Model-Based Security For Development Context-Aware Mobile Applications Based UML, by Salahideen M. Alhaj


Salahideen M. Alhaj
CIS, IT&S, Jordan
[email protected]

ABSTRACT
Design and development of context-aware applications is particularly complex. Context acquisition is not an easy process, and context changes rapidly in information-rich environments. The adaptation process can be based on different types of mechanisms depending on the required dynamism and may be related to the semantics of the application. Consequently, context-aware applications need specific development mechanisms. However, developing secure context-aware applications is currently a challenging task due to the specific demands and technical constraints of mobile applications. This paper introduces the model-based security engineering (MBSE) approach as a framework driver for secure context-aware mobile application development (SCAMAD), utilizing UMLsec, an extension of the Unified Modeling Language (UML).

Keywords: Context-Awareness, Model-Based Security, Secure Application, Unified Modeling Language, UMLsec.

Ubiquitous Computing and Communication Journal 1

1 INTRODUCTION

As computers become more pervasive and their functionality is more transparently integrated into homes [1], and as broadband technology is introduced into residential communities [2], new applications will emerge to make everyday living easier for people [1] and allow a wide range of human activities (e.g., education, entertainment, social and community gatherings, etc.) to be conducted over the Internet [2]. Such applications, which will be enabled by a ubiquitous (pervasive) computing and communication infrastructure, will provide unobtrusive access to important information, resources and services [3]. Furthermore, these applications will access this sensitive information from many different locations [2]. Clearly, the successful deployment of such applications will depend on our ability to secure them [1]. In particular, we will have to ensure that access to information and services is granted only to authorized users, without requiring them to deal with complex security policies, burdensome access control mechanisms [3], or burdensome authentication procedures [1]. Security policies in these types of environments generally follow a static approach, where security requirements do not change over time [4]. Security requirements are assumed to be relatively static since access control decisions do not change with context, nor do they account for changing conditions in the environment [1]. For example, the ways used to authenticate users and the protocols used to encrypt messages are fixed [4]. Additionally, the surrounding situation is rarely taken into account, and security requirements mainly depend on the user's identity (or role) [4]. The need for adaptive security (security that adapts according to the situation of use) is then a requisite in order to provide fine-grained access control and to block dangerous manipulations [4]. As computing technology becomes more tightly integrated into the fabric of everyday life, it is imperative that security mechanisms become more flexible and less intrusive. To address these concerns, our research is focused on providing security services for context-aware computing environments that can adapt to changing conditions when requests are made [1]. The situation that surrounds both the requested service environment and the user's environment is formally called context [4]. Context-awareness has been considered for some time in designing more adaptive systems, but in the domain of security it is rather new [4].

2 CONTEXT-AWARENESS

While most people tacitly understand what context is, they find it hard to elucidate. Previous definitions of context are done by enumeration of examples or by choosing synonyms for context [5]. Dey defines context in [5] as: any information that can be used to characterize the situation of an entity. An entity is a person, place, or object that is considered relevant to the interaction between a user and an application, including the user and applications themselves. Context is not limited to the physical world around the user, but also incorporates the user's behavior, and terminal and network characteristics [6]. Context-aware computing is a new computing paradigm that determines and utilizes certain context information, such as time and location. This paradigm can provide the services the user wants if the user's context matches the context in the context-aware technology [7]. In Dey's


definition [8, 9], context is divided into user context (such as the user's preferences and age), physical context (such as location and time), computer system context (such as power on/off and devices), and non-classified context. This will be used in the development of a context-aware system according to the user's preferences.

2.1 Context-Aware Computing (ACA)

Context-aware computing was first discussed by Schilit and Theimer [11] in 1994 as software that "adapts according to its location of use, the collection of nearby people and objects, as well as changes to those objects over time." Since then, there have been numerous attempts to define context-aware computing, most of which have been too specific [12]. When we try to apply previous definitions to established context-aware applications, we find that they do not fit. We have chosen a general definition of context-aware computing [5]: a system is context-aware if it uses context to provide relevant information and/or services to the user, where relevancy depends on the user's task [5].

Figure 1: Context Models

However, the goal of context-aware computing, or of applications that use context, as well as of computing in general, should be to make interacting with computers easier. Forcing users to consciously increase the amount of information they have to input would make this interaction more difficult and tedious. Furthermore, it is likely that most users will not know which information is potentially relevant and, therefore, will not know what information to provide [8].

2.2 Context-Aware Applications (CAA)

Similar to the problem of defining context-awareness, researchers have also tried to specify the important features of a context-aware application [13, 14]. Again, these features have tended to be too specific to particular applications. Our proposed categorization combines the ideas from previous taxonomies and attempts to generalize them to satisfy all existing context-aware applications. There are three categories of features that a context-aware application can support: presentation of information and services to a user, automatic execution of a service for a user, and tagging of context to information to support later retrieval [5]. Dey in [8] defined CAA as follows: applications that use context, whether on a desktop or in a mobile or ubiquitous computing environment, are called context-aware. Context-aware applications are becoming more prevalent and can be found in the areas of wearable computing, mobile computing, robotics, adaptive and intelligent user interfaces, augmented reality, adaptive computing, intelligent environments and context-sensitive interfaces. It is not surprising that in most of these areas the user is mobile and her context is changing rapidly. According to [15], there are two extremes when it comes to managing context: the Context Engine (CE) or Tight Coupling (TC). When the context management is divided from the applications that are going to use the context, and the context is thus protected in an isolated and autonomous system (AS), we call it a Context Engine. The other extreme is to let all the context that an application needs be an integrated part of the application.

3 GENERAL PROCESS IN CONTEXT-AWARE SYSTEMS

Context-aware systems are usually complicated systems, and they are responsible for many jobs such as acquiring, storing, interpreting, aggregating, representing, managing, reasoning about and analysing context information for different entities with different attributes. They provide their functionalities through a collaboration process of many different components in the system. There are various types of context-aware systems; however, a context-aware system generally follows four basic steps. The first step is acquiring context information. In the second step, the system stores the acquired context data into its repository. When storing context data, the kind of data model used to represent context information is very important. To make the stored context data easy to use, in the third step the system controls the abstraction level of the stored context data by interpreting or aggregating it. Finally, the system utilizes the abstracted context data for context-aware applications in many ways.

3.1 Acquiring Context Information (ACI)

Because of the diversity of context information types, context information can be acquired in many ways. Physical sensors, which are hardware devices that convert physical analogue properties into computable digital data, are used for context



acquisition. According to the types of context information, many different physical sensors can be used. However, using physical sensors is not the only way of acquiring context information. Assume a context-aware application which recommends a music playlist based on the user's preferences, the weather conditions of the current location, and the current location of the user. In this situation, the user's preferences can be acquired by analyzing the user's music play history, and the weather conditions of the current location can be attained by querying a web service provided by a forecasting site. Although this context can be acquired without using physical sensors, there need to be software modules that act as virtual sensors. Just as physical sensors convert physical properties into context data, virtual sensors convert diverse sources into context data by analyzing them.

What to use: One can use MBSE by first constructing a model of the system. Then, the implementation is derived from the model, and test sequences are generated from the model to establish conformance of the code with the model. For security-critical systems, this approach allows one to consider security requirements from early on in the development process.

Design Directions: What context information? For example, the context types, the required context quality, and the collection process. How do the structure, the behavior or the parameters of the application need to be changed? What mechanisms are required for the collection of the context elements? What adaptation mechanisms? What target platform? How to generate code?

Procedures: Firstly you build a Computation Independent Model (CIM). Then you build a Platform Independent Model (PIM). To create the PIM you use UML, MOF and CWM (Figure 3). Then you automatically create a Platform Specific Model (PSM) out of the PIM. The interesting thing is that you can fully concentrate the development on the functionality and behavior of the software and leave technology on the side. When you are finished with the PIM you can transform your PIM into any proprietary platform you want (e.g. CORBA, J2EE, .NET, XMI/XML). This is the step of automatic code generation from PIM to PSM. The specific code can be for: pervasive services, security, events, transactions, directory, and more. From there you have the base to go to every domain you like (finance, e-commerce, telecom, healthcare, transportation, space, manufacturing, and more). MDA also offers platform interoperability, portability, platform independence and productivity. Once you have completed your PIM, you can switch to another technology by regenerating the code from it.

Technical: The developer creates a model and stores it in the UML 1.5/XMI 1.2 (we have UML 2.0 now) file format. The file is imported by the verification framework into the internal Metadata Repository (MDR). MDR is an XMI-specific data-binding library which directly provides a representation of an XMI file at the abstraction level of a UML model through Java Metadata Interfaces (JMI). This allows the developer to operate directly with UML concepts, such as classes, state charts, and stereotypes. The developer can then use the aspect weaver to weave security aspects into the model or into the code that can be generated. The resulting code can then again be analyzed for security requirements. The framework is designed to be extensible: advanced users can define stereotypes, tags, and first-order logic constraints which are then automatically translated to the automated theorem prover (ATP) for verification on a given UML model.

MDA approach guides: 1. Models expressed in a well-defined notation are a cornerstone to system understanding for enterprise-scale solutions. 2. Building systems can be organized around a set of models by imposing a series of transformations between models, organized into an architectural framework of layers and transformations. 3. A formal underpinning for describing models in a set of metamodels facilitates meaningful integration and transformation among models, and is the basis for automation through tools. 4. Acceptance and broad adoption of this model-based approach requires industry standards to provide openness to consumers, and faster competition among vendors.

Design principles: The designer has to specify how the application can adapt to the context, separating non-functional concerns, such as distribution, security, and transactions, from the functional application concerns. It is not practically attainable to implement all the concerns in one single transformation. Besides splitting up transformations according to technical concerns, the designer should decompose transformations according to non-functional concerns. The designer first has to define the abstract transformations that transform the models without introducing technical details. Then he has to define more and more concrete transformations that generate concrete platform-specific models. Consequently he will first define the non-functional transformations. Then he will identify the target platform. Finally, he will specify the technical transformations. The designer has to identify the non-functional services required by the application that must be provided by the underlying middleware. Designers have to imagine all the possible adaptations according to the context. The designer can study the existing context and adaptation platforms and choose the one that best satisfies the requirements in terms of these mechanisms. The designer specifies the PIM-to-PSM transformations that will transform the abstract models defined throughout the design



direction of the MDD approach into concrete models that are specific to the chosen context platform and adaptation platform respectively.

3.2 Storing Context Information

Most context systems store acquired context data in their repository. Context models are closely related to context storing. Context information can be represented in many ways, from a very simple data model like the key-value model to a complex ontological model [16], and many factors such as expressiveness, flexibility, generality, and the computational cost of processing context-aware data depend on what kind of context model is used in the system. Figure 1 shows a set of example context models. Context data constantly acquired by sensors may require a large amount of storage space, and saving context history data may be useful for many context-aware applications. However, portable devices that participate in context-aware applications have scarce resources; thus, a context-aware system should have sufficient ability to manage storage resources.

3.3 Controlling Context Abstraction Level

A context-aware system is responsible for controlling the abstraction level of context information and performs context abstraction in two ways: context aggregation and context interpretation. Context aggregation means that the system aggregates many low-level signals (raw data) into a manageable number of high-level pieces of information. Context interpretation is another method, which interprets context information and adds semantics. It is hard for context-aware systems to directly use the raw data provided by sensors. So, context-aware systems translate sensed signals into meaningful data so that they can understand and use context data more easily. Additionally, context-aware systems can reduce the amount of context data and achieve better performance by controlling the level of context abstraction. If the context abstraction is separated from a context-aware application, then the context-aware application does not have to know the details of the sensors but can still use the context data sensed by them.

3.4 Utilizing Context Information for Applications

Utilizing acquired and abstracted context information as useful information for services or applications is the final step of the general context-aware system process. Context-aware systems use context information for two purposes: context information as a triggering condition and context information as additional information. Context information can be used as the triggering condition of an action. A context-aware system can use context information as an action-triggering condition when it wants to trigger actions if the current context satisfies a specific situation. To enhance the quality of service of an application, context information can be used as additional information for services or applications. These two purposes of context information usage can be combined. We can use context information for many types of context-aware application. We present several examples of context-aware application categories. Context-aware personalization: providing personalized content or information based on the user's current context information (e.g. a tour guide service). Automatic device configuration: automatically setting up the device's configuration according to the user's current situation (e.g. the screen brightness of a PDA). Context-aware user interface: optimizing the user interface based on the user's current context (e.g. emphasizing icons that the user may select). Context-aware suggestion: providing suggestions about the user's behavior based on the user's current situation (e.g. warning of a dangerous situation).

4 DESIGN CONSIDERATIONS OF CONTEXT-AWARE SYSTEMS

When designing a context-aware system, we need to consider many aspects of context-aware systems. Context-aware systems can be implemented in many ways and can have different structures, depending on what the development focus of the system is. In this section, we discuss several design considerations.

4.1 Architecture Style

The representative architecture styles of context-aware systems can be categorized into three: stand-alone, distributed, and centralized architecture. Figure 2 shows the simplified architecture diagram of each category. The characteristics, advantages, and disadvantages of each are explained below. Stand-alone architecture: a basic architecture that directly accesses sensors and does not consider context sharing among devices. This architecture can be relatively easily implemented but has limitations due to the fact that it cannot process device collaboration. This architecture is appropriate for small and simple applications or domain-specific applications. Distributed architecture: context-aware systems which have a distributed architecture can store context information in many separate devices, and there is no additional central server. Each device is independent of the other devices; thus, the context-aware system can ignore failure or bottleneck problems and still continue context-aware operations. Each device manages its own context information and shares context information with other devices by communicating with them, so an ad-hoc communication protocol is required. However, it is hard for a device to know the overall situation of every device when using ad-hoc communication protocols. Usually mobile devices



lack resources and computation power, so distributed architectures have limitations in dealing with computationally intensive applications. Centralized architecture (context server): sensors and devices are connected to a centralized context server that has rich resources and computational power, and context information is stored in the centralized server.

Figure 2: Context-Aware Systems Architecture Styles

If a device needs to get another device's context information, the device queries the centralized server and gets the result. In this architecture, every communication is performed by querying the context server, so the communication protocol can be relatively simpler than in the distributed architecture. By using a computationally powerful device as the centralized server, many applications which require high resources and cost can be performed. However, there is a disadvantage of this approach in that it is critical if the centralized server fails or a bottleneck problem occurs.

4.2 Handling Dynamicity

Handling dynamicity is one of the important considerations in making a context-aware system able to process sophisticated context-aware applications. Entities varying from simple sensors and resource-poor mobile devices to central servers with high performance participate in processing context-aware applications. At the same time, connections and disconnections of many entities may occur dynamically. A context-aware system should be able to discover and deal with dynamically changing heterogeneous entities and resources.

4.3 Privacy Protection

Privacy protection is one of the important considerations in stepping forward to a successful implementation of context-aware systems. Context-aware systems autonomously gather information from the users, so some of the users may feel uncomfortable in that the system can use or disclose their information without any notice. Thus, a context-aware system should let users express their privacy needs. Context-aware systems are responsible for protecting the user's context information from illegal accesses.

4.4 Performance and Scalability

Many operations for context-aware applications have to be processed in real time, and some context-aware systems need reasoning and inference functionalities which require high computational cost and resources. However, resource-poor mobile devices mainly participate in context-aware applications in most cases. Thus, the context-aware system developer should consider how to manage resources for achieving acceptable performance and scalability. Also, the communication protocol must scale adequately to deal with a large number of communicating devices.

5 MODEL-BASED SECURITY ENGINEERING

Jürjens in [17, 18, 19, 20] developed Model-Based Security Engineering (MBSE) as a soundly based approach for developing security-critical software. One can use MBSE by first constructing a model of the system. Then, the implementation is derived from the model, and test sequences are generated from the model to establish conformance of the code with the model. For security-critical systems, this approach allows one to consider security requirements from early on in the development process.

Part of the MBSE approach is the UML extension UMLsec for secure systems development. The UMLsec extension is given in the form of a UML profile using the standard UML extension mechanisms. UMLsec can be used to specify and implement security patterns, and is supported by dedicated secure systems development processes, in particular an aspect-oriented modeling approach which separates complex security mechanisms from the core functionality of the system in order to allow a security verification of the particularly security-critical parts, and also of the composed model [21]. Sommerville in [22] stresses the challenges that software developers have to take care of when implementing Aspect-Oriented Development (AOD), which are mainly the degree of aspect independence and the software testing process (with an aspect environment), which is not yet well defined. Unfortunately, the pace of required change affects developers' ability to establish and maintain desirable levels of quality of systems. The author will focus on these subtitles, Model Driven Architecture, Model-Based Security and UMLsec, since they establish the playing ground for a successful approach:

5.1 Model Driven Architecture (MDA)

Model Driven Architecture (MDA) is a software development lifecycle that uses models as



its core development artifacts [23]. The idea behind MDA is to raise the level of abstraction in software engineering to develop complex applications in simpler ways [24]. The MDA approach generally separates the system functionality from the implementation details. It is a framework for Model-Driven Software Development (MDSD) defined by the Object Management Group (OMG). MDA is language, vendor and middleware neutral and therefore a very interesting topic for every software development company. The focus of MDA lies on the modelling task.

Figure 3: OMG Model Driven Architecture Model

Firstly you build a Computation Independent Model (CIM). Then you build a Platform Independent Model (PIM). To create the PIM you use UML, MOF and CWM (Figure 3). Then you automatically create a Platform Specific Model (PSM) out of the PIM. The interesting thing is that you can fully concentrate the development on the functionality and behaviour of the software and leave technology on the side. When you are finished with the PIM you can transform your PIM into any proprietary platform you want (e.g. CORBA, J2EE, .NET, XMI/XML). This is the step of automatic code generation from PIM to PSM. The specific code can be for: pervasive services, security, events, transactions, directory, and more. From there you have the base to go to every domain you like (finance, e-commerce, telecom, healthcare, transportation, space, manufacturing, and more). MDA also offers platform interoperability, portability, platform independence and productivity. Once you have completed your PIM, you can switch to another technology by regenerating the code from it. There are four principles that underlie the OMG's MDA approach:
1. Models expressed in a well-defined notation are a cornerstone to system understanding for enterprise-scale solutions.
2. Building systems can be organized around a set of models by imposing a series of transformations between models, organized into an architectural framework of layers and transformations.
3. A formal underpinning for describing models in a set of metamodels facilitates meaningful integration and transformation among models, and is the basis for automation through tools.
4. Acceptance and broad adoption of this model-based approach requires industry standards to provide openness to consumers, and faster competition among vendors.

The core standards of MDA are: the Unified Modeling Language (UML), a graphical language for visualizing, specifying, constructing and documenting the artifacts of software systems, which can be used for designing models in the PIM; the Meta Object Facility (MOF), an integration framework for defining, manipulating and integrating metadata and data in a platform-independent manner, which is the standard language for expressing metamodels (a metamodel uses MOF to formally define the abstract syntax of a set of modeling constructs); and XML Metadata Interchange (XMI), an integration framework for defining, interchanging, manipulating and integrating XML data and objects. XMI can also be used to automatically produce XML DTDs and XML schemas from UML and MOF models.

5.2 Model-Based Security (MBS)

Jürjens and Yu in [25] give the following framework and analysis regarding MBS. The usage of the framework is illustrated in Figure 4.

Figure 4: Tool-flow of the MBSE suite [25]

It proceeds as follows: The developer creates a model and stores it in the UML 1.5/XMI 1.2 (we have UML 2.0 now) file format. The file is imported by the verification framework into the internal Metadata Repository (MDR). MDR is an XMI-specific data-binding library which directly provides a representation of an XMI file at the abstraction level of a UML model through Java Metadata Interfaces (JMI). This allows the developer to operate directly with UML concepts, such as classes, state charts, and



stereotypes. It is part of the NetBeans project. Each plugin accesses the model through the JMI interfaces generated by the MDR library; plugins may receive additional textual input, and they may return both a UML model and textual output. There are two kinds of model analysis plug-ins: the static checkers parse the model, verify its static features, and deliver the results to the error analyzer. The dynamic checkers translate the relevant fragments of the UML model into the input language of, for example, an ATP. The ATP is spawned by the framework as an external process; its results are delivered back to the error analyzer. The error analyzer uses the information received from the static and dynamic checkers to produce a text report for the developer describing the problems found, and a modified UML model in which the errors that are found are visualized. Besides the automated theorem prover binding presented, there are other analysis plugins, including a model-checker binding and plugins for simulation and test-sequence generation.

The developer can then use the aspect weaver to weave security aspects into the model or into the code that can be generated. The resulting code can then again be analyzed for security requirements. The framework is designed to be extensible: advanced users can define stereotypes, tags, and first-order logic constraints which are then automatically translated to the automated theorem prover for verification on a given UML model. Similarly, new adversary models can be defined. In particular, the automated translation of UMLsec diagrams to first-order logic (FOL) formulas, which allows automated analysis of the diagrams using ATPs for FOL, is explained in [18]. In case the result is that there may be an attack, in order to fix the flaw in the code it would be helpful to retrieve the attack trace. Since theorem provers such as e-SETHEO are highly optimized for performance by using abstract derivations, it is not trivial to extract this information. Therefore, we also implemented a tool which transforms the logical formulas explained above to Prolog. While the analysis in Prolog is not useful to establish whether there is an attack in the first place (because it is orders of magnitude slower than using e-SETHEO, and in general there are termination problems with its depth-first search algorithm), Prolog works fine in the case where one already knows that there is an attack and it only needs to be shown explicitly (because it explicitly assigns values to variables during its search, which can then be queried).

5.3 Requirements on Analysis

Jürjens, Schreck, and Bartmann in [26] define the main goal of a security analysis as: A
fulfilled. They also provide some further requirements on the security assessment process for mobile communication architectures, in particular given the high number of architectural alternatives that may need to be analyzed. Reproducibility: the results need to be reproducible for a given architecture without risk of misinterpretation. Delegability: it is required that at least parts of the analysis can be delegated, to be feasible in practice. Efficiency: the analysis must be performed in a given time-frame with a defined expectation regarding thoroughness and scope; the necessary amount of work done by a human security expert should be reducible by limiting the scope of the analysis. Parallelization: it must be possible that parts of the analysis can be performed in parallel and independently. Traceability: results of the analysis must be traceable and give guidance on how negative results can be improved on. Expressiveness: results must carry enough information to enable an overall risk analysis of a given architecture. To achieve these requirements, we decided to evaluate the use of a security assessment process which includes the use of models related to the given architectures and security requirements, and of automated tools to analyze these models against the given security requirements. To keep the amount of additional training bounded, we chose an approach based on the Unified Modeling Language (UML), and one of the options available here is the security extension UMLsec of the UML.

5.4 UMLsec

Jürjens, Schreck, and Bartmann in [26] state that part of the MBSE approach is the UML extension UMLsec for secure systems development, which allows the evaluation of UML specifications for vulnerabilities using a formal semantics of a simplified fragment of the UML. The UMLsec extension is given in the form of a UML profile using the standard UML extension mechanisms. Stereotypes are used together with tags to formulate the security requirements and assumptions. Constraints give criteria that determine whether the requirements are met by the system design, by referring to a precise semantics of the used fragment of UML. The security-relevant information added using stereotypes covers the following aspects: security assumptions on the physical system level (for example, the stereotype, when applied to a link in a UML deployment diagram, states that this connection has to be encrypted); security requirements on the logical level, for example related to the secure handling and communication of data; and security policies that system parts are required to obey. UMLsec can then be used to check the
satisfactory level of confidence that a given security constraints associated with UMLsec stereotypes
policy or particular security requirements are mechanically, based on XMI output of the diagrams

Ubiquitous Computing and Communication Journal 7


from the UML drawing tool in use [18, 27]. There is also a framework for implementing verification routines for the constraints associated with the UMLsec stereotypes, so advanced users of the UMLsec approach can use this framework to implement verification routines for the constraints of self-defined stereotypes. The semantics of the fragment of UML used for UMLsec is defined in [17] using so-called UML Machines, a kind of state machine with input/output interfaces and UML-type communication mechanisms.

6 PROPOSED DESIGN PRINCIPLES

Design and development of context-aware mobile applications is particularly complex. Context acquisition is not an easy process [28]. Context changes rapidly in a rich information environment, and the adaptation process can be based on different types of mechanisms depending on the required dynamism, and may be related to the semantics of the application. Consequently, the development of secure context-aware mobile applications needs specific development mechanisms. Several middleware products have been defined to ease the development of context-aware applications from different points of view, but as yet no solution has been specifically proposed for designing secure context-aware mobile applications. A UML profile allows designers to model the contexts that impact an application, and how the structure, the behaviour or the parameters of the application need to be changed according to this context.

6.1 Design Directions
From the design point of view, the following questions are essential and represent the design directions:
- What context information? This includes the context types, the required context quality, and the collection process.
- How do the structure, the behaviour or the parameters of the application need to be changed?
- What mechanisms are required for the collection of the context elements?
- What adaptation mechanisms?
- What target platform?
- How is code generated?

6.2 Design Principles
The designer has to specify how the application can adapt to the context. Aspect-oriented programming enables developers to build applications by separating the functional from the non-functional aspects of the application; the aspects are combined using pointcuts and weaving [29]. To develop adaptive applications with this approach, the adaptation process is implemented as non-functional aspects. Model transformations can provide a more general kind of separation of concerns than just pure technical concerns [30], by separating non-functional concerns such as distribution, security, and transactions from the functional application concerns. It is not practically attainable to implement all the concerns in one single transformation. Besides splitting up transformations according to technical concerns, the designer should decompose transformations according to non-functional concerns. Each transformation should address only one non-functional concern, so that it becomes easy to implement and to reuse [28]. This policy leads to a set of transformation sequences that need to be applied one after the other to weave all non-functional concerns into the application model. The designer first has to define the abstract transformations, which transform the models without introducing technical details. Then he has to define more and more concrete transformations that generate platform-specific models. Consequently, he first defines the non-functional transformations, then identifies the target platform, and finally specifies the technical transformations. The designer has to identify the non-functional services required by the application that must be provided by the underlying middleware, such as distribution, security, remote data access, deployment, etc. In the case of context-aware applications, these services are also required to be adaptive, so designers have to imagine all the possible adaptations according to the context. From the security design perspective, the goal is to automatically generate the model of how the structure, the behaviour or the parameters of the application need to be changed in context-aware environments for these non-functional services (here, security): a model that is on the one hand defined and on the other hand platform independent. Once the context collection mechanisms, adaptation mechanisms and required non-functional services are identified, the designer can study the existing context and adaptation platforms and choose the one that best satisfies the requirements in terms of these mechanisms. The designer then specifies the PIM-to-PSM transformations that transform the abstract models defined along the design directions of the MDD approach into concrete models that are specific to the chosen context platform and adaptation platform, respectively. The generated variability models of the non-functional services also need to be transformed according to the services provided by the chosen underlying middleware [28].

7 RELATED WORKS
In order to identify the research issue effectively, a set of research work in related fields has been explored in two tracks:

7.1 Model-Based Security Track
Jürjens in [18] states that developing security-critical systems is difficult and that there are many well-known examples of security weaknesses exploited in practice, so that a sound methodology supporting

secure systems development is urgently needed. He presents an extensible verification framework for verifying UML models against security requirements. In particular, it includes various plugins performing different security analyses on models in the security extension UMLsec of UML; the work concentrates on an automated theorem prover binding to verify security properties of UMLsec models that make use of cryptography (such as cryptographic protocols). It aims to contribute towards the use of UML for secure systems development in practice by offering automated analysis routines connected to popular CASE tools. Jürjens and Fox in [19] present tool support for checking UML models and C code against security requirements. A framework supports implementing verification routines based on XMI output of the diagrams from UML CASE tools and on control flow generated from the C code. The tool also supports weaving security aspects into the code generated from the models. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements. They focus on a verification routine that automatically verifies crypto-based software against security requirements using automated theorem provers. Tolk and Turnitsa in [31] discuss the main challenges for Homeland Security applications and stress one of them in particular: the different supporting organizations, services, and nations come to the table with existing information technology, supporting established business and organization processes, and using organization-specific data models. They show how to support multi-organization processes with a federation of their heterogeneous IT solutions based on the alignment and orchestration of applications with regard to the underlying models of those solutions. While processes are orchestrated and aligned top-down, the supporting IT is migrated into a Homeland Security System-of-Systems bottom-up. Web services allow the loose coupling of participating systems, and the consistent application of data engineering allows the auto-configuration of data mediation layers. This is made possible by considering first the solutions themselves and their models (the top-down approach), and only then the application of data engineering to aligning those models (the bottom-up approach). Beres, Baldwin, and Shiu in [32] present an innovative way to assess the effectiveness of security controls, where measurable aspects of controls are first captured in models and the models are then used to analyze the security data gathered from the IT environment. The aim is to lift the risk and security control assessment lifecycle from a series of people-based processes to one where model-based technology enhances and automates the process. Jürjens and Yu in [25] present tools to support Model-Based Security Engineering at both the model and the code level. In the approach supported by these tools, one first specifies the security-critical part of the system using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers, which are implemented within a framework that supports implementing verification routines based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements. In a second step, one verifies that the security-critical parts of the model are correctly implemented in the code, and applies security hardening transformations where that is not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening advice through aspect-oriented programming. Jürjens, Schreck, and Bartmann in [26] present a field report on the employment of the UMLsec method in an industrial telecommunications context, together with indications of its benefits and limitations, and add that, in order to make mobile communication secure, the security analysis has to be an integral part of the system design and IT management process. They perform a security analysis of a mobile system architecture at a large German telecommunications company, making use of an approach to Model-based Security Engineering that is based on the UML extension UMLsec. The focus lies on the security mechanisms and security policies of the mobile applications, which were analyzed using the UMLsec method and tools. Using the UMLsec notation, the user was able to annotate his models with information regarding the security-critical aspects of the system in a concise and clear way. Employing the UML profile of UMLsec, developers familiar with the extension mechanisms of the UML should have no problem learning UMLsec quickly. Furthermore, by embedding the security analysis directly into the IT development and management process, a better understanding and clearer communication of these issues is made possible.

7.2 Context-Aware Application Modeling
In context-aware application modelling, several context models have been defined, such as key-value pairs [33], the object-oriented model [34], the sentient object model [35], and models based on ontologies [36]. They propose a high-level abstraction of context information, unfortunately without a methodology for modelling context-aware applications and their adaptation according to this context. On the one hand, there are reusable solutions for context acquisition, interpretation, and rapid prototyping of context-aware applications, such as the Context Toolkit [37, 5], SOCAM [38], CoBrA [39], CASS [40], and CORTEX [41]. On the other hand there are

the adaptation mechanisms, such as CARISMA [42], K-Components [43], ReMMoC [44], OpenORB [45], CORTEX [41], and RAM [46]. Most existing work has proposed tools to simplify the complicated development process of context-aware applications without tackling the problem of their modelling and security. These middleware and frameworks enable context collection and can even provide adaptation mechanisms. At the same time they offer the research community many advantages by separating context management and processing from the development process of applications. They play a significant role in simplifying the development of context-aware applications by implementing the mechanisms that collect and interpret the context as well as the mechanisms that adapt the application to the context, but they introduce several technical details into the developed applications and reduce their portability. Sheng and Benatallah in [47] propose a UML-based solution to design context-aware web services. Henricksen and Rakotonirainy in [48] present another modeling approach, which extends Object-Role Modeling with context information. This approach allows developers to program with context at a high level without the need to consider issues related to context collection. These works are focused on context modeling and do not support adaptation aspects. The MBSE approach defines a complete process that covers the whole production of secure context-aware mobile applications.

8 References
[1] M. Covington, P. Fogla, Z. Zhan, M. Ahamad: A Context-Aware Security Architecture for Emerging Applications. Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC '02), (2002).
[2] M. Covington, W. Long, S. Srinivasan, A. Dey, M. Ahamad, G. Abowd: Securing context-aware applications using environment roles. Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, pp. 10–20, (2001).
[3] M. Covington, M. Moyer, M. Ahamad: Generalized role-based access control for securing future applications. Proceedings of the 23rd National Information Systems Security Conference (NISSC), pp. 40–51, (2000).
[4] P. Brézillon, G. Mostéfaoui: Context-Based Security Policies: A New Modeling Approach. Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW '04), (2004).
[5] A. Dey: Understanding and Using Context. Personal and Ubiquitous Computing, Volume 5, Issue 1, (2001).
[6] A. Peddemors, M. Lankhorst, J. de Heer: Combining presence, location and instant messaging in a context-aware mobile application framework, (2002).
[7] M. Chung, J. Choi, S. Yang, S. Rhyoo: Context-Aware Security Services in DAA Security Model. International Conference on Advanced Language Processing and Web Information Technology, (2008).
[8] A. Dey: Providing Architectural Support for Building Context-Aware Applications. Ph.D. Dissertation, Georgia Institute of Technology, (2000).
[9] G. Chen: A Survey of Context-Aware Mobile Computing Research. Dartmouth Univ. TR2000-38, (2000).
[10] (entry missing)
[11] A. Dey, G. Abowd: Towards a Better Understanding of Context and Context-Awareness, (1999).
[12] P. Brown: The Stick-e Document: a Framework for Creating Context-Aware Applications. Proceedings of Electronic Publishing '96, pp. 259–272, (1996).
[13] T. Rodden, K. Cheverst, K. Davies, A. Dix: Exploiting Context in HCI Design for Mobile Systems. Workshop on Human Computer Interaction with Mobile Devices, (1998).
[14] J. Pascoe: Adding Generic Contextual Capabilities to Wearable Computers. Proceedings of the 2nd International Symposium on Wearable Computers, pp. 92–99, (1998).
[15] S. Akselsen, W. Finnset, J. Grav, B. Kassah, F. Kileng: MOBIKON - mobile Tjenester og Kontekst, (2002).
[16] T. Strang, C. Linnhoff-Popien: A Context Modeling Survey. Workshop on Advanced Context Modeling, Reasoning and Management, UbiComp, (2004).
[17] J. Jürjens: Secure Systems Development with UML. Springer-Verlag, (2004).
[18] J. Jürjens: Sound methods and effective tools for model-based security engineering with UML. 27th International Conference on Software Engineering, IEEE Computer Society, (2005).
[19] J. Jürjens, J. Fox: Tools for model-based security engineering. 28th International Conference on Software Engineering (ICSE 2006), ACM, (2006).
[20] J. Jürjens: Security analysis of crypto-based Java programs using automated theorem provers. 21st IEEE/ACM International Conference on Automated Software Engineering, (2006).
[21] B. Best et al.: Model-based Security Engineering of Distributed Information Systems using UMLsec. 29th International Conference on Software Engineering (ICSE '07), (2007).
[22] I. Sommerville: Software Engineering, 8/E. Pearson Education, (2007).
[23] Object Management Group: MDA Guide Version 1.0.1, (2003).
[24] ABC: An Introduction to CMMI. http://www.cio.com, 03/25/2009.
[25] J. Jürjens, Y. Yu: Tools for model-based security engineering: models vs. code. ASE 2007, pp. 545–546, (2007).
[26] J. Jürjens, J. Schreck, P. Bartmann: Model-based security analysis for mobile communications. ICSE 2008, pp. 683–692, (2008).
[27] UMLsec tool, 2001–08. http://computing-research.open.ac.uk/jj/umlsectool
[28] D. Ayed, D. Delanote, Y. Berbers: MDD Approach for the Development of Context-Aware Applications, (2007).
[29] G. Kiczales: Aspect-Oriented Programming. ACM Computing Surveys 28A(4), (1996).
[30] B. Vanhooff, D. Ayed, Y. Berbers: A framework for transformation chain design processes. First European Workshop on Composition of Model Transformations (CMT), (2006).
[31] A. Tolk, D. Turnitsa: Conceptual modeling of information exchange requirements based on ontological means. Simulation Conference, (2007).
[32] A. Baldwin, Y. Beres, S. Shiu: Using assurance models to aid the risk and governance life cycle. ACM, (2007).
[33] B. Schilit, M. Theimer, B. Welch: Customising mobile applications. Proceedings of the USENIX Symposium on Mobile and Location-Independent Computing, pp. 129–138, (August 1993).
[34] K. Henricksen, J. Indulska, A. Rakotonirainy: Modeling context information in pervasive computing systems. Pervasive 2002, Zurich, Switzerland, pp. 167–180, (2002).
[35] A. Harter, A. Hopper, P. Steggles, A. Ward: The anatomy of a context-aware application. Mobile Computing and Networking, pp. 59–68, (1999).
[36] D. Preuveneers, Y. Berbers: Semantic and syntactic modeling of component-based services for context-aware pervasive systems using OWL-S. First International Workshop on Managing Context Information in Mobile and Pervasive Environments, pp. 30–39, (2005).

[37] A. Dey, G. Abowd, D. Salber: A Conceptual Framework and Toolkit for Supporting the Rapid Prototyping of Context-aware Applications. Human-Computer Interaction 16(2–4), special issue on context-aware computing, pp. 97–166, (December 2001).
[38] T. Gu, H.K. Pung, D.Q. Zhang: A Middleware for Building Context-aware Mobile Services. IEEE Vehicular Technology Conference (VTC), Milan, Italy, (2004).
[39] H. Chen: An Intelligent Broker Architecture for Pervasive Context-Aware Systems. PhD thesis, University of Maryland, Baltimore County, (2004).
[40] P. Fahy, S. Clarke: A Middleware for Mobile Context-aware Applications. Workshop on Context Awareness, MobiSys, (2004).
[41] C.F. Sorensen, M. Wu, T. Sivaharan, G.S. Blair, P. Okanda, A. Friday, H.A. Duran-Limon: A Context-aware Middleware for Applications in Mobile Ad Hoc Environments. Middleware for Pervasive and Ad-hoc Computing, pp. 107–110, (2004).
[42] L. Capra, W. Emmerich, C. Mascolo: CARISMA: Context-Aware Reflective mIddleware System for Mobile Applications. IEEE Transactions on Software Engineering 29(10), pp. 929–945, (October 2003).
[43] J. Dowling, V. Cahill: The K-Component Architecture Meta-model for Self-Adaptive Software. Reflection 2001, (2001).
[44] P. Grace, G.S. Blair, S. Samuel: ReMMoC: A reflective middleware to support mobile client interoperability. International Symposium on Distributed Objects and Applications (DOA), Catania, Sicily, Italy, (November 2003).
[45] G.S. Blair, G. Coulson, P. Robin, M. Papathomas: An Architecture for Next Generation Middleware. Proceedings of the IFIP International Conference on Distributed Systems Platforms and Open Distributed Processing, London, (1998).
[46] P. David, T. Ledoux: An Infrastructure for Adaptable Middleware. DOA '02, Irvine, California, USA, Springer-Verlag, (October 2002).
[47] Q.Z. Sheng, B. Benatallah: ContextUML: A UML-Based Modeling Language for Model-Driven Development of Context-Aware Web Services. The 4th International Conference on Mobile Business (ICMB 2005), (2005).
[48] K. Henricksen, J. Indulska, A. Rakotonirainy: Generating context management infrastructure from high-level context models.
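The following is an added worked example, written for this page; it is not code from the paper or from the UMLsec tool. It makes concrete the mechanical constraint checking over XMI output described in Section 5.4, the user-defined adversary models described at the start of Section 5, and the weaving of a security aspect into the model followed by re-analysis described in Section 6.2. It implements the UMLsec «secure links» check: every dependency stereotyped «secrecy», «integrity» or «high» between components must run over a physical link on which the adversary has no threat that the stereotype forbids. The XMI input is a constructed, simplified stand-in for a CASE tool export (its element and attribute names are assumptions of the example), the threat sets are those of the UMLsec default adversary, and the insider adversary, the report format and the `weave_encryption` fix are assumptions of the example as well.

```python
"""UMLsec-style <<secure links>> check over a deployment model exported as XMI,
with swappable adversary models, a traceable report, and an aspect-style fix
that is woven into the model and re-checked.

Added example written for this page; not code from the paper or from the
UMLsec tool.  The XMI below is a constructed, simplified stand-in for what a
UML CASE tool exports; its element and attribute names are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed input: three nodes, two physical links, and two dependencies
# between the components deployed on them (one link per pair of nodes).
MODEL_XMI = """
<model>
  <node id="phone"   name="MobileClient"/>
  <node id="gateway" name="ContextGateway"/>
  <node id="db"      name="ProfileStore"/>
  <link id="l1" ends="phone gateway" stereotype="Internet"/>
  <link id="l2" ends="gateway db"    stereotype="LAN"/>
  <dependency id="d1" client="phone"   supplier="gateway" stereotype="secrecy"/>
  <dependency id="d2" client="gateway" supplier="db"      stereotype="integrity"/>
</model>
"""

# Adversary model: link stereotype -> threats the adversary has on that link.
# This is the UMLsec "default" adversary; the insider variant below is a
# user-defined adversary model assumed for this example.
DEFAULT_ADVERSARY = {
    "Internet": {"delete", "read", "insert"},
    "encrypted": {"delete"},
    "LAN": set(),
    "wire": set(),
}
INSIDER_ADVERSARY = {**DEFAULT_ADVERSARY, "LAN": {"read", "insert"}}

# Threats that violate each dependency stereotype (<<high>> tolerates none).
FORBIDDEN = {
    "secrecy": {"read"},
    "integrity": {"insert"},
    "high": {"delete", "read", "insert"},
}


def parse_model(xmi):
    """Return (links, dependencies); links are keyed by the unordered node pair."""
    root = ET.fromstring(xmi)
    links = {}
    for link in root.findall("link"):
        a, b = link.get("ends").split()
        links[frozenset((a, b))] = {"id": link.get("id"), "stereotype": link.get("stereotype")}
    deps = [dict(dep.attrib) for dep in root.findall("dependency")]
    return links, deps


def check_secure_links(model, adversary):
    """<<secure links>>: for every dependency, the threats the adversary has on
    the link carrying it must not include a threat its stereotype forbids.
    Returns a list of violations; an empty list means the constraint holds."""
    links, deps = model
    violations = []
    for dep in deps:
        link = links.get(frozenset((dep["client"], dep["supplier"])))
        if link is None:
            violations.append({"dependency": dep["id"], "link": None,
                               "reason": "no physical link between the nodes"})
            continue
        threats = adversary.get(link["stereotype"], set())
        bad = threats & FORBIDDEN.get(dep["stereotype"], set())
        if bad:
            violations.append({"dependency": dep["id"], "link": link["id"],
                               "link_stereotype": link["stereotype"],
                               "threats": sorted(bad)})
    return violations


def report(violations):
    """Text report of the kind an error analyzer hands to the developer."""
    if not violations:
        return ["<<secure links>> holds"]
    lines = []
    for v in violations:
        if v["link"] is None:
            lines.append(f"{v['dependency']}: {v['reason']}")
        else:
            lines.append(f"{v['dependency']} over {v['link']} (<<{v['link_stereotype']}>>): "
                         f"adversary can {', '.join(v['threats'])}")
    return lines


def weave_encryption(model, violations):
    """Aspect-style fix: re-stereotype each offending link as <<encrypted>>.
    Returns a new model; the input model is left untouched."""
    links, deps = model
    fixed = {pair: dict(link) for pair, link in links.items()}
    offending = {v["link"] for v in violations if v["link"] is not None}
    for link in fixed.values():
        if link["id"] in offending:
            link["stereotype"] = "encrypted"
    return fixed, deps


if __name__ == "__main__":
    model = parse_model(MODEL_XMI)
    for name, adversary in (("default", DEFAULT_ADVERSARY), ("insider", INSIDER_ADVERSARY)):
        found = check_secure_links(model, adversary)
        print(f"[{name}] " + "; ".join(report(found)))
        refixed = check_secure_links(weave_encryption(model, found), adversary)
        print(f"[{name}, after weaving] " + "; ".join(report(refixed)))
```

Running the file prints the report for both adversaries before and after the fix. Under the default adversary only the «Internet» link between the phone and the gateway fails; under the insider adversary the «LAN» link to the profile store fails as well, and a fix woven in for the default adversary alone does not make the model pass under the insider. Keeping the adversary model as data separate from the constraint is what makes that second check a one-line change.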
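As a second added example, written for this page and not the paper's or the UMLsec tool's code, the following illustrates the attack-trace extraction discussed in Section 5.2: it saturates the adversary's knowledge for a protocol run given as the messages of a sequence diagram, storing with each derived "knows" fact the rule and premises that produced it, so that once a secret turns out to be derivable the derivation can be read back, the way the bindings of the Prolog back end can be queried once an attack is known to exist. The term encoding (`enc`, `pair`), the passive adversary that reads only «Internet» links, the rule names and the two protocol runs are all assumptions of the example.

```python
"""Attack-trace extraction for a UMLsec-style protocol analysis: adversary
knowledge is saturated as a set of "knows" facts, each stored with the rule
and premises that derived it, so a derivation of the secret is an attack trace.

Added example written for this page, not code from the paper or the UMLsec
tool.  It models a passive adversary on links whose threats include "read",
with symmetric encryption and pairing only; the protocol runs are constructed.
"""


# Terms: atoms are strings; ("enc", m, k) is m encrypted under k; ("pair", a, b).
def enc(m, k):
    return ("enc", m, k)


def pair(a, b):
    return ("pair", a, b)


# Links on which the adversary has the "read" threat (assumption of this
# example: only <<Internet>> links are readable; <<encrypted>>, <<LAN>> are not).
READABLE_LINKS = {"Internet"}


def saturate(initial_knowledge, messages):
    """Forward-chain adversary knowledge to a fixpoint.

    messages: list of (sender, receiver, term, link_stereotype), one per
    sequence-diagram message.  Returns {term: (rule, premises)}."""
    known = {t: ("initial knowledge", ()) for t in initial_knowledge}
    for i, (snd, rcv, term, link) in enumerate(messages, 1):
        if link in READABLE_LINKS and term not in known:
            known[term] = (f"read message {i} ({snd} -> {rcv}) on <<{link}>>", ())
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "pair":
                for part in term[1:]:
                    if part not in known:
                        known[part] = ("split pair", (term,))
                        changed = True
            elif term[0] == "enc":
                _, m, k = term
                if k in known and m not in known:
                    known[m] = ("decrypt with known key", (term, k))
                    changed = True
    return known


def attack_trace(known, goal):
    """Derivation of `goal` in dependency order, or None if it is not derivable."""
    if goal not in known:
        return None
    trace, seen = [], set()

    def walk(term):
        if term in seen:
            return
        seen.add(term)
        rule, premises = known[term]
        for p in premises:
            walk(p)
        trace.append((rule, term))

    walk(goal)
    return trace


# Constructed protocol runs (client A, server B) as they would appear in a
# sequence diagram.  The first run sends the session key in the clear.
FLAWED_RUN = [
    ("A", "B", pair("n_a", "k_session"), "Internet"),
    ("B", "A", enc("secret", "k_session"), "Internet"),
]
FIXED_RUN = [
    ("A", "B", enc("k_session", "k_long"), "Internet"),
    ("B", "A", enc("secret", "k_session"), "Internet"),
]


def analyse(run, initial_knowledge=frozenset()):
    """Return the attack trace for `secret`, or None if its secrecy holds."""
    return attack_trace(saturate(initial_knowledge, run), "secret")


if __name__ == "__main__":
    for name, run in (("flawed", FLAWED_RUN), ("fixed", FIXED_RUN)):
        trace = analyse(run)
        print(f"{name}: " + ("secrecy holds" if trace is None else "ATTACK"))
        for rule, term in trace or []:
            print(f"  {rule}: knows {term}")
```

The trace for the flawed run reads off exactly the steps a developer needs in order to fix the model: the pair was read on the «Internet» link, split to obtain the session key, and the second message decrypted with it. Giving the adversary the long-term key as initial knowledge (a compromised key, another adversary model) produces a trace for the fixed run too, which is the kind of explicit, queryable derivation the paper says is hard to recover from an optimized prover.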
