • lost• corrupted.Often, failures occur randomly (e.g. hardware).Failure semantics examples:• crash/performance: component may crash or
exceed time limit, but still be partially correct. • value: component may deliver incorrect
values.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 22
Fault-tolerance
• Redundancy model determines
which level of redundancy provided.
• Goal: no hazards in presence of
single-point failures.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 23
Embedded Systems
Embedded software increasingly used in safetycritical systems (flexibility):
• Automotive• Avionics• Aeronautics• Robotics, Telemedicine• …Our treatment of safety-critical systems also
applies to embedded systems.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 24
UMLsafe: Goals
Extensions for safe systems development.• evaluate UML specifications for weaknesses
in design • encapsulate established rules of prudent
safety engineering as checklist• make available to developers not specialized
in safety-critical systems• consider safety from early design phases, in
system context• make certification cost-effective
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 25
The UMLsafe Profile
• Recurring safety requirements, failure scenarios, concepts (fault tolerance) offered as stereotypes with tags on component-level.
• Use associated constraints to evaluate specifications and indicate possible weaknesses.
• Ensures that UML specification provides desired level of safety.
• Link to code via test-sequence generation.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 26
Failure Semantics Modeling
For redundancy model R, stereotype s {<<∊ crash/performance>>, <<value>>}, have set FailuresR(s) {delay(⊆ t), loss(p), corrupt(q)}:
• t: expected maximum time delay, • p: probability that value not delivered within t,• q: probability that value delivered in time
corrupted(in each case incorporating redundancy). Or use
<<risk>> stereotype with {failure} tag.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 27
Example
Suppose redundancy model R uses controller with redundancy 3 and the fastest result. Then could take:
• delay(t): t delay of fastest controller, • loss(p): p probability that fastest result
delivered within t,• loss(p): p probability that fastest result is
corrupted.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 28
<<guarantee>>
Describe guarantees required from communication dependencies for respective system components.
Tags: {goal} with value subset of {immediate(t), eventual(p), correct(q)}, where
• t: expected maximum time delay, • p: probability that value is delivered within t,• q: probability that value delivered in time not
corrupted.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 29
<<safe links>>
Physical layer should meet safety requirements on communication given redundancy model R.
Constraint: For dependency d stereotyped <<guarantee>> have corresponding communication link l with stereotype s such that
• if {goal} has immediate(t) as value then delay(t‘) FailuresR(s) implies t‘·t,
• if {goal} has eventual(p) as value then loss(p‘) FailuresR(s) implies p‘·1-p, and
• if {goal} has correct(q) as value then corruption(q‘) FailuresR(s) implies q‘·1-q.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 30
Example <<safe links>>
Given redundancy model none, <<safe links>> fulfilled iff T· expected delay according to Failuresnone(<<crash/performance>>).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 31
<<safe dependency>>
Communication dependencies should respect safety requirements on <<critical>> data.
For each safety level {l} for <<critical>> data, have goals(l)⊆{immediate(t), eventual(p), correct(q)}.
Constraint: for each dependency d from C to D stereotyped <<guarantee>>:
• Goals on data in D imply those in C.• Goals on data in C also appearing in D met by
guarantees of d.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 32
Example <<safe dependency>>
Assuming immediate(t) goals(realtime), violates <<safe dependency>>, since Sensor and dependency do not provide real-time goal immediate(t) for measure() required by Controller.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 33
<<safe behaviour>>
Ensures that system behavior in presence of failure model provides required safety {goals} by requiring that in any trace h of the execution:
• immediate(t): Value delivered after at most t time steps.
• eventual(p): Probability that delivered value is lost during transmission at most 1-p.
• correct(q): Probability that delivered value corrupted during transmission at most 1-q.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 34
<<containment>>
Prevent indirect corruption of data.
Constraint:
Value of any data element d may only be influenced by data whose requirements attached to <<critical>> imply those of d.
Make precise by referring to execution semantics (view of history associated with safety level).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 35
Example <<containment>>
Violates containment because a {safe} value depends on un{safe} value.
Can check this mechanically.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 36
Other Checks
Have other consistency checks such as
• Is the software‘s response to out-of-range values specified for every input ?
• If input arrives when it shouldn't, is a response specified?
…and other safety checks from the literature.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 37
Failure Models
lqln: messages on link l delayed further n time units.
phn: probability of failure at nth iteration in history h.
For link l stereotyped s where loss(p)2FailuresR(s),• history may give lql
0:=;; then append p to (phn)n2N,
• or no change, then append 1-p.
For link l stereotyped s where corruption(q)2FailuresR(s),• history may give lql
0:=;; then append q,• or no change; append 1-q.
For link l stereotyped s with delay(t)2FailuresR(s), and lql0;,
history may give lqln:=lql
0 for n·t; append 1/t .
Then for each n, lqln:=lql
n+1.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 38
Execution Semantics
Behavioral interpretation of a UML subsystem:
(1) Takes input events.
(2) Events distributed from input and link queues between subcomponents to intended recipients where they are processed.
(3) Output distributed to link or output queues.
(4) Failure model applied as defined above.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 39
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 40
A Need for Security
• Society and economies rely on computer networks for communication, finance, energy distribution, transportation...
• Attacks threaten economical and physical integrity of people and organizations.
• Interconnected systems can be attacked anonymously and from a safe distance.
• Networked computers need to be secure.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 41
Problems
• Many flaws found in designs of security-critical systems, sometimes years after publication or use.
• Spectacular Example (1997):
– NSA hacker team breaks into U.S. Department of Defence computers and the U.S.electric power grid system. Simulates power outages and 911 emergency telephone overloads in Washington D.C..
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 42
Causes I
• Designing secure systems correctly is difficult. Even experts may fail:
– Needham-Schroeder protocol (1978)
– attacks found 1981 (Denning, Sacco), 1995 (Lowe).
• Designers often lack background in security.
• Security as an afterthought.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 43
Causes II
• Cannot use security mechanisms „blindly“:– Security often compromised by circumventing
(back doors) (rather than breaking) security mechanism.
– Assumptions on system context, physical environment.
• „Those who think that their problem can be solved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (Lampson, Needham).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 44
Difficulties
• Exploit information spreads quickly.
• No feedback on delivered security from customers.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 45
Previous approaches
„Penetrate-and-patch“: unsatisfactory.
• insecure (damage until discovered)• disruptive (distributing patches costs
money, destroys confidence, annoys customers).
Traditional formal methods: expensive.
• training people• constructing formal specifications.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 46
Goal: Security by Design
Consider security
• from early on
• within development context
• taking an expansive view
• in a seamless way.
Secure design by model analysis.
Secure implementation by test generation.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 47
Holistic view on Security
„An expansive view of the problem is most appropriate to help ensure that no gaps appear in the strategy“ (Saltzer, Schroeder 1975).
But „no complete method applicable to the construction of large general-purpose systems exists yet“ - since 1975.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 48
From UMLsafe to UMLsec
Safety = „Security against stupid adversaries“
Security = „Safety for paranoids“
Adversaries in security correspond to failures in safety.
Replace failure model in UMLsafe by adversary model to get UMLsec.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 49
UMLsec
UMLsec: extension for secure systems development.
• evaluate UML specifications of vulnerabilities
• encapsulate security engineering patterns
• also for developers not specialized in security
• security from early design phases, in system context
• make certification cost-effective
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 50
The UMLsec profile
• Recurring security requirements as stereotypes with tags (secrecy, integrity,...).
• Associated constraints to evaluate model, indicate possible vulnerabilities.
• Ensures that stated security requirements enforce given security policy.
• Ensures that UML specification provides requirements.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 51
Basic Security Requirements
Secrecy
Information
Information
Integrity
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 52
<<Internet>>, <<encrypted>>, …
Kinds of communication links between respective system nodes.
For adversary type A, stereotype s, have set
Threats (s) {delete, read, insert, ∊access} of actions that adversaries are capable of.
Default attacker:
Stereotype Threats ()
Internet
encrypted
LAN
smart card
{delete, read, insert}
{delete}
∅∅
A
default
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 53
Requirements with use case diagrams
Capture security requirements in use case diagrams.
Constraint: need to appear in corresponding activity diagram.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 54
<<fair exchange>>
Ensures generic fair exchange condition.
Constraint: after a {buy} state in activity diagram is reached, one will eventually reach {sell} state.
(Cannot be ensured for systems that an attacker can stop completely.)
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 55
Example <<fair exchange>>
Customer buys goods from a business.
Fair exchange means: after payment, customer is eventually either delivered good or able to reclaim payment.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 56
<<secure links>>
Ensures that physical layer meets security requirements on communication.
Constraint: for each dependency d with stereotype s {∊ <<secrecy>>, <<integrity>>} between components on nodes n≠m, have a communication link l betweenn and m with stereotype t such that
• if s = <<secrecy>>: have read Threats ∉ (t).
• if s = <<integrity>>: have insert Threats ∉ (t).
A
A
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 57
Example <<secure links>>
• Given default adversary type, constraint for stereotype <<secure links>> violated:– According to the Threatsdefault(Internet)
scenario, <<Internet>> link does not provide secrecy against default adversary.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 58
<<secure dependency>>
Ensure that <<call>> and <<send>> dependencies between components respect security requirements on communicated data given by tags {secrecy}, {integrity}.
Constraint: for <<call>> or <<send>> dependency from C to D (and similarly for {secrecy}):
• Msg in D is {secrecy} in C if and only if also in D.
• If msg in D is {secrecy} in C, dependency stereotyped <<secrecy>>.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 59
Example <<secure dependency>>
• Violates <<secure dependency>>: – Random generator and <<call>> dependency do not give
security level for random() to key generator.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 60
<<no down–flow>>
Enforce secure information flow.
Constraint:
• Value of any data specified in {secrecy} may influence only the values of data also specified in {secrecy}.
• Formalize by referring to formal behavioral semantics.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 61
Example <<no down-flow>>
• <<no down–flow>> violated: – partial information on input of high wm() returned by non-high
rx().
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 62
<<data security>>
Security requirements of data marked <<critical>> enforced against threat scenario from deployment diagram.
Constraints:
• Secrecy of {secrecy} data preserved.
• Integrity of {integrity} data preserved.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 63
Example <<data security>>
Variant of TLS (INFOCOM`99).
Violates {secrecy} of s against default adversary.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 64
<<guarded access>>
Ensures that in Java, <<guarded>> classes only accessed through {guard} classes.
Constraints:
• References of <<guarded>> objects remain secret.
• Each <<guarded>> class has {guard} class.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 65
Example <<guarded access>>
• Provides <<guarded access>>:– Access to MicSi protected by MicGd.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 66
Concepts covered by UMLsec
Security requirements: <<secrecy>>,…
Threat scenarios: Use Threatsadv(ster).
Security concepts: e.g. <<smart card>>.
Security mechanisms: e.g. <<guarded access>>.
Security primitives: Encryption built in.
Physical security: Given in deployment diagrams.
Security management: Use activity diagrams.
Technology specific: Java, CORBA security.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 67
Security Analysis
• Model classes of adversaries.
• May attack different parts of the system according to threat scenarios.
• Example: insider attacker may intercept communication links in LAN.
• To evaluate security of specification, simulate jointly with adversary model.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 68
Applications
• Common Electronic Purse Specifications
• Analysis of multi-layer security protocol for web application of major German bank
• Analysis of SAP access control configurations for major German bank
• Risk analysis of critical business processes (for Basel II / KontraG)
• …
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 69
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processesTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 70
Real-time: UMLreal
• Similar to dependability.
• Usually the focus is on meeting hard time deadlines.
• Add special stereotypes for this in UMLreal.
• Can also use this with the UML-RT extension.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 71
Real-time: UML-RT
• UML extended with concepts from the ROOM modelling language (Selic, Rumbaugh 1998).
• Focus on software architecture.
• New: capsules, ports, connectors.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 72
UML-RT: capsules, ports, connectors
Capsules: architectural objects interacting through signal-based boundary objects (ports).
Port: object implementing interface of capsule. Associated with a protocol defining flow of information.
Connector: abstract signal-based communication channels between ports.
Functionality of capsule realized by associated state machine.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 73
Example
From Selic, Rumbaugh 1998.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 74
Quality-of-service: UMLqos
• Similar to dependability.
• Usually the focus is on measuring the time delay on communication lines.
• Special stereotypes for this purpose.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 75
Hybrid Systems
• Actions define the discontinuities (instantaneous actions performed by combinational part).
• Activities define the smooth periods (the time consuming behavior of the analog part while combinational part is idle).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 76
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processesTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 77
Model Based Risk Assessment• Integrated process
– Make use of system models both as system description and as input to risk assessment
• Support reuse (and ease the updating of system description during and after assessment)
• Cost efficient (at the right time for the right cost)• Precise specification of security requirements
– security requirements using UMLsec– existing security mechanism using CORAS UML profile or
SOL– results from assessment using CORAS UML profile or
SOL (Security assessment Object Language).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 78
Development processes/Life Cycle Models• IEC 61508: Functional safety of
electrical/electronic/programmable electronic safety-related systems.
• RUP (Rational Unified Process) or more general UP.
• CORAS integrated RMP and SDP.
• Integrated risk assessment and system development process for networked enterprises.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 79
IEC 61508 (1)
The strategy of the standard is to derive safety requirements from a hazard and risk analysis and to design the system to meet those safety requirements, taking all possible causes of failure into account [IEC61508].
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 80
Overalloperation andmaintenance
planning
6Overall
installation andcommissioning
planning
8Overallsafety
validationplanning
7
Overall planning
Concept1
Overall safetyrequirements4
Safety requirementsallocation5
Hazard and riskanalysis3
Overall scopedefinition2
Safety-relatedsystems:E/E/PES
9
Realisation(see E/E/PES
safetylifecycle)
Overall modificationand retrofit15
Decommissioningor disposal16
Overall operation,maintenance and repair14
Overall installationand commissioning12
Overall safetyvalidation13
Back to appropriateoverall safety lifecycle
phase
Safety-relatedsystems:
othertechnologiy
10
Realisation
External riskreductionfacilities
11
Realisation
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 81
IEC 61508 (3)• Concept: An understanding of the system and its
environment is developed.• Overall scope definition: The boundaries of the system and
its environment are determined, and the scope of the hazard and risk analysis is specified.
• Hazard and risk analysis: Hazards and hazardous events of the system, the event sequences leading to the hazardous events, and the risks associated with the hazardous events are determined.
• Overall safety requirements: The specification for the overall safety requirements is developed in order to achieve the required functional safety.
• Safety requirements allocation: The safety functions contained in the overall safety requirements specification are allocated to the safety-related system, and a safety integrity level is allocated to each safety function.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 82
IEC 61508 (4)• Overall operation and maintenance planning: A plan is
developed for operating and maintaining the system, and the required functional safety is ensured to be maintained during operation and maintenance.
• Overall safety validation planning: A plan for the overall safety validation of the system is developed.
• Overall installation and commissioning planning: Plans, ensuring that the required functional safety is achieved, are developed for the installation and commissioning of the system.
• Safety-related systems, E/E/PES: The E/E/PES safety-related system is created conforming to the safety requirements specification.
• Safety-related systems, other technology: Other technology safety-related systems are created to meet the requirements specified for such systems (outside scope of the standard).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 83
IEC 61508 (5)• External risk reduction facilities: External risk reduction
facilities are created to meet the requirements specified for such facilities (outside scope of the standard).
• Overall installation and commissioning: The E/E/PES safety-related system is installed and commissioned.
• Overall safety validation: The E/E/PES safety-related system is validated to meet the overall safety requirements specification.
• Overall operation, maintenance and repair: The system is operated, maintained and repaired in order to ensure that the required functional safety is maintained.
• Overall modification and retrofit: The functional safety of the system is ensured to be appropriate both during and after modification and retrofit.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 84
IEC 61508 (6)• Decommissioning or disposal: The functional safety of the
system is ensured to be appropriate during and after decommissioning or disposing of the system.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 85
Integrate SD and RM process (1)• Emphasize on handling risk at the right time for
the right price (as early as possible).
• Make use of MBRA and use models both to describe the system and as input to RA.
Ince
pti
on
Tra
nsi
tion
Ela
bor
atio
nChoose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Ince
pti
on
Tra
nsi
tion
Con
stru
ctio
n
Ela
bor
atio
nChoose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
Ince
pti
on
Tra
nsi
tion
Ela
bor
atio
nChoose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Ince
pti
on
Tra
nsi
tion
Con
stru
ctio
n
Ela
bor
atio
nChoose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
iterate
Choose a part
Architect a part
Analyse a part
Compose in
review risks
and consult
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 86
Integrate SD and RM process (2)Concept1
Overall Scope Definition2
Preliminary Hazard Analysis3
4 Risk Management
Security requirements
4.1 Identify security threats
4.2
Identify consequence
Identify likelihood
4.2.2
Estimate level of risk42.3
Evaluate risk4.2Accept risk
4.1
4.1
Update system description and requirements
Update security requirements
4.3 Analyse Risk
4.2.1
Design5
Implementation6
Testing and Security Validation7
Concept1
Overall Scope Definition2
Preliminary Hazard Analysis3
4 Risk Management
Security requirements
4.1 Identify security threats
4.2
Identify consequence
Identify likelihood
4.2.2
Estimate level of risk42.3
Evaluate risk4.2Accept risk
4.1
4.1
Update system description and requirements
Update security requirements
4.3 Analyse Risk
4.2.1
Design5
Implementation6
Testing and Security Validation7
Concept1
Overall Scope Definition2
Preliminary Hazard Analysis3
4 Risk Management
Security requirements
4.1 Identify security threats
4.2
Identify consequence
Identify likelihood
4.2.2
Estimate level of risk42.3
Evaluate risk4.2Accept risk
4.1
4.1
Update system description and requirements
Update security requirements
4.3 Analyse Risk
4.2.1
Design5
Implementation6
Testing and Security Validation7
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 87
Benefits
• Cost efficient (saving is the game…).
• An integrated part of the development.
• Detailed guidelines.
• Make use of UML (industry standard).
• Time efficient.
• Supports continuously decision-making processes (risk management).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 88
Secure Development of Embedded Systems• Integrated system development and risk
management process.
• Based on IEC61508 and CORAS.
• Using UML to capture non-functional requirements (security and safety).
• Using UML for design.
• Using UML to document results from risk management.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 89
Prototype System of a Production Cell
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 90
Requirements for UML-based Development Processes• Use UML all the way through the process.• Consistent use of UML by everyone involved
(profile?).• Models need to be consistent
– Top-down approach with guidelines on how to transfer information between UML models (preliminary)
– Bottom up approach– Make use of both top-down and bottom-up
approach (as for risk analysis of critical systems).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 91
UML-based SD: Experience• See appendix• Categories of use of UML:• Fri use of UML • UML use regulated by guidelines • Requires use of a UML-tool and a specific set of guidelines
with automatic documentation generation and requirements tracking with the use of the UML-tool
Requires use of a specific UML-tool and a specific set of guidelines with complete code generation (includes requirements tracking) and automatic generation of documentation
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 92
Roadmap
PrologueUMLSafety
SecurityOther relevant UML profilesMBRA and integrated SD processesTool support
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 93
Tool-support: Concepts
Meaning of diagrams stated informally in (OMG 2003).
Ambiguities problem for • tool support
• establishing behavioral properties (safety, security).
Need precise semantics for used part of UML, especially to ensure security requirements.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 94
Formal semantics for UML
• Diagrams in context (using subsystems).
• Model actions and internal activities explicitly.
• Message exchange between objects or components (incl. event dispatching).
• Include failure/adversary model arising from physical environment in deployment diagram.
• Use Abstract State Machines (pseudo-code).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 95
Tool-supported analysis
• Choose drawing tool for UML specifications.
• Commercial modeling tools: so far mainly syntactic checks and code-generation.
• Analyze specifications via XMI (XML
Metadata Interchange).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 96
UML Drawing Tools
Wide range of existing tools.
Consider some, selected under followingCriteria (Shabalin 2002):
• Support for all (UMLsec-) relevant diagram types.• Support for custom UML extensions.• Availability (test version, etc).• Prevalence on the market.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 97
Selected Tools
• Rational Rose. Developed by major participant in development of UML; market leader.
• Visio for Enterprise Architect. Part of Microsoft Developer Studio .NET.
• Together. Often referenced as one of the best UML tools.
• ArgoUML. Open Source Project, therefore interesting for academic community. Commercial variant Poseidon.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 98
Comparison
Evaluated features:
Support for custom UML extensions.
• Model export; standards support; tool interoperability.
• Ability to enforce model rules, detect errors, etc.
• User interface quality.
• Possibility to use the tool for free for academic institutions.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 99
Rational Rose (Rational Software Corporation)
One of the oldest on the market.+ Free academic license.+ Widely used in the industry.+ Export to different XMI versions. Insufficient support for UML extensions (custom stereotypes yes; tags and constraints no).- Limited support for checking syntactic correctness.- Very inconvenient user interface. Bad layout control.- Lack of compatibility between versions and with other Rational products for UML modeling.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 100
Together from TogetherSoft
Widely used in the development community. Very good round-trip engineering between the UML model and the code.
+ Free academic license.+ Written in Java, therefore platform-independent.+ Nice, intuitive user interface.+ Export to different XMI versions; recommendations
which for which tool. - Insufficient support for UML extensions (custom
stereotypes yes; tags and constraints no).
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 101
Visio from Microsoft Corporation
Has recently been extended with UML editing support.
+ Good user interface.+ Full support for UML extensions.+ Very good correspondence to UML standard.
Checks dynamically for syntactic correctness; suggestions for fixing errors.
- No free academic license.- Proprietary, undocumented file format; no export to
XMI or other tools.- No round-trip engineering support. No way back after
code generation.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 102
ArgoUML / Poseidon
ArgoUML: Open Source Project. Commercialextension Poseidon (Gentleware), sameinternal data format.
+ Open Source.+ Written in Java, therefore platform-
independent.+ XMI default model format.+ Solid mature product with good UML
specification support.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 103
Tool-supported analysisCommercial modeling tools: so far mainly
syntactic checks and code-generation.
Goal: more sophisticated analysis; connection to verification tools.
Several possibilities:
• General purpose language with integrated XML parser (Perl, …)
• Special purpose XML parsing language (XSLT, …)
• Data Binding (Castor; XMI: e.g. MDR)
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 104
Data-binding with MDR
• Extracts data from XMI file into Java
Objects, following UML 1.4 meta-model.
• Access data via methods.
• Advantage: No need to worry about
XML.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 105
Definition
• MDR = MetaData Repository– Load and Store a MOF Metamodel– Instantiate and Populate a Metamodel– Generate a JMI (Java Metadata Interface)
Definition for a Metamodel– Access a Metamodel Instance
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 106
UML Processing
MDRMOF
[UML 1.4] UML 1.4
MyUml
MyApp
generate
JMI
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 107
MDR Standards
• MOF (Meta Object Facility) Abstract format for describing metamodels
• XMI (XML Metadata Interchange)Defines XML format for a MOF metamodel
• JMI (Java Metadata Interface)Defines mapping from MOF to Java
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 108
MOF Architecture• Meta-Metamodel (M3)
– defined by OMG• Metamodels (M2)
– user-defined– e.g. UML 1.5, MOF, CWM– can be created with uml2mof
• Business Model (M1)– instances of Metamodels– e.g. UML class diagram
• Information (M0)– instance of model– e.g. implementation of UML
modelled classes in Java
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 109
MOF (Meta Object Facility)
OMG Standard for Metamodeling
Meta-Metamodel
MetaClass, MetaAssociation- MOF Model
MetamodelClass, Attribute, Dependency- UML (as language), CWM
ModelPerson, House, City- UML model
Data(Bob Marley, 1975) (Bonn)- Running Program
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 110
JMI: MOF Interfaces• IDL mapping for
manipulating Metadata– API for manipulating
information contained in an instance of a Metamodel
– MOF is MOF compliant!– Metamodels can be
manipulated by this IDL mapping
– JMI is MOF to Java mapping
– JMI has same functionality
• Reflective APIs– manipulation of
complex information– can be used without
generating the IDL mapping
– MDR has implemented these interfaces
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 111
Netbeans MDR-Explorer• Part of Netbeans IDE• Browse Repositories• Create Instances• Load XMI Data• Generate JMI
Interfaces• Shows
– Extents– Metamodels– Instances
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 112
MDR Repository: Loading Models• Metamodel is
instance of another Metamodel
• Loading Model = Loading Metamodel
• Needed Objects:– MDRepository– MofPackage– XMISaxReaderImpl
• Java Code-Snippet:MDRepository rep;UmlPackage uml;// Objekte erzeugen:rep = MDRManager.getDefault().getDefaultRepository();reader = (XMISaxReaderImpl)Lookup.getDefault().lookup( XmiReader.class);
// loading extent:uml = (UmlPackage)rep.getExtent(„name“);
// creating Extent:uml = (UmlPackage)rep.createExtent(„name“);
// loading XMI:reader.read(„url“, MofPackage);,
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 113
MDR Repository: Reading Data• Requires open
Repository and Package• Requires JMI Interfaces• Problem: where is the
data I need?• To find Objects:
– open Model in MDR-Explorer
– browse to the desired Element
– use the getter Functions to retrieve the element
• Example: Loading UML Class:
Iterator it = uml.getCore().getUmlClass().refAllOfClass().iterator();
while (it.hasNext()) { UmlClass uc =
(umlClass)it.next();
// .. do anything with UmlClass ..
}
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 114
Connection with analysis tool
Industrial CASE tool with UML-like notation: AUTOFOCUS (http://autofocus. informatik.tu-muenchen.de)
• Simulation• Validation (Consistency, Testing, Model Checking)• Code Generation (e.g. Java, C, Ada)• Connection to Matlab
Connect UML tool to underlying analysis engine.
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 115
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 116
Some resourcesBook: Jan Jürjens, Secure Systems
Development with UML, Springer-Verlag, due 2003.
Follow-on Tutorials: June: UMLws (SFO); Sept: FME (Pisa), FDL (Frankfurt), SAFECOMP (Edinburgh), Nov: LADC2003(Sao Paulo)
Special SoSyM issue on Critical Systems Development with UML
More information (slides etc.): http://www4.in.tum.de/~juerjens/csdumltut (user: Participant, password: Iwasthere)
Jürjens and Houmb: Critical System Development using MBRA and UMLsec 117
Finally
We are always interested in industrial challenges for our tools, methods,and ideas to solve practical problems.See http://www4.in.tum.de/~juerjens
Contact me here or via Internet.
Thanks for your attention !