Secure State UML: Modeling and Testing Security Concerns of Software Systems Using UML State Machines

: In this research we present a technique by using which, extended UML models can be converted to standard UML models so that existing MBT techniques can be applied directly on these models. Existing Model Based Testing (MBT) Techniques cannot be directly applied to extended UML models due to the difference of modeling notation and new model elements. Verification of these models is also very important. Realizing and testing non functional requirements such as efficiency, portability and security, at model level strengthens the ability of model to turn down risk, cost and probability of system failure in cost effective way. Access control is most widely used technique for implementing security in software systems. Existing approaches for security modeling focus on representation of access control policies such as authentication, role based access control by introducing security oriented model elements through extension in Unified Modelling Language (UML). But doing so hinders the potential and application of MBT techniques to verify these models and test access control policies. In this research we introduce a technique secure State UML to formally design security models with secure UML and then transform it to UML state machine diagrams so that it can be tested, verified by existing MBT techniques. By applying proposed technique on case studies, we found the results that MBT techniques can be applied on resulting state machine diagrams and generated test paths have potential to identify the risks associated with security constraints violation.


INTRODUCTION
In the software industry, the use of models for testing the software systems before its implementation is called Model Based Testing (MBT), (Lindholm et al., 2006).Model based testing is basically applied for testing functional requirements of the system, but non functional requirements such as performance, usability and security are also important for any software system.Many efforts are now being put forward by researchers such as Lodderstedt et al. (2002), Jurjen (2002), Gray (2004) and Mariscal et al. (2005), to address different non functional aspects such as security using MBT.Jurjen (2002) introduced UMLsec as a UML profile for modeling security critical systems.UMLsec uses stereo types, tags and constraints to model security such as availability and integrity.Dynamic view of RBAC is presented Mariscal et al. (2005) presents new diagrams are introduced for specifying security policies by combination of the basic security models i.e., DAC, MAC and RBAC.It is also not easy to accommodate the changes in the overall design of the system that will happen due to integration of security model in the overall functional model of the system.Introduces an approach that uses UML sequence and state machine diagrams in combination to model the system functionalities and security threats.
The proper identification of threats is a difficult task and the threats that are not relevant to the control flow may be missed due to the fact that state machine diagram is used to model the control based transition of system states.Ceneys et al. (2009) analysis the two well known UML based modeling techniques i.e.
Secure UML and UMLsec in context of modeling RBAC.Raimundas and Dumas (2011) presented the comparison of Secure UML and UMLsec in the context of modeling RBAC.The authors presents later the transformation rules for converting Secure UML models to UMLsec and vice versa.The idea behind this was to utilize the modeling capabilities of both the languages for RBAC based system.
The transformation rules are based on a simple modeling example.The need is highlighted by the author for application of the transformation rules to a complex system to check its validity.Moreover to move from one extension of UML to another extension is not a healthy approach due to its incompatibility with standard UML models and MBT testing techniques and tools and less expertise are available in the extended modeling approaches when compared with the expertise that are available in UML.
In this research we aim to introduce a technique for transforming the secure UML models to UML state machine diagrams so that we can apply the existing MBT techniques on extended UML models along with security requirements, for verification of the required security requirements properly modeled or not to avoid future security risk.

MATERIALS AND METHODS
In this section we present the proposed approach for modeling and testing security.Through study of existing literature we highlighted the need of testing and verification of the extended UML models used for modeling security policies.We introduce a technique to enable the application of existing MBT techniques on these models.We use secure UML (Lodderstedt et al., 2002), an extension of UML for modeling RBAC policies.Secure UML uses stereotypes of class diagram for modeling of the RBAC concepts.We transformed secure UML models to UML state machines so that it can present the dynamic view of the secure UML models.
In the following Fig. 1 we present the overall process of the proposed technique secure State UML.Ellipses are used to show the activities that are performed and boxes are used to present the input to these activities, Boxes are used to show the output produced in result of these activities.

Components of secure state UML:
We present the details of each activity involved in the secure state UML modeling and testing process.

System modeling with secure UML:
The modeling capabilities of secure UML (Lodderstedt et al., 2002).Secure UML provides the elements for modeling RBAC policies.
The authorizations constraints of secure UM are used to model the pre conditions on access to system resources are very strong feature to control access to system resources.The following steps are carried out to model the system in secure UML: • Identify users of the system and model each user as a class of secure UML user.

RESULTS AND DISCUSSION
In this section we present validation and verification of the proposed technique by applying it on the case study.Comparison of the results is also presented with the previous techniques (Matulevicius and Dumas, 2011).Ttransformation technique for converting secure UML models to UMLsec and vice versa.Description of the case study is presented below.
Case study: Meeting scheduler system: We illustrate meeting scheduler system presented by Matulevicius and Dumas (2011).The requirements of the system are stated below: • There are two types of roles in the system, meeting initiator and meeting participants.• Meeting initiator is authorized to insert and update meeting schedule.• Meeting participants are permitted to view the details of the meeting in which they are participating.
The secure UML model of the system is presented in the following Fig. 2. Meeting initiator is authorized to enter agreement details and change it as well, meeting participant has the permission to view the  When we apply the mapping rules and the steps for creation of state machines are followed than we construct the state machine diagram as presented in the following Fig. 3.
When we apply the test path generation technique by Ceneys et al. (2009), by following the syntax, we are able to generate the following test paths from the above given State Machine diagrams in Fig. 3

CONCLUSION
Through our experimental results from various case studies, we found that Secure UML model can be used to design UML behavioral model (such as State Machine) by following predefined mapping rules.An additional advantage of the transformation to UML behavioral diagrams is that existing MBT techniques can be applied to model and test paths can be generated which can verify the behavior of the system under development.Raimundas and Dumas (2011), have used transformation rules to map Secure UML model with UMLsec model but it required self assumption and modeller's knowledge about problem domain.Although their approach focus on transforming one secure model to another but ambiguities and incompleteness of transformation rules in different modeling situations hinders the abilities to properly specify RBAC policies in resulting models.
Secure UML model itself describes structural aspects of the system such as class members, operations and static assignment of authorization constraints on roles to perform particular operation.Through UML State Machine model we can present dynamic or behavioral aspects of system through operation execution and representation of states as a result of states transitions.Test paths generation using existing techniques enables us to verify the security policies and identify unsecure states of the system.

Fig. 2 :
Fig. 2: Secure UML model of the meeting scheduler system

•
Identify the roles and model them as classes secure UML.role and associate users with their specific roles by assignment links.
• Identify and associate the permissions of the roles and model them in secure UML.permission class.•Model the resources in secureuml.resourceclass and define the associated methods.• Authorization Constraints (AC) are used to apply the access control on resources based on the Fig. 1: Process flow of secure state UML security policies.AC can be applied on resources directly or through permissions to roles.Mapping of secure UML models to UML state machines: In transformation rules, we specify mapping of secure UML modeling elements with different elements of UML state machines.A behavioral state machine can be used to model the behavior of instances of classes (UML superstructure specification 2.0).Secure UML model is presented in form of class diagrams stereotypes.Based on the references of UML superstructure 2.0 we can create state machine diagrams from Secure UML models along with the security information that is specified in these models.For instance, we map Authorization Constraints (AC) of secure UML to guard conditions in state machine diagram.Different elements of secure UML can be mapped to state machine model as we state in the Table 1.The first two columns presents the mapping of RBAC concepts to secure UML (Matulevicius and Dumas, 2011).We further extend and provide the mapping of secure UML modeling elements to be used for constructing UML state machine diagrams of the proposed technique secure State UML.Most of the techniques for testing and modelling Object Oriented (OO) systems are focused on use of state machines and class diagram (Thapa et al., 2010).Secure UML is based on class diagram stereotypes.Transformation to State machine gives its dynamic view and more testing expertise and tool support.Construction of UML state machine diagrams: Through transformation rules we map each element in secure UML model to state machine diagram.In this way, we are able to construct a complete state machine diagram which can become an alternate depiction

Table 1 :
Mapping secure UML model elements to secure state UML Request the resource class operation that will be placed as event in the state transition.•Put the Requested operation name as event and place the precondition if any in guard section of the transition.In case guard is true, move to the target state, else the request rejected state will be constructed and in both cases next transition will lead to the final state of the state machine diagram.

Table 2 :
Mapping secure UML model elements to UML state machines Change time place operation Requested action/event trigger when the associated guard if any is evaluated Change time place operation Requested states, state entry/do/exit actions Meeting agreement Context of class (from secure UML.resource) where state machine execution occurs Pre condition: meeting initiator.user= "Bob" Guard condition on requested state transition of change time place agreement details.These requirements are depicted in the secure UML model.We construct the State Machine diagram by applying the mapping rules of secure UML to UML State Machines presented in the proposed approach on the following change time place () operation.The authorization constraint associated with change time place () operation is given below.Authorization Constraint with Operation Change Time Place ().Context Meeting Agreement::change Time Place (): void Pre: meeting Initiator.user = "Bob").The following Table 2 presents the mapping of secure UML model elements to UML State Machines for the Change Time Place protected operation of the meeting scheduler to Stat Machines. :