13 research outputs found

    An Extension of Class Diagram to Model the Structure of Context-Aware Systems

    Context-aware systems (CASs) have become a reality thanks to the development of smart software and hardware to assist users in various real-life activities. The proliferation of context-aware services has led to the emergence of environments where services are made available for use anywhere and at any time. CASs have the ability to capture users’ contexts and use their instance values to provide self-adaptive services in response to context changes. Modelling and documenting the structure of such a system during the design phase is vital for system validation, testing, maintenance and version management. The Unified Modelling Language (UML) is the de facto industrial standard for system modelling and development. UML class diagrams provide notations for graphically modelling the structure of a system in terms of classes and the relationships between them. However, these notations are insufficient to model the structure of CASs. This paper proposes a new set of notations to represent context and context-awareness and their relationships with classes in class diagrams. Hence, the structure of CASs can be specified, visualized, constructed, and documented distinctively during system development. The proposed approach is evaluated using real-world case studies.

    Detecting Violations of Access Control and Information Flow Policies in Data Flow Diagrams

    The security of software-intensive systems is frequently attacked. High fines or loss of reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation that focuses on the essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial, but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both information flow and access control in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of the confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy.

    Identifying Implicit Component Interactions in Distributed Cyber-Physical Systems

    Modern distributed systems and networks, like those found in cyber-physical system domains such as critical infrastructures, contain many complex interactions among their constituent software and/or hardware components. Despite extensive testing of individual components, security vulnerabilities resulting from unintended and unforeseen component interactions (so-called implicit interactions) often remain undetected. This paper presents a method for identifying the existence of implicit interactions in designs of distributed cyber-physical systems using the algebraic modeling framework known as Communicating Concurrent Kleene Algebra (C²KA). Experimental results verifying the applicability of C²KA for identifying dependencies in system designs that would otherwise be very hard to find are also presented. More broadly, this research aims to advance the specification, design, and implementation of distributed cyber-physical systems with improved cybersecurity assurance by providing a new way of thinking about the problem of implicit interactions through the application of formal methods.

    Architectural Uncertainty Analysis for Access Control Scenarios in Industry 4.0

    Industry 4.0 systems are characterized by their high complexity, connectivity and high volume of data exchange. Because of these properties, it is essential to ensure the confidentiality of the data. A commonly used technique for ensuring confidentiality is access control. Based on a modelled software architecture, access control can already be applied conceptually to the system at design time. This makes it possible to identify potential confidentiality problems early and offers the possibility of analyzing the effects of what-if scenarios on confidentiality before the corresponding changes are implemented. However, uncertainties in the system environment, which arise from ambiguities in the early phases of development or from the abstract view of the software architecture model, can directly affect existing access control policies and lead to reduced confidentiality. To mitigate this, it is important to identify and handle uncertainties. In this work, we present our approach for dealing with uncertainties of access control at design time. We create a characterization of uncertainties in access control at the architectural level in order to gain a better understanding of the existing kinds of uncertainties. Based on this, we define a concept of trust in the validity of access control properties. This concept offers a way of dealing with uncertainties that have already been described in publications on access control models. The concept of trust is a composition of environmental factors that influence the validity of, and consequently the trust in, access control properties. To combine environmental factors and thereby obtain trust values for access control properties, we use fuzzy inference systems. These trust values are taken into account by an analysis process in order to identify problems that arise from a lack of trust. We extend an existing approach for the design-time analysis of information flow and access control that is based on data flow diagrams. The knowledge that we add with our concept of trust is intended to give software architects the means to increase the quality of their models and to verify the access control requirements of their systems in early phases of software development while taking uncertainties into account. We evaluate the applicability of our approach with respect to the availability of the necessary data in different phases of software development, as well as the potential added value for existing systems. We measure the accuracy of the analysis in identifying problems and its scalability in terms of execution time when different aspects of the model are scaled up individually.

    Requirements Engineering of Context-Aware Applications

    Context-aware computing envisions a new generation of smart applications that have the ability to perpetually sense the user’s context and use these data to make adaptation decisions in response to changes in the user’s context, so as to provide timely and personalized services anytime and anywhere. Unlike traditional distributed systems, where the network topology is fixed and wired, context-aware computing systems are mostly based on wireless communication due to the mobility of the network nodes; hence the network topology is not fixed but changes dynamically in an unpredictable manner as nodes join and leave the network, in addition to the fact that wireless communication is unstable. These factors make the design and development of context-aware computing systems much more challenging, as the system requirements change depending on the context of use. The Unified Modelling Language (UML) is a graphical language commonly used to specify, visualize, construct, and document the artefacts of software-intensive systems. However, UML is an all-purpose modelling language and does not have notations to distinguish context-awareness requirements from other system requirements. This is critical for the specification, visualization, construction and documentation of context-aware computing systems because context-awareness requirements are highly important in these systems. This thesis proposes an extension of UML diagrams to cater for the specification, visualization, construction and documentation of context-aware computing systems, where new notations are introduced to model context-awareness requirements distinctively from other system requirements.
    The contributions of this work can be summarized as follows: (i) A context-aware use case diagram is a new notion which merges into a single diagram the traditional use case diagram (that describes the functions of an application) and the use context diagram, which specifies the context information upon which the behaviours of these functions depend. (ii) A novel notion known as a context-aware activity diagram is presented, which extends the traditional UML activity diagrams to enable the representation of context objects, context constraints and adaptation activities. Context constraints express conditions upon context object attributes that trigger adaptation activities; adaptation activities are activities that must be performed in response to specific changes in the system’s context. (iii) A novel notion known as the context-aware class diagram is presented, which extends the traditional UML class diagrams to enable the representation of context information that affects the behaviours of a class. A new relationship, called utilisation, between a UML class and a context class is used to model context objects, meaning that the behaviours of the UML class depend upon the context information represented by the context class. Hence a context-aware class diagram is a rich and expressive language that distinctively depicts both the structure of classes and that of the contexts upon which they depend. The pragmatics of the proposed approach are demonstrated using two real-world case studies.

    Modeling security requirements for context aware system using UML

    Architectural Data Flow Analysis for Detecting Violations of Confidentiality Requirements

    Software vendors must consider confidentiality especially while creating software architectures, because decisions made here are hard to change later. Our approach represents and analyzes data flows in software architectures. Systems specify data flows, and confidentiality requirements specify limitations on those data flows. Software architects use detected violations of these limitations to improve the system. We demonstrate how to integrate our approach into existing development processes.
