File(s) under permanent embargo
MDSE@R: model-driven security engineering at runtime
conference contribution
posted on 2012-12-26, 00:00 authored by M Almorsy, John Grundy, Amani IbrahimNew security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications.
History
Event
Cyberspace Safety and Security. International Symposium (4th : 2012 : Melbourne, Victoria)Volume
7672Series
Lecture Notes in Computer SciencePagination
279 - 295Publisher
SpringerLocation
Melbourne, VictoriaPlace of publication
Berlin, GermanyPublisher DOI
Start date
2012-12-12End date
2012-12-13ISSN
0302-9743eISSN
1611-3349ISBN-13
9783642353611Language
engPublication classification
E Conference publication; E1.1 Full written paper - refereedCopyright notice
2012, SpringerEditor/Contributor(s)
Y Xiang, J Lopez, C Kuo, W ZhouTitle of proceedings
CSS 2012 : Proceedings of the 4th International Symposium on Cyberspace Safety and SecurityUsage metrics
Categories
No categories selectedKeywords
Licence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC