2012
Conference Paper
Title
Supporting security assurance in the context of evolution: Modular modeling and analysis with UMLsec
Abstract
Developing security-critical software correctly and securely is difficult. To address this problem, there has been a significant amount of work over the last 10 years on model-based development approaches based on the Unified Modeling Language (UML) that aim to raise the trustworthiness of security-critical systems. However, the fact that software continues to evolve on an ongoing basis, even after the implementation has been shipped to the customer, increases the challenge: in principle, the software has to be reverified after each modification, which requires significant effort. In particular, as part of the system evolution, the threat model against which the design has to be verified can change. This requires a modular approach to security assurance, since the threat model has to be substituted independently from the design model. In this paper, we present such an approach based on the extension mechanisms available for UML, in particular the so-called profiles. This modular approach allows us to define analysis models that can be exchanged easily whenever the threat model changes due to system evolution. We demonstrate the approach for a specific security requirement, namely secure information flow.