a CSPF is selected and instantiated. CSPFs involve first solution approaches
for the problems described by SPFs. For example, there exists an SPF for the
problem class of confidential transmission of data over an insecure network, and
a CSPF that represents the corresponding solution class of using cryptographic
key-based symmetric encryption to protect such data transmissions.
Each CSPF contains a machine domain, which represents the software to be
developed in order to fulfill the requirement. The environment in which the
software development problem is located is described by problem domains.
According to Jackson [7], we distinguish causal domains that comply with some
physical laws, lexical domains that are data representations, and biddable
domains that are usually people. Each domain has at least one interface. Interfaces
consist of shared phenomena, which may be events, operation calls, messages,
and the like. They are observable by at least two domains, but controlled by only
one domain. Since requirements refer to the environment, requirement references
between the domains and the requirement exist. At least one of these references is
a constraining reference. That is, the domain this constraining reference points
to is influenced by the machine so that the requirement can be fulfilled. We
developed a comprehensive set of SPFs for confidential and integrity-preserving
data transmission and data storage, and authentication problems, and the
corresponding CSPFs that use symmetric and asymmetric encryption, keyed and
non-keyed hashing, digital signatures, and password-based and cryptographic
key-based mechanisms (see [14] for details).
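The structural rules stated above (exactly one machine domain, at least one interface per domain, each shared phenomenon controlled by one domain but observable by at least two, and at least one constraining reference per requirement) can be checked mechanically on a CSPF instance. The following Python is an added example, not code from the paper or from SEPP; the domain and phenomenon names of the confidential-transmission instance are assumed for illustration.

```python
from dataclasses import dataclass
# Domain kinds on this page (after Jackson): one machine plus causal, lexical, biddable.
MACHINE, CAUSAL, LEXICAL, BIDDABLE = "machine", "causal", "lexical", "biddable"

@dataclass
class Phenomenon:
    name: str
    controlled_by: str   # a shared phenomenon is controlled by exactly one domain
    observed_by: set     # but observable by at least two (the controller included)

@dataclass
class ProblemDiagram:
    domains: dict        # domain name -> kind
    phenomena: list
    requirement: str
    references: dict     # domain name -> True for a constraining reference

def check_diagram(d):
    """Return the list of well-formedness violations; [] means well-formed."""
    errors, known = [], set(d.domains)
    if list(d.domains.values()).count(MACHINE) != 1:
        errors.append("exactly one machine domain is required")
    for name in known:   # every domain must have at least one interface
        if not any(name in p.observed_by for p in d.phenomena):
            errors.append(f"domain {name} has no interface")
    for p in d.phenomena:
        if p.controlled_by not in p.observed_by or len(p.observed_by) < 2:
            errors.append(f"phenomenon {p.name} is not shared by two domains")
        if not p.observed_by <= known:
            errors.append(f"phenomenon {p.name} refers to an unknown domain")
    if not set(d.references) <= known:
        errors.append(f"requirement {d.requirement} refers to an unknown domain")
    if not any(d.references.values()):   # at least one constraining reference
        errors.append(f"requirement {d.requirement} constrains no domain")
    return errors

def confidential_transmission():
    """Constructed CSPF instance (assumed names): confidential transmission
    over an insecure network using symmetric encryption."""
    return ProblemDiagram(
        domains={"Crypto": MACHINE, "Sender": BIDDABLE, "Receiver": BIDDABLE,
                 "Network": CAUSAL, "Key": LEXICAL},
        phenomena=[
            Phenomenon("send(data)", "Sender", {"Sender", "Crypto"}),
            Phenomenon("key", "Key", {"Key", "Crypto"}),
            Phenomenon("transmit(cipher)", "Crypto", {"Crypto", "Network"}),
            Phenomenon("deliver(cipher)", "Network", {"Network", "Receiver"})],
        requirement="ConfidentialTransmission",
        # Network is the constrained domain: the machine influences what it carries.
        references={"Sender": False, "Receiver": False, "Network": True})
```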
3 Pattern-Oriented Transition to Secure Architectural Design
This section contains the main scientific contributions of this paper. To proceed
from security requirements analysis following SEPP to the development of secure
software architectures that realize the security requirements, we develop in this
section architectural security patterns. We specify these patterns using UML and
an improved version of the security extension UMLsec, which is introduced in
Sect. 3.1. We describe patterns for security components in Sect. 3.2, and we
present patterns for secure software architectures related to CSPFs in Sect. 3.3.
In Sect. 3.4, we briefly explain the process of instantiating GSAs. Then, we
discuss the composition of different instances of GSAs yielding global secure
software architectures in Sect. 3.5. Finally, we outline an approach to verify
global secure software architectures based on the UMLsec4UML2 profile and
the UMLsec tool suite in Sect. 3.6.
3.1 UMLsec4UML2
In this section, we present an overview of a notation for the specification of
structural as well as behavioral views of architectural security patterns based on
UML. As explained in [11], UML includes special support for modeling software
architectures since version 2.0. For example, the current UML version 2.3
supports typical architectural concepts such as parts, i.e., black-box components,