A Resource-based Approach to Extend UML Diagrams for Web Applications

Lin Deng, Weifeng Xu, Stephen Frezza
Department of Computer and Information Science
Gannon University
Erie, Pennsylvania, USA
{deng001, xu001, frezza001}@gannon.edu

Abstract—Web applications will behave unexpectedly, contrary to their original UML diagrams and specifications, if they are attacked. These attacks always exploit vulnerabilities of web applications that lack sufficient protection of their web resources. The paper proposes a resource-based approach to extend UML diagrams for web applications. The goal of the research is, by integrating web resources into UML diagrams, to seek a systematic framework for requirement analysis from the perspective of web resources. First, we formalize the use case specification and conduct lexical analysis on event flows. Then, we identify and organize different types of web resources according to the results of the lexical analysis. After that, attributes of web resources are integrated into a static UML diagram, i.e., the class diagram. Finally, a dynamic UML diagram, i.e., the sequence diagram, is extended by tagging related web resources on each action and object. These extended UML diagrams enable security analysts to further investigate vulnerabilities of web applications in terms of web resources, and help to generate security requirements.

Keywords-requirement engineering, security requirements, web resources, use case specification, Unified Modeling Language

I. INTRODUCTION

Networks and web applications greatly facilitate people’s daily lives. However, they not only bring convenience to society, but also expose individuals to an increasing number of security attacks. These attacks can threaten our privacy, cause financial loss, and affect the reputation of business organizations. Normally, attacks exploit vulnerabilities of web resources to achieve their malicious goals. A web resource is a resource identified by a Uniform Resource Identifier (URI), residing on the Internet, that can be accessed using any implemented version of HTTP as part of the protocol stack (or its equivalent), either directly or via an intermediary [3]. According to IBM, the first half of 2010 saw at least a 55% increase in disclosed vulnerabilities of web applications compared with 2009 [1]. Consequently, in order to generate security requirements and appropriately protect web applications, we have conducted research on identifying and organizing web resources [2][10]. Analyzing requirements and security issues based on web resources is a new perspective, especially for web applications.

The motivation of our research is to seek an effective methodology to extend UML diagrams to facilitate the analysis of security requirements from the perspective of the web resources of web applications, especially in the early phase of the system lifecycle. More specifically, building on our previous research [2][10], after formalizing the use case specification and deriving web resources, this paper focuses on integrating them into the representations of different classic UML diagrams, e.g. the sequence diagram and the class diagram. Our ultimate goal is, by highlighting web resources in UML models, to generate security requirements, to protect resources from possible attacks, and to keep web applications running smoothly. The rest of this paper is organized as follows: Section II goes through related work, Section III describes the details of the approach, Section IV presents a case study, and Section V discusses the future work and concludes the paper.

II. RELATED WORK

Several papers have been published on extending UML models and/or applying UML models to support security analysis. Jürjens proposes an extension of UML called UMLsec in order to aid the development of security-critical systems [8][9]. It provides a framework that is based on integrating security information with the specification of the system in terms of UML diagrams. Unlike the established rules and complicated constraints of UMLsec, our research focuses on extending UML from the perspective of web resources, which is more closely related to the causes of vulnerabilities of web applications.

Another dominant type of UML extension is the misuse case, which is widely applied to eliciting security requirements [4][5][7]. In addition to the original use case diagram, a misuse case can describe the malicious activities of attackers who intend to compromise web applications, and the relationships between these malicious activities and the original use case. The misuse case has advantages, including its visual explicitness, understandability, and simplicity to draw, and disadvantages, including that it can only represent high-level threats without the detailed process and that it is inconvenient to reuse [6]. Therefore, our approach directly adopts the use case as the basis of analysis, in order to avoid these drawbacks of the misuse case and to provide a relatively direct and simple way of investigation.
978-1-4244-9761-4/11/$26.00 ©2011 IEEE
Figure 1. Use case specification of Order Item
III. APPROACH
Basically, the proposed approach for extending UML diagrams consists of formalizing the use case specification, identifying and organizing web resources, and integrating them into extended UML diagrams. The main activities are briefly described below:

a. Formalizing use case specification and extracting event flow information. Specify a candidate use case and conduct lexical analysis on event flows. [2]

b. Identifying, organizing resources and corresponding attributes. Extract explicit resources (resources that explicitly exist in the use case specification), and apply heuristics to elicit implicit resources (resources that are not shown in the event flows but perform functions during the fulfillment of actions). Organize them into different categories, and identify attributes of resources. [10]

c. Integrating resources into extended UML diagrams. From static and dynamic perspectives, integrate different types of web resources and their attributes into UML diagrams, i.e., the class diagram and the sequence diagram.

In our previous research [2][10], we have described in detail the process of formalizing the use case specification and extracting key information from event flows. For example, Figure 1 is a candidate use case specification. We conduct lexical analysis on each event flow, and extract three categories of key information: event initiator, initiated intention, and receiving objects. The results of the lexical analysis on Event 1 and 2 are listed on the right side of the use case specification. Given these as the input, each subsequent step of our approach will be discussed in detail.
A. Identifying, organizing resources and corresponding attributes.

As we have stated in [2][10], web resources can be categorized into different types. Basically, as shown in Figure 2, web resources are classified into property resource (PR), command resource (CR) and implicit resource (IMR):
• Property resource (PR): receiving objects identified in the lexical analysis on event flows, including independent PR (IPR) and dependent PR (DPR). IPRs are those resources that can be independently accessed or manipulated by initiators, e.g. item, order, etc. DPRs are composite objects whose complete behaviors must depend on the support of other resources, most of the time implicit resources. For example, a shopping cart cannot work without the support of implicit resources, such as a session or cookie attached to it. Some explicit property resources may have additional attributes that indicate supplementary information about the resource. For example, item is an IPR with attributes of name and price.

• Command resource (CR): initiated intentions executed by an initiator to realize the event flow. For example, update, add, and calculate are command resources.

• Implicit resources (IMR): those resources that are not explicitly shown in the use case specification, but provide indispensable support for the fulfillment of the event flow and the implementation of explicit resources. For example, item is an IPR which has some implicit resources, such as name, price and quantity. The object shopping cart is a DPR and is identified by session and/or cookies.
Figure 2. Web resource categorization
B. Integrating resources into extended UML diagrams.

In our previous research paper [10], we systematically described the approach of identifying implicit resources heuristically, according to an extended STRIDE model. For example, for “customer” extracted in Figure 1, it is concluded that “cookie”, “URL”, and “credential parameter” of customers are implicit resources that are invisible in the use case specification but need to be protected from attacks.

Once web resources have been identified, we can integrate them into classic UML diagrams in order to further facilitate the analysis of requirements, especially for security purposes. Initially, we consider integrating from two perspectives: static and dynamic.

1) Integrate web resources into static diagram:

The static perspective is much more common and easy to understand. The class diagram is a typical static diagram that we can further analyze. Given that explicit resources are identified, it is feasible that some of them can be converted into a class diagram associated with their attributes. For example, as shown in Figure 3, item and order are two classes converted from explicit resources of the use case in Figure 1. It is not difficult to imagine that name, price, and description are attributes of item.

Figure 3. Class diagram of Item and Order

2) Integrate web resources into dynamic diagram:

However, the static perspective, e.g., the class diagram, is insufficient to represent the whole process during the execution of actions, as these actions are dynamic and complicated. Take Event 1 and 2 in Figure 1 as an example: the execution of these two events may involve a number of resources in terms of several sub-events. Consequently, the sequence diagram dynamically and appropriately demonstrates these sub-events (Figure 4).

Figure 4. Sequence diagram of Event 1 and 2

As shown in Figure 4, the “customer” adds the “item” to the “shopping cart”; the “system” retrieves necessary information from the “database” and returns information to the “shopping cart”; finally, the “shopping cart” is updated and represented to the “customer”.

The original sequence diagram, however, merely emphasizes the flow of actions without paying much attention to the web resources involved in actions, and web resources play a vital role in the execution of actions. As we have mentioned before, a large portion of attacks will target these web resources, in order to make the system perform undesirable behaviors against its use case specification. Therefore, since we have already identified web resources from the use case specification [10], it is feasible to integrate them into the sequence diagram. In Figure 5, we extend the sequence diagram by showing resources in the format of beside actions and objects. In this way, the functions performed by web resources are represented much more clearly. As can be seen, “customer” requires resources of “Session” and/or “URL Credential”, and “shopping cart” needs “Cookie” to implement.

Figure 5. Extended sequence diagram of Event 1 and 2

IV. CASE STUDY

In this section, a detailed case study will be analyzed, in order to further illustrate our approach. We still analyze the use case provided in Section III (Figure 1), since the online shopping system is one of the most popular web applications on the Internet, and it always becomes the target of malicious attackers, as it involves financial transactions and a large amount of user privacy. Table 1 demonstrates the results of identification of web resources. For example, the actions of add item and check out (CRs) require URL as the IMR. Also, the customer (DPR) requires Cookie, Session and/or URL Credential as the IMR.

Table 1. Results of identification of web resources
(Column headings: Explicit Resource; T of Implicit Resource; Tag. Only the Explicit Resource entries are recoverable.)

Explicit Resource
• Add, enter, check out
• Shopping Cart
• Update, display, calculate, recalculate
• Provide, pay
• Item (quantity, name, price)
• Total amount, discount
• Shipping address, payment
• Customer
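The tagging step of Section III.B, applied to the case-study mappings, as an added example that is not code from the paper. The square-bracket tag notation, the sample steps, and the choice to attach “Input” and “User Privacy” to the provide command are assumptions made here.

```python
# Explicit resource -> implicit resources (IMRs), taken from the paper's prose.
IMPLICIT = {
    "customer": ["Cookie", "Session", "URL Credential"],  # DPR
    "shopping cart": ["Cookie"],                           # DPR
    "add": ["URL"],                                        # CR
    "check out": ["URL"],                                  # CR
    "provide": ["Input", "User Privacy"],                  # CR (assumed attachment)
}

# Constructed sample: (initiator, command, receiver) triples in the shape
# produced by the lexical analysis of event flows.
STEPS = [
    ("customer", "add", "shopping cart"),
    ("system", "retrieve", "database"),
    ("system", "update", "shopping cart"),
    ("customer", "check out", "order"),
    ("customer", "provide", "credit card information"),
]

def tag_step(step):
    """Attach the known implicit resources to each element of one message."""
    return [(name, IMPLICIT.get(name.lower(), [])) for name in step]

def render(step):
    """One sequence-diagram message with tags in square brackets (assumed notation)."""
    parts = []
    for name, tags in tag_step(step):
        parts.append(name + (" [" + ", ".join(tags) + "]" if tags else ""))
    return "{} -> {} : {}".format(parts[0], parts[2], parts[1])

def requirements(steps):
    """Map each implicit resource to the 1-based steps that depend on it."""
    needed = {}
    for i, step in enumerate(steps, 1):
        for _, tags in tag_step(step):
            for tag in tags:
                if i not in needed.setdefault(tag, []):
                    needed[tag].append(i)
    return needed

def untagged(steps):
    """Steps where no element has a known IMR: candidates for analyst review."""
    return [i for i, s in enumerate(steps, 1) if not any(t for _, t in tag_step(s))]

if __name__ == "__main__":
    for s in STEPS:
        print(render(s))
    for res, where in sorted(requirements(STEPS).items()):
        print("Protect {} (steps {})".format(res, where))
    print("Review for missing implicit resources: steps", untagged(STEPS))
```

Steps returned by untagged() are messages for which no implicit resource has been identified yet, which is where the heuristic elicitation of step b would be revisited.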
Then, according to the use case specification (Figure 1), we can draw a complete sequence diagram and integrate resources into it as tags (Figure 6). From this extended sequence diagram, it is convenient to generate security requirements. For example, when “the customer provides credit card information”, the system must protect Input and User Privacy (IMPs).

V. CONCLUSION AND DISCUSSION

The paper presents a resource-based approach to extend UML diagrams for security purposes. Primarily, our research only considers the case in which vulnerabilities are due to the possible exploitation of web resources by malicious attackers. So the objective of the paper is to integrate web resources into different UML diagrams, in order to further analyze and generate security requirements for web applications on preventing possible attacks.

The contributions of our research include proposing an effective mechanism for formalizing and analyzing the use case specification, and extending UML diagrams based on web resources, from static and dynamic perspectives, to facilitate security analysis.

For future work, we plan to continue our research on extending other UML diagrams, and to propose a complete resource-based framework for generating security requirements from them. The ultimate goal of our research is to construct an integrated framework that can not only elicit security requirements, but also generate test cases for verifying and validating web applications.
Figure 6. Extended sequence diagram

REFERENCES

[1] IBM X-force research and development teams, “IBM X-Force 2010 Mid-Year Trend and Risk Report”.
[2] W. Xu, L. Deng, Y. Liu, “A Resource-based Approach to Formalize Use Case Specification for Web Applications”, in Proceedings of IEEE International Conference on Progress in Informatics and Computing, 2010.
[3] http://www.w3.org/1999/05/WCA-terms/#Corre
[4] G. Sindre and A. L. Opdahl, “Eliciting security requirements with misuse cases”, Requirements Engineering, Vol. 10, No. 1, Jan. 2005, pp. 34-44.
[5] A. Opdahl, G. Sindre, “Experimental comparison of attack trees and misuse cases for security threat identification”, Information and Software Technology, Vol. 51, 2009, pp. 916-932.
[6] M. Diallo, J. Romero-Mariona, S. Sim, D. Richardson, “A comparative evaluation of three approaches to specifying security requirements”, in Proceedings of the REFSQ’06, Luxembourg, 2006.
[7] T. Stålhane and G. Sindre, “A Comparison of Two Approaches to Safety Analysis Based on Use Cases”, in Proceedings of Conceptual Modeling-ER’2007, Lecture Notes in Computer Science, Vol. 4801, 2007, pp. 423-437.
[8] J. Jürjens, “UMLsec: Extending UML for Secure Systems Development”, in Proceedings of the 5th International Conference on The Unified Modeling Language, Dresden, Sep. 30 - Oct. 4, 2002.
[9] J. Jürjens, “Using UMLsec and Goal-Trees for Secure Systems Development”, in Proceedings of the 2002 ACM symposium on Applied computing, Madrid, Mar. 10-14, 2002.
[10] L. Deng, W. Xu, “Deriving Implicit Resources from Extended STRIDE Model for Web Requirements Analysis”, unpublished.