Domain-Specific Languages for Model-Driven Security Engineering


Type Dissertation Project

Funding Bodies
  • FFG

Duration Dec. 1, 2011 - Nov. 30, 2013

http://nm.wu.ac.at/modsec
  • Information Systems and New Media IN
  • Hoisl, Bernhard (Former researcher) Project Head


Abstract (translated from German)

Security problems and vulnerabilities in software products are a ubiquitous problem in our technology-based society. Every day, many different kinds of software are used (on mobile phones, on the Internet, in companies, for the state, etc.). Confidence-building measures are therefore a must. In existing software development processes, however, too little attention is paid to finding security problems and to testing security-relevant parts of software. Security features are mostly added ad hoc and only in the rarest cases are they systematically included in the design of software from the beginning. Because of tight production cycles and the resulting costs, the time needed for tests is usually underestimated. The result is error-prone and insecure software. Studies show that errors found and eliminated early in the software development process are considerably cheaper for a company. Nevertheless, security problems still receive too little attention, especially at the beginning of software modeling.

In the planned ModSec project we use the concept of domain-specific languages to specify security requirements of business processes at the modeling level and ensure an automated and consistent transformation to the system level (executable software artifacts). This ensures that applicable policies and constraints are mapped correctly in the software system. The main goal of the project is, on the one hand, the integration of different process-based domain-specific languages in the security domain and, on the other hand, the creation of test cases to ensure that developed software artifacts satisfy the same policies at the model and system level.

Our model-driven security approach to software development is intended to enable a development cycle that takes security aspects into account from the beginning. The research carried out in the ModSec project should therefore help to minimize both the risks of security-critical processes and security vulnerabilities in software systems. The results of the project will be new methods, concepts, and software artifacts based on domain-specific languages in the area of model-driven software development for security aspects.


Abstract (English)

Security issues in software systems have become a major problem in everyday life, affecting software end users, companies, and governments, to name just a few. Current software engineering processes do not emphasize the modeling and design of security properties of software artifacts. Security features are often integrated in an ad-hoc manner and are not planned systematically. Furthermore, security software tests may be skipped due to tight software delivery cycles. Research has repeatedly shown that eliminating errors early in the software development process is far cheaper than fixing security holes at a later stage or in productive systems. However, little effort is put into creating processes that take security concerns into account from the beginning of software development.


In the ModSec project we build on the concept of Domain-Specific Languages (DSLs) for specifying security requirements in business processes on the modeling level and automatically transform these models to the system level. In doing so, we emphasize the integration and testing of different security- and process-related DSLs to ensure compliance of model- and system-level implementations.


The proposed approach should allow for a software development cycle considering security aspects in software engineering processes right from the beginning. Thus, research done in the ModSec project will help to minimize the risk of security issues emerging from the development of process-aware information systems. The outcome will be new methods, concepts, and software artifacts in the area of DSL-based Model-Driven Security Engineering (MDSE).

Publications

Journal article

2016 Torre, Damiano, Labiche, Yvan, Genero, Marcela, Elaasar, Maged, Das, Tuhin Kanti, Hoisl, Bernhard, Kowal, Matthias. 2016. 1st International Workshop on UML Consistency Rules (WUCOR 2015): Post workshop report. ACM SIGSOFT Software Engineering Notes 41 (2), 34-37.
  Sobernig, Stefan, Hoisl, Bernhard, Strembeck, Mark. 2016. Extracting Reusable Design Decisions for UML-based Domain-specific Languages: A Multi-Method Study. Journal of Systems and Software 113, 140-172.
2014 Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2014. Modeling and Enforcing Secure Object Flows in Process-driven SOAs: An Integrated Model-driven Approach. Software and Systems Modeling 13 (2): 513-548.

Chapter in edited volume

2015 Hoisl, Bernhard, Hu, Zhenjiang, Hidaka, Soichiro. 2015. Towards Bidirectional Higher-Order Transformation for Model-Driven Co-evolution. In: Communications in Computer and Information Science (CCIS), ed. S. Hammoudi, L. F. Pires, J. Filipe, and R. C. das Neves, pp. 153-167. Cham: Springer International Publishing.

Contribution to conference proceedings

2016 Hoisl, Bernhard and Sobernig, Stefan. 2016. Open-Source Development Tools for Domain-Specific Modeling: Results from a Systematic Literature Review. In Proceedings of the 49th Hawaii International Conference on System Sciences (HICSS), ed. T. X. Bui and R. H. Sprague, Jr., pp. 5001-5010. Washington, D.C.: IEEE Computer Society Press.
2015 Hoisl, Bernhard, Sobernig, Stefan. 2015. Consistency Rules for UML-based Domain-specific Language Models: A Literature Review. In Proceedings of the 1st International Workshop on UML Consistency Rules (WUCOR), ed. D. Torre, Y. Labiche, M. Genero, M. Elaasar, pp. 29-36. Aachen: CEUR Workshop Proceedings.
  Hoisl, Bernhard, Sobernig, Stefan. 2015. Towards Benchmarking Evolution Support in Model-to-Text Transformation Systems. In Proceedings of the 4th Workshop on the Analysis of Model Transformations (AMT), ed. J. Dingel, S. Kokaly, L. Lúcio, R. Salay, and H. Vangheluwe, pp. 16-25. Aachen: CEUR Workshop Proceedings.
2014 Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2014. Comparing Three Notations for Defining Scenario-based Model Tests: A Controlled Experiment. In Proceedings of the 9th International Conference on the Quality of Information and Communications Technology (QUATIC), ed. A. R. da Silva, A. R. Silva, M. A. Brito, and R. J. Machado, pp. 95-104. Washington, D.C.: IEEE Computer Society Press.
  Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2014. Natural-language Scenario Descriptions for Testing Core Language Models of Domain-Specific Languages. In Proceedings of the 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), ed. L. F. Pires, S. Hammoudi, J. Filipe, and R. C. das Neves, pp. 356-367. Setubal: SciTePress.
  Hoisl, Bernhard, Hu, Zhenjiang, Hidaka, Soichiro. 2014. Towards Co-Evolution in Model-driven Development via Bidirectional Higher-Order Transformation. In Proceedings of the 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), ed. L. F. Pires, S. Hammoudi, J. Filipe, and R. C. das Neves, pp. 466-471. Setubal: SciTePress.
2013 Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2013. Higher-Order Rewriting of Model-to-Text Templates for Integrating Domain-specific Modeling Languages. In Proceedings of the 1st International Conference on Model-Driven Engineering and Software Development (MODELSWARD), ed. N.N., pp. 49-61. Setubal: SciTePress.
  Hoisl, Bernhard. 2013. Towards Testing the Integration of MOF/UML-based Domain-specific Modeling Languages. In Proceedings of the 8th IASTED International Conference on Advances in Computer Science (ACS), ed. K. Piromsopa and P. Bhattarakosol, pp. 314-323. Calgary: ACTA Press.
  Sobernig, Stefan, Hoisl, Bernhard, Strembeck, Mark. 2013. Requirements-driven Testing of Domain-specific Core Language Models using Scenarios. In Proceedings of the 13th International Conference on Quality Software (QSIC), ed. A. Gotlieb and Z. Chen, pp. 163-172. Washington, D.C.: IEEE Computer Society Press.
2012 Hoisl, Bernhard, Strembeck, Mark, Sobernig, Stefan. 2012. Towards a Systematic Integration of MOF/UML-based Domain-specific Modeling Languages. In Proceedings of the 16th IASTED International Conference on Software Engineering and Applications (SEA), ed. M. H. Hamza, pp. 337-344. Calgary: ACTA Press.
  Hoisl, Bernhard, Sobernig, Stefan, Schefer-Wenzl, Sigrid, Strembeck, Mark, Baumgraß, Anne. 2012. Design Decisions for UML and MOF based Domain-specific Language Models: Some Lessons Learned. In Proceedings of the 2nd Workshop on Process-based approaches for Model-Driven Engineering (PMDE), ed. H. Störrle, G. Botterweck, M. Bourdellès, D. Kolovos, R. Paige, E. Roubtsova, J. Rubin, and J.-P. Tolvanen, pp. 303-314. Kgs. Lyngby: Technical University of Denmark (DTU).
  Hoisl, Bernhard, Strembeck, Mark. 2012. A UML Extension for the Model-driven Specification of Audit Rules. In Proceedings of the 2nd International Workshop on Information Systems Security Engineering (WISSE), ed. M. Bajec and J. Eder, pp. 16-30. Berlin: Springer.
2011 Hoisl, Bernhard, Strembeck, Mark. 2011. Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models. In Proceedings of the 14th International Conference on Business Information Systems (BIS), ed. W. Abramowicz, pp. 278-289. Berlin: Springer.
  Hoisl, Bernhard, Sobernig, Stefan. 2011. Integrity and Confidentiality Annotations for Service Interfaces in SoaML Models. In Proceedings of the International Workshop on Security Aspects of Process-aware Information Systems (SAPAIS), ed. N.N., pp. 673-679. Washington, D.C.: IEEE Computer Society Press.

Paper presented at an academic conference or symposium

2016 Hoisl, Bernhard. 2016. Open-Source Development Tools for Domain-Specific Modeling: Results from a Systematic Literature Review. 49th Hawaii International Conference on System Sciences (HICSS), Kauai, United States/USA, 05.01.-08.01.
2015 Hoisl, Bernhard. 2015. Consistency Rules for UML-based Domain-specific Language Models: A Literature Review. 1st International Workshop on UML Consistency Rules (WUCOR), Ottawa, Canada, 28.09.-28.09.
  Hoisl, Bernhard. 2015. Towards Benchmarking Evolution Support in Model-to-Text Transformation Systems. 4th Workshop on the Analysis of Model Transformations (AMT), Ottawa, Canada, 28.09.-28.09.
2014 Hoisl, Bernhard. 2014. Comparing Three Notations for Defining Scenario-based Model Tests: A Controlled Experiment. 9th International Conference on the Quality of Information and Communications Technology (QUATIC), Guimarães, Portugal, 23.09.-26.09.
  Hoisl, Bernhard. 2014. Towards Co-Evolution in Model-driven Development via Bidirectional Higher-Order Transformation. 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), Lisbon, Portugal, 07.01.-09.01.
2013 Hoisl, Bernhard. 2013. Requirements-driven Testing of Domain-specific Core Language Models using Scenarios. 13th International Conference on Quality Software (QSIC), Nanjing, China, 29.07.-30.07.
  Hoisl, Bernhard. 2013. Scenario-driven Testing of Security-related Domain-specific Language Models. ACM SIGSAC Chapter Vienna/OCG Arbeitskreis IT-Sicherheit: 3rd Young Researcher's Day, Vienna, Austria, 25.06.
  Hoisl, Bernhard. 2013. Towards Testing the Integration of MOF/UML-based Domain-specific Modeling Languages. 8th IASTED International Conference on Advances in Computer Science (ACS), Phuket, Thailand, 10.04.-12.04.
2012 Hoisl, Bernhard. 2012. Modeling and Enforcing Secure Object Flows in Process-driven SOAs: An Integrated Model-driven Approach. OCG Arbeitskreis IT-Sicherheit: 2nd Young Researcher's Day, Vienna, Austria, 29.11.
  Hoisl, Bernhard. 2012. Towards a Systematic Integration of MOF/UML-based Domain-specific Modeling Languages. 16th IASTED International Conference on Software Engineering and Applications (SEA), Las Vegas, United States/USA, 12.11.-14.11.
  Hoisl, Bernhard. 2012. Design Decisions for UML and MOF based Domain-specific Language Models: Some Lessons Learned. 2nd Workshop on Process-based approaches for Model-Driven Engineering (PMDE) at the 8th European Conference on Modelling Foundations and Applications (ECMFA), Copenhagen, Denmark, 02.07.-05.07.
  Hoisl, Bernhard. 2012. A UML Extension for the Model-driven Specification of Audit Rules. 2nd International Workshop on Information Systems Security Engineering (WISSE) at the 24th International Conference on Advanced Information Systems Engineering (CAiSE), Gdańsk, Poland, 25.06.-29.06.
2011 Hoisl, Bernhard. 2011. Integrity and Confidentiality Annotations for Service Interfaces in SoaML Models. International Workshop on Security Aspects of Process-aware Information Systems (SAPAIS) at the 6th International Conference on Availability, Reliability and Security (ARES), Vienna, Austria, 22.08.-26.08.
  Hoisl, Bernhard. 2011. Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models. 14th International Conference on Business Information Systems (BIS), Poznań, Poland, 15.06.-17.06.

Poster presented at an academic conference or symposium

2014 Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2014. Natural-language Scenario Descriptions for Testing Core Language Models of Domain-Specific Languages. 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), Lisbon, Portugal, 07.01.-09.01.
2013 Hoisl, Bernhard, Strembeck, Mark. 2013. Evaluating Design Decisions for Security-related Domain-specific Modeling Languages. Secure Business Austria Research (SBA Research) Evaluation, Vienna, Austria, 10.06.-11.06.
2012 Hoisl, Bernhard, Strembeck, Mark. 2012. Integrated Model-driven Security: From Business Processes to Software Services. Secure Business Austria Research (SBA Research) Evaluation, Vienna, Austria, 11.06.

Working/discussion paper, preprint

2016 Hoisl, Bernhard and Sobernig, Stefan. 2016. A Survey on Documenting and Using Design Rationale when Developing Domain-specific Modeling Languages. Technical Reports / Institute for Information Systems and New Media, 2016/01. WU Vienna University of Economics and Business, Vienna.
2014 Hoisl, Bernhard, Sobernig, Stefan, Strembeck, Mark. 2014. A Catalog of Reusable Design Decisions for Developing UML/MOF-based Domain-specific Modeling Languages. Technical Reports / Institute for Information Systems and New Media, 2014/03. WU Vienna University of Economics and Business, Vienna.
  Sobernig, Stefan, Hoisl, Bernhard, Strembeck, Mark. 2014. Protocol for a Systematic Literature Review on Design Decisions for UML-based DSMLs. Technical Reports / Institute for Information Systems and New Media, 2014/02. WU Vienna University of Economics and Business, Vienna.
2012 Hoisl, Bernhard, Sobernig, Stefan, Schefer-Wenzl, Sigrid, Strembeck, Mark, Baumgraß, Anne. 2012. A Catalog of Reusable Design Decisions for Developing UML- and MOF-based Domain-Specific Modeling Languages. Technical Reports / Institute for Information Systems and New Media, 2012/01. WU Vienna University of Economics and Business, Vienna.

Dissertation

2014 Hoisl, Bernhard. 2014. Integration and Test of MOF/UML-based Domain-specific Modeling Languages. Dissertation, WU Vienna University of Economics and Business.

Magazine/newspaper article

2012 Hoisl, Bernhard. 2012. Sicherheitskonzepte in der modellgetriebenen Softwareentwicklung. Forschungsnewsletter der Wirtschaftsuniversität Wien, 06.03.