UMLsec profile
UML profile defining the UMLsec security annotations using the standard UML extension mechanisms.
Security Aspects
secure dependency
Specifies properties of structural interaction data security. It ensures that the security requirements in different parts of a static structure diagram are consistent.
- Threats:
  - Information Disclosure
  - Tampering with Data
secure links
Specifies security requirements of communicated information and properties of used connections. It ensures that the security requirements on the communication dependencies between components are supported by the physical situation, relative to the adversary model under consideration.
- Specification Elements:
  - secure links
  - call
  - send
  - secrecy
  - integrity
- Threats:
  - Information Disclosure
  - Tampering with Data
data security
Data security ensures that security is enforced on the behavior level.
- Specification Elements:
  - data security
  - call
  - send
  - secrecy
  - integrity
- Threats:
  - Information Disclosure
  - Tampering with Data
rbac
Specifies role-based access control to activities.
- Specification Elements:
  - rbac
- Threats:
  - Elevation of Privileges
no down-flow
No sensitive information should be leaked or corrupted due to indirect data flow.
- Specification Elements:
  - no down-flow
  - critical
- Threats:
  - Information Disclosure
  - Tampering with Data
no up-flow
No sensitive information should be leaked or corrupted due to indirect data flow.
- Specification Elements:
  - no up-flow
  - critical
- Threats:
  - Information Disclosure
  - Tampering with Data
guarded access
Specifies access control to objects through guards.
- Specification Elements:
  - guarded
  - guarded access
- Threats:
  - Elevation of Privileges
Specification Elements
secure dependency
The stereotype expresses that the secure dependency property of UMLsec has to hold for the static parts of the annotated subsystem.
call
The <<call>> stereotype from a dependent to an independent class indicates that instances of the dependent class may call operations of the independent class. Therefore, the dependent class knows of instances of the independent class. If the dependency points to an interface, the dependent class may only call operations listed in the corresponding interface specification.
- Applies to:
  - InformationFlow
  - ControlFlow
send
The <<send>> stereotype from a dependent to an independent class indicates that instances of the dependent class may send information to the independent class. Therefore, the dependent class knows of instances of the independent class. If the dependency points to an interface, the dependent class may only access members listed in the corresponding interface specification.
- Applies to:
  - InformationFlow
  - ControlFlow
secrecy
The stereotype expresses that secrecy is assumed for the information communicated over an annotated Dependency.
- Applies to:
  - InformationFlow
  - ControlFlow
integrity
The stereotype expresses that integrity is assumed for the information communicated over an annotated Dependency.
- Applies to:
  - InformationFlow
  - ControlFlow
high
The stereotype expresses that high sensitivity is assumed for the information communicated over an annotated Dependency.
- Applies to:
  - InformationFlow
  - ControlFlow
encrypted
The stereotype expresses that the annotated connection is assumed to be encrypted.
- Applies to:
  - Connection
wire
The stereotype expresses that the annotated connection is assumed to be a direct physical wire.
- Applies to:
  - Connection
Internet
The stereotype expresses that the annotated connection is assumed to be over the Internet.
- Applies to:
  - Connection
LAN
The stereotype expresses that the annotated connection is assumed to be in a LAN.
- Applies to:
  - Node
critical
The stereotype indicates a critical object. The security requirements are represented through the tagged values of the <<critical>> stereotype.
- Applies to:
  - Entity
secure links
The stereotype expresses that the secure links property of UMLsec has to hold for the components and communication dependencies in the annotated subsystem.
- Applies to:
  - Component
  - Connection
rbac
The stereotype expresses that role-based access control must be enforced.
- Applies to:
  - Activity
no down-flow
The stereotype expresses that no sensitive information should be leaked or corrupted due to indirect data flow.
- Applies to:
  - InformationFlow
no up-flow
The stereotype expresses that no sensitive information should be leaked or corrupted due to indirect data flow.
- Applies to:
  - InformationFlow
guarded access
The stereotype expresses that access to the objects in a subsystem should be secured via access control using guard objects.
- Applies to:
  - Entity
guarded
The stereotype expresses that the object must be guarded.
- Applies to:
  - Entity
data security
The stereotype expresses that the behavior specified in the annotated subsystem must respect data security.
- Applies to:
  - Activity