to GSCs, generic non-security components (GNC) are necessary, which do not realize any security requirements. Instead, they represent auxiliary components for GSCs. Typical examples of GNCs are user interface, driver, and storage management components.
According to [16], the architecture of software is multifaceted: there exists a structural view, a process-oriented view, a function-oriented view, an object-oriented view with classes and relations, and a data flow view on a given software architecture. Hence, we specify each GSC and GNC based on a structural view using UML2.3 class and composite structure diagrams, and control and data flow views using UML2.3 sequence diagrams. We make required and provided interfaces of GSCs and GNCs explicit using sockets, lollipops, and interface classes. After GSCs are instantiated, the process-oriented and object-oriented views can be integrated seamlessly into the structural view. Semantic descriptions of the operations provided and used by the components' interfaces can be expressed as OCL pre- and postconditions.
We use GSCs and GNCs to structure the machine domain of a CSPF. The GSCs and GNCs describe the machine's interfaces to its environment and the machine-internal interfaces, i.e., the interfaces between the GSCs and GNCs. Each CSPF is related to a set of GSCs and GNCs.
Given a CSPF, the following procedure can be applied to construct GSCs and GNCs that help to realize the concretized security requirement of the CSPF:

1. Each interface of the machine with the environment must coincide with an interface of some GSC or GNC.
2. GSCs and GNCs that serve the same purpose can be represented by one such component, e.g., several storage management components can be represented by one storage management component.
3. For each interface between the machine and a biddable or display domain, a user interface component should be used. If the same CSPF contains different interfaces between the machine and a biddable or display domain, user interface components represented by GNCs must be kept separate from user interface components represented by GSCs. For example, a generic non-security user interface component to edit some text should be kept separate from a generic security user interface component to enter a password.
4. For each interface from the machine to a lexical domain, a storage management component should be used. Symbolic phenomena correspond to return values of operations or to getter/setter operations.
5. For each interface of the machine domain with a causal domain, a driver component should be used. Causal phenomena correspond to operations provided by driver components.
6. GSCs adequate to realize the concretized security requirement should be used, such as components for symmetric / asymmetric encryption / decryption, cryptographic key handling, hash calculation, etc.
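The six-step procedure above, carried out mechanically over a constructed CSPF (an added example, not code from the paper; the domain kinds, interface names, the `security` flag and the list of required GSCs are assumptions made for illustration):

```python
from dataclasses import dataclass, field

# Constructed example: derive GSCs and GNCs from the machine interfaces of a
# CSPF following steps 1-6. Domain kinds, interface names and the 'security'
# flag are assumptions, not notation taken from the original method.

@dataclass(frozen=True)
class Interface:
    name: str          # interface of the machine with one environment domain
    domain_kind: str   # "biddable", "display", "lexical" or "causal"
    security: bool     # True if it serves the concretized security requirement

@dataclass
class Component:
    purpose: str                            # "user interface", "driver", ...
    security: bool                          # True -> GSC, False -> GNC
    interfaces: set = field(default_factory=set)

# Steps 3-5: domain kind of the interface determines the component purpose.
PURPOSE_BY_DOMAIN = {"biddable": "user interface", "display": "user interface",
                     "lexical": "storage management", "causal": "driver"}

def derive_components(interfaces, required_gscs):
    """Steps 2-6: one component per (purpose, GSC/GNC) pair, plus the GSCs
    needed for the concretized security requirement."""
    comps = {}
    for itf in interfaces:
        purpose = PURPOSE_BY_DOMAIN[itf.domain_kind]
        # Step 2 merges same-purpose components; step 3 keeps security and
        # non-security components apart, so the merge key includes the flag.
        key = (purpose, itf.security)
        comps.setdefault(key, Component(purpose, itf.security)).interfaces.add(itf.name)
    for gsc in required_gscs:                      # step 6
        comps.setdefault((gsc, True), Component(gsc, True))
    return list(comps.values())

def uncovered_interfaces(interfaces, components):
    """Step 1 as a check: every machine interface must coincide with an
    interface of some GSC or GNC; returns the names that do not."""
    covered = set().union(*(c.interfaces for c in components))
    return sorted(i.name for i in interfaces if i.name not in covered)

def summarize(components):
    """Map (purpose, 'GSC'|'GNC') to the sorted interfaces it realizes."""
    return {(c.purpose, "GSC" if c.security else "GNC"): sorted(c.interfaces)
            for c in components}

# Constructed CSPF: a password-protected text editor.
CSPF = [Interface("enterPassword", "biddable", True),
        Interface("editText", "biddable", False),
        Interface("showText", "display", False),
        Interface("readDocument", "lexical", False),
        Interface("writeDocument", "lexical", False),
        Interface("keyboardInput", "causal", False)]
REQUIRED_GSCS = ["hash calculation", "cryptographic key handling"]
```

Running `summarize(derive_components(CSPF, REQUIRED_GSCS))` yields separate password-entry (GSC) and text-editing (GNC) user interface components, one merged storage management GNC, one driver GNC, and the two requested GSCs, with `uncovered_interfaces` returning an empty list.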
We enrich GSCs with UMLsec4UML2 language elements to express security properties based on the CSPFs the GSCs are related to. Since each CSPF considers at least one asset to be protected against the malicious environment, these