
2011 Fifth International Conference on Secure Software Integration and Reliability Improvement: latest publications

A Feature-Based Modeling Approach for Building Hybrid Access Control Systems
Sangsig Kim, Dae-Kyoo Kim, Lunjin Lu, S. Park, Suntae Kim
Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) are widely used access control models. They are often used together in domains where both data integrity and information flow are concerned. There is much work on combined use of RBAC and MAC policies at the kernel level, which focuses on enforcing hybrid policies at run-time. However, there is little work on techniques for developing hybrid systems of RBAC and MAC from a development perspective. In this work, we present a feature-based modeling approach for developing hybrid access control systems. In the approach, RBAC and MAC are designed in terms of features and features are configured based on requirements. Configured features are then composed to produce a design model that supports hybrid access control. The approach enables systematic development of hybrid systems of RBAC and MAC and reduces development complexity and errors through need-based configuration of features in early development phases. We use a hospital system to demonstrate the approach. Tool support for the approach is also discussed.
DOI: https://doi.org/10.1109/SSIRI.2011.16 (published 2011-06-27)
Citations: 7
Security Goals Assurance Based on Software Active Monitoring
Changzhi Zhao, Wei Dong, M. Leucker, Zhichang Qi
Access control is a vital security mechanism in today's operating systems, and the security policies dictating the security-relevant behaviors are lengthy and complex, for example in Security-Enhanced Linux (SELinux). It is extremely difficult to verify the consistency between the security policies and the security goals desired by applications. In this paper, we present how to predict whether the information flow security goal is violated or not during runtime, how to generate the corresponding control actions on-line when divergence is detected, and how to apply these actions in time based on the software active monitoring technique. The symbolic security information flow model of SELinux is generated from a formalization of the access control mechanism, which can be used to generate the N-step ahead projection of the future behavior. Information flow security goals are expressed in linear temporal logic (LTL), which provides a clear description of the objectives desired by applications. An anticipatory monitor is generated automatically from the LTL formula. We consider an on-line scheme where, after the occurrence of an event, the next control action is determined on the basis of the N-step ahead projection of the future behavior. This procedure is repeated after the occurrence of the next security-relevant event. Thus, a closed-loop system is generated in which all behavior sequences will satisfy the security goals.
DOI: https://doi.org/10.1109/SSIRI.2011.34 (published 2011-06-27)
Citations: 1
Probabilistic Risk Assessment for Security Requirements: A Preliminary Study
Seok-Won Lee
Risk assessment is a critical decision-making process during the Security Certification and Accreditation (C&A) process. However, existing infrastructure-wide C&A processes in the real world are challenged by the ever-increasing complexity of information systems and their diverse socio-technical operational environments. The lack of an explicit model and the associated uncertainties of software behavior are two main reasons that directly impact the effectiveness of risk assessment, as well as the subjective decisions made based on different levels of domain expertise. In this paper, we propose a method for probabilistic model-driven risk assessment of security requirements. The security requirements and their causal relationships are represented using MEBN (Multi-Entity Bayesian Networks) logic, which constructs an explicit formal risk assessment model that supports evidence-driven arguments. The proposed approach is described using real-world C&A scenarios to show not only its feasibility for security requirements risk assessment but also its effectiveness for sensitivity analysis to identify critical influences among information entities in a complex and uncertain operational environment.
DOI: https://doi.org/10.1109/SSIRI.2011.12 (published 2011-06-27)
Citations: 17
Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL
Mirco Kuhlmann, K. Sohr, Martin Gogolla
Organizations with stringent security requirements, like banks or hospitals, frequently adopt role-based access control (RBAC) principles to simplify their internal permission management. Authorization constraints represent a fundamental advanced RBAC concept enabling precise restrictions on access rights. Thereby, the complexity of the resulting security policies increases, so that tool support for comfortable creation and adequate validation is required. We propose a new approach to developing and analyzing RBAC policies using UML for modeling RBAC core concepts and OCL to realize authorization constraints. Dynamic (i.e., time-dependent) constraints, their visual representation in UML and their analysis are of special interest. The approach results in a domain-specific language for RBAC which is highly configurable and extendable with respect to new RBAC concepts and classes of authorization constraints, and allows the developer to validate RBAC policies in an effective way. The approach is supported by a UML and OCL validation tool.
DOI: https://doi.org/10.1109/SSIRI.2011.18 (published 2011-06-27)
Citations: 21
Mutation-Based Evaluation of Weighted Test Case Selection for Firewall Testing
Tugkan Tuglular, Gurcan Gercek
As part of network security testing, an administrator needs to know whether the firewall enforces the security policy as expected or not. In this setting, black-box testing and evaluation methodologies can be helpful. In this paper, we employ a simple mutation operation, namely flipping a bit, to generate mutant firewall policies and use them to evaluate our previously proposed weighted test case selection method for firewall testing. In the previously proposed firewall testing approach, abstract test cases that are automatically generated from firewall decision diagrams are instantiated by selecting test input values from different test data pools for each field of the firewall policy. Furthermore, a case study is presented to validate the proposed approach.
DOI: https://doi.org/10.1109/SSIRI.2011.22 (published 2011-06-27)
Citations: 5
Deriving Data Dependence from/for UML State Machine Diagrams
Hyeon-Jeong Kim, Doo-Hwan Bae, V. Debroy, W. E. Wong
Slicing is a well-known reduction technique in many areas such as debugging, maintenance, and testing, and thus there has been considerable research in the application of slicing techniques to models at the design level. UML state machine diagrams can properly describe the behavior of large software systems at the design level. The slicing of UML state machine diagrams is helpful for their maintenance. But it is difficult to apply a slicing algorithm to automatically reduce the diagrams with respect to slicing criteria, because of the unique properties of these diagrams, such as hierarchy and orthogonality. These properties make constructing a data dependence graph highly complicated. Hierarchy between states leads to implicit paths between states, which may affect data dependence. Also, orthogonality (i.e., parallelism) can cause an intransitivity problem when tracing data dependence. In this paper, we discuss an approach to address such problems. We first construct a control flow graph, which explicitly describes all possible transitions, and a hierarchy graph, which depicts the hierarchical structure of the state machine diagram. Next we retrieve data dependence information and construct a dependence graph across different levels. We also show how data dependence information is retrieved, by virtue of an ATM example.
DOI: https://doi.org/10.1109/SSIRI.2011.19 (published 2011-06-27)
Citations: 5
Automatic Synthesis of Static Fault Trees from System Models
Jianwen Xiang, Kazuo Yanoo, Y. Maeno, Kumiko Tadano
Fault tree analysis (FTA) is a traditional reliability analysis technique. In practice, the manual development of fault trees can be costly and error-prone, especially in the case of fault-tolerant systems, due to inherent complexities such as the various dependencies and interactions among components. Some dynamic fault tree gates, such as Functional Dependency (FDEP) and Priority AND (PAND), have been proposed to model functional and sequential dependencies, respectively. Unfortunately, the potential semantic troubles and limitations of these gates have not been well studied before. In this paper, we describe a framework to automatically generate static fault trees from system models specified with SysML. A reliability configuration model (RCM) and a static fault tree model (SFTM) are proposed to embed the system configuration information needed for reliability analysis and the error mechanism for fault tree generation, respectively. In the SFTM, static representations of functional and sequential dependencies with standard Boolean AND and OR gates are proposed, which can avoid the problems of the dynamic FDEP and PAND gates and can reduce the cost of analysis based on a combinatorial model. A fault-tolerant parallel processor (FTTP) example is used to demonstrate our approach.
DOI: https://doi.org/10.1109/SSIRI.2011.32 (published 2011-06-27)
Citations: 53
A Practical Covert Channel Identification Approach in Source Code Based on Directed Information Flow Graph
Jingzheng Wu, Liping Ding, Yongji Wang, Wei Han
Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches have been presented, they are either experimental or constrained to particular systems. This paper presents a practical approach based on a directed information flow graph, taking advantage of source code analysis. The approach divides the whole system into several independent modules and analyzes them separately. All the shared variables and their caller functions are found in the source code and modeled into directed information flow graphs. When the information flow branches are visible and modifiable to the external interface, a potential covert channel exists. The contributions made in this paper are as follows: a modularized analysis scheme is proved and reduces the identification workload, a directed information flow graph algorithm is presented and used to model the covert channels, more than 30 covert channels have been identified in Linux kernel source code using this scheme, and a typical channel scenario is constructed.
DOI: https://doi.org/10.1109/SSIRI.2011.17 (published 2011-06-27)
Citations: 6
Safe Software: Does It Cost More to Develop?
W. E. Wong, Andrea Demel, V. Debroy, Michael F. Siok
The importance of system safety has intensified in recent years given the ever-growing use of safety-critical systems in avionics, medicine, nuclear energy, and other fields. However, despite the abundance of standards which exist to provide guidance for the development of safe software for safety-critical systems, there is no consensus on how to achieve safety assurance in a cost-effective fashion. This paper reviews five software safety standards: the FAA System Safety Handbook, the US DoD MIL-STD-882D, the UK MoD DEF-STAN 00-56, NASA-STD 8719.13b and the RTCA DO-178B, and evaluates each in terms of cost effectiveness. It provides an overview of several safety-critical projects, ones that have incurred significant cost overruns as well as ones that have produced safety-critical software in a reasonably cost-effective manner. By virtue of discussing such projects we posit that it is possible to develop software, despite significant safety assurance requirements, without necessarily sacrificing cost. Specifically, projects can realize savings by using mature processes and appropriate tools to assist in development of safety-critical software.
DOI: https://doi.org/10.1109/SSIRI.2011.28 (published 2011-06-27)
引用次数: 10
Execution Constraint Verification of Exception Handling on UML Sequence Diagrams
S. Ciraci, Hasan Sözer, M. Aksit, W. Havinga
Exception handling alters the control flow of the program. As such, errors introduced in exception handling code may influence the overall program in undesired ways. To detect such errors early and thereby decrease the programming costs, it is worthwhile to consider exception handling at design level. Preferably, design models must be extended to incorporate exception handling behavior and the control flow must be verified accordingly. Common practices for verification require a formal model and semantics of the design. Defining semantics and manually converting design models to formal models are costly. We propose an approach for verifying exception handling in UML design models, where we extend UML with exception handling notations, define execution and exception handling semantics, and automatically transform UML models to a formal model. The formal model is used for generating execution paths. Constraints are specified (as temporal logic formulas) on execution paths and are verified.
DOI: https://doi.org/10.1109/SSIRI.2011.13. Published 2011-06-27 in 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement. Citations: 1
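To make the path-enumeration-and-check idea in the abstract above concrete, here is an added example; it is not the authors' tool and does not use their UML extension or formal model. It assumes a hypothetical funds-transfer sequence diagram (authorize, then a try region around debit and credit, then commit), models each message as a call that may alternatively raise one of a declared set of exceptions, enumerates every execution path through try/catch/finally, and checks finite-trace temporal constraints on those paths. The two constraints encode the security-relevant failure mode of exception handling: a handler that logs and lets the caller continue to `commit` (fail-open), and a caught exception that is swallowed without rollback or rethrow.

```python
"""Enumerate execution paths of a design model with exception handling and
verify temporal constraints on them (finite-trace LTL semantics).
Added example; the transfer model and exception names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Event = Tuple[str, str]   # ("call", name) | ("throw", exc) | ("catch", exc) | ("propagate", exc)
Trace = Tuple[Event, ...]
Run = Tuple[List[Event], Optional[str]]   # events so far, exception in flight (None = normal flow)


@dataclass
class Call:
    name: str
    raises: Tuple[str, ...] = ()   # each declared exception is an alternative outcome of the message


@dataclass
class Try:
    body: list
    handlers: Dict[str, list] = field(default_factory=dict)
    finally_: list = field(default_factory=list)


def run_steps(steps, runs: List[Run]) -> List[Run]:
    """Execute `steps` from every run; a run with an exception in flight skips the rest."""
    for step in steps:
        next_runs: List[Run] = []
        for events, pending in runs:
            if pending is not None:
                next_runs.append((events, pending))
            elif isinstance(step, Call):
                next_runs.append((events + [("call", step.name)], None))
                for exc in step.raises:
                    next_runs.append((events + [("call", step.name), ("throw", exc)], exc))
            else:
                next_runs.extend(run_try(step, (events, None)))
        runs = next_runs
    return runs


def run_try(t: Try, run: Run) -> List[Run]:
    out: List[Run] = []
    for events, pending in run_steps(t.body, [run]):
        if pending is not None and pending in t.handlers:
            caught = run_steps(t.handlers[pending], [(events + [("catch", pending)], None)])
        else:
            caught = [(events, pending)]          # normal exit, or unhandled exception propagating
        for ev2, pend2 in caught:
            # finally always runs; an exception raised inside it replaces the pending one
            for ev3, pend3 in run_steps(t.finally_, [(ev2, None)]):
                out.append((ev3, pend3 if pend3 is not None else pend2))
    return out


def execution_paths(steps) -> List[Trace]:
    """All complete paths; a path ending with an exception in flight gets a propagate event."""
    paths = []
    for events, pending in run_steps(steps, [([], None)]):
        paths.append(tuple(events + ([("propagate", pending)] if pending else [])))
    return paths


# --- finite-trace temporal operators: a formula is evaluated at position i of trace t ---
Formula = Callable[[Trace, int], bool]

def atom(kind: str, name: Optional[str] = None) -> Formula:
    return lambda t, i: i < len(t) and t[i][0] == kind and (name is None or t[i][1] == name)

def not_(f: Formula) -> Formula: return lambda t, i: not f(t, i)
def or_(f: Formula, g: Formula) -> Formula: return lambda t, i: f(t, i) or g(t, i)
def implies(f: Formula, g: Formula) -> Formula: return lambda t, i: (not f(t, i)) or g(t, i)
def always(f: Formula) -> Formula: return lambda t, i: all(f(t, j) for j in range(i, len(t)))
def eventually(f: Formula) -> Formula: return lambda t, i: any(f(t, j) for j in range(i, len(t)))

def weak_until(f: Formula, g: Formula) -> Formula:
    """f holds at every position before the first g; if g never holds, f holds to the end."""
    def check(t: Trace, i: int) -> bool:
        for j in range(i, len(t)):
            if g(t, j):
                return True
            if not f(t, j):
                return False
        return True
    return check

def verify(paths: List[Trace], constraint: Formula) -> List[Trace]:
    """Counterexamples: the paths on which the constraint does not hold from position 0."""
    return [p for p in paths if not constraint(p, 0)]


# Fail closed: once anything is thrown, commit must not run unless rollback ran first.
FAIL_CLOSED = always(implies(atom("throw"), weak_until(not_(atom("call", "commit")), atom("call", "rollback"))))
# No swallowing: a caught exception must lead to rollback or be propagated to the caller.
NO_SWALLOW = always(implies(atom("catch"), eventually(or_(atom("call", "rollback"), atom("propagate")))))


def transfer_model(fixed: bool):
    """Constructed design. Unfixed: RemoteFailure is logged and the caller commits anyway."""
    if fixed:
        return [Call("authorize", raises=("AuthError",)),
                Try(body=[Call("debit", raises=("InsufficientFunds",)),
                          Call("credit", raises=("RemoteFailure",)), Call("commit")],
                    handlers={"InsufficientFunds": [Call("notifyUser"), Call("rollback")],
                              "RemoteFailure": [Call("logError"), Call("rollback")]})]
    return [Call("authorize", raises=("AuthError",)),
            Try(body=[Call("debit", raises=("InsufficientFunds",)), Call("credit", raises=("RemoteFailure",))],
                handlers={"InsufficientFunds": [Call("notifyUser"), Call("rollback")],
                          "RemoteFailure": [Call("logError")]}),
            Call("commit")]


if __name__ == "__main__":
    for fixed in (False, True):
        paths = execution_paths(transfer_model(fixed))
        for label, c in (("FAIL_CLOSED", FAIL_CLOSED), ("NO_SWALLOW", NO_SWALLOW)):
            for bad in verify(paths, c):
                print(f"fixed={fixed} {label} violated by: {bad}")
```

Run stand-alone, the script prints the single unfixed path on which `credit` raises `RemoteFailure`, the handler only logs, and `commit` still executes; both constraints flag it, and the fixed model yields no counterexamples. Exhaustive enumeration is fine at design-model scale because each message contributes only its declared outcomes; the point is that the constraint is checked on every path, including the ones a reviewer reading the happy-path diagram would not draw.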
Venue: 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement