MDSE@R: Model-driven security engineering at runtime

Mohamed Almorsy, John Grundy, Amani S. Ibrahim

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

11 Citations (Scopus)

Abstract

New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications.

Original languageEnglish
Title of host publicationCyberspace Safety and Security - 4th International Symposium, CSS 2012, Proceedings
Pages279-295
Number of pages17
Volume7672 LNCS
DOIs
Publication statusPublished - 2012
Externally publishedYes
Event4th International Symposium on Cyberspace Safety and Security, CSS 2012 - Melbourne, VIC, Australia
Duration: 12 Dec 201213 Dec 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7672 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference4th International Symposium on Cyberspace Safety and Security, CSS 2012
CountryAustralia
CityMelbourne, VIC
Period12/12/1213/12/12

Keywords

  • aspect-oriented programming
  • domain-specific visual languages
  • model-driven engineering
  • Security engineering

Cite this