ETH Zurich, Information Security

Model-Driven Security with SecureUML

Almost daily we hear about newly detected software vulnerabilities that allow attackers to steal or destroy information, to enter protected areas, or to cause denial of service. Systems connected to the Internet are especially at risk and need to be well designed and carefully implemented to minimize the opportunities for attack.

Model Driven Security (MDS) embraces a model-centric development approach to increase the security of software systems. It is based on two observations: (1) security mechanisms are rather easy to state but difficult to realize, and (2) security is often neglected in favor of "real" features. As a consequence, security is considered late in the design process and realized badly, yielding insecure systems and potentially costly damage during operation.

The vision of the MDS project is to offer a variety of functionality to software engineers assisting them in making systems more secure more easily.

MDS Blueprint

XMI (XML Metadata Interchange) is a standard format used by UML tools to export the various kinds of UML diagrams. We designed a security modelling language, SecureUML, that allows access control requirements to be specified in arbitrary UML design models.

Unfortunately, each UML tool uses a slightly different version of XMI, making interoperability a challenge. Therefore, an important step for MDS is to extract the MDS model from the UML model.

System Generation

Starting from the MDS model, code and security configuration are automatically generated for different platforms. Generators for Java plus JAAS or Permis as well as for C#/.Net already exist. Further candidate platforms are EJB, WebServices, and Java plus the Spring Framework.
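To make the generation step concrete, here is an added example (not code from the MDS project or any of its generators) that models the core SecureUML vocabulary in Python: roles with an inheritance hierarchy, permissions that grant actions on protected resources, composite actions such as fullAccess, and authorization constraints as predicates over the call context (standing in for SecureUML's OCL preconditions). From that model it derives a flattened per-role policy table, the kind of artifact a platform generator would emit, and also evaluates access decisions directly. The role, resource and action names (User, Supervisor, Meeting, fullAccess) are constructed for illustration, and the evaluation order and table format are this example's own choices, not those of the MDS tools.

```python
"""A SecureUML-style access control model with a policy generator.

Added example, not MDS project code. Roles, resources and actions below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set

# SecureUML action hierarchy: a composite action expands to atomic actions.
COMPOSITE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "fullAccess": frozenset({"read", "create", "update", "delete"}),
}


def atomic_actions(actions: Iterable[str]) -> FrozenSet[str]:
    """Expand composite actions so that decisions are made on atomic ones."""
    out: Set[str] = set()
    for action in actions:
        out |= COMPOSITE_ACTIONS.get(action, frozenset({action}))
    return frozenset(out)


@dataclass(frozen=True)
class Permission:
    role: str
    resource: str
    actions: FrozenSet[str]
    # Authorization constraint: evaluated at call time, so it is kept in the
    # generated code as a runtime check rather than folded into a static table.
    constraint: Optional[Callable[[dict], bool]] = None


class SecureUMLModel:
    def __init__(self) -> None:
        self.permissions: List[Permission] = []
        # senior role -> junior roles whose permissions it inherits
        self.juniors: Dict[str, Set[str]] = {}

    def add_role_inheritance(self, senior: str, junior: str) -> None:
        self.juniors.setdefault(senior, set()).add(junior)

    def add_permission(self, role: str, resource: str, actions: Iterable[str],
                       constraint: Optional[Callable[[dict], bool]] = None) -> None:
        self.permissions.append(Permission(role, resource, frozenset(actions), constraint))

    def effective_roles(self, role: str) -> Set[str]:
        """The role plus every junior role it transitively inherits from."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            stack.extend(self.juniors.get(current, ()))
        return seen

    def decide(self, roles: Iterable[str], resource: str, action: str,
               context: Optional[dict] = None) -> bool:
        """Grant if any effective role holds a permission covering the action
        whose constraint (if any) holds in the given context. Deny by default."""
        ctx = context or {}
        for role in roles:
            for eff in self.effective_roles(role):
                for perm in self.permissions:
                    if (perm.role == eff and perm.resource == resource
                            and action in atomic_actions(perm.actions)):
                        if perm.constraint is None or perm.constraint(ctx):
                            return True
        return False

    def generate_policy(self) -> Dict[str, Dict[str, List[str]]]:
        """Flatten the model into role -> resource -> sorted atomic actions,
        the shape a static policy file for a target platform would take."""
        table: Dict[str, Dict[str, Set[str]]] = {}
        for role in {p.role for p in self.permissions} | set(self.juniors):
            for eff in self.effective_roles(role):
                for perm in self.permissions:
                    if perm.role == eff:
                        table.setdefault(role, {}).setdefault(perm.resource, set()).update(
                            atomic_actions(perm.actions))
        return {r: {res: sorted(acts) for res, acts in m.items()} for r, m in table.items()}


def build_example_model() -> SecureUMLModel:
    """Constructed model: a Supervisor inherits a User's permissions; a User may
    change a Meeting only when the caller owns it; a Supervisor has fullAccess."""
    model = SecureUMLModel()
    model.add_role_inheritance("Supervisor", "User")
    model.add_permission("User", "Meeting", ["read", "create"])
    model.add_permission("User", "Meeting", ["update", "delete"],
                         constraint=lambda ctx: ctx.get("caller") == ctx.get("owner"))
    model.add_permission("Supervisor", "Meeting", ["fullAccess"])
    return model


if __name__ == "__main__":
    m = build_example_model()
    print(m.generate_policy())
    print(m.decide(["User"], "Meeting", "delete", {"caller": "alice", "owner": "bob"}))
```

The constrained permission shows why a generator cannot reduce everything to a static table: the per-role action list is emitted as configuration, while the ownership constraint must become a guard in the generated code that is evaluated against the actual call.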

Theorem Proving

Determine security properties of the model using theorem provers, such as Isabelle/HOL-OCL. We developed a transformation from MDS models using SecureUML to generic UML/OCL models. Using this transformation, Isabelle/HOL-OCL can be used to analyse security properties of the design model. As an alternative approach, we are investigating adding specialized support for analysing access control requirements to Isabelle/HOL-OCL, resulting in Isabelle/HOL-OCL/SecureUML.

Model Checking

Determine security properties of the model using model checkers, such as SPIN.

Test Cases

Model information is used to automatically generate test suites that can be applied to systems which were not themselves generated automatically.

Development Process Integration

To allow for seamless use, the functionality needs to be integrated into the process used by the software engineers. Possible integration points are UML tools, IDEs (Eclipse) or build tools (Ant, Maven).


In the context of MDS, we offer a variety of projects.




© 2011 ETH Zurich | 13 February 2007