A Model-Driven and Generative Approach to Holistic Security

  • Frederik Gossen
  • Tiziana Margaria
  • Johannes Neubauer
  • Bernhard Steffen
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


Functional and technical cyber-resilience are gaining increasing relevance for the health and integrity of connected and interoperating systems. In this chapter we demonstrate the power and flexibility of extreme model-driven design to provide holistic security to security-agnostic applications. Using C-IME, our integrated modelling environment for C/C++, we show how easily a modelled application can be enhanced with hardware security features, fully automatically, during code generation. We illustrate how to use this approach and design environment to make any modelled application ready to securely store its data in potentially insecure environments. The same approach can be used to secure communication over potentially insecure channels. Our approach does not require any changes to the application model. Rather, our integrated modelling environment provides a dedicated modelling language for code generators, which draws on a Domain Specific Language for security. This language is realized as a palette of security primitives whose implementation is based on underlying hardware security technology. The code generator injects security appropriately into the models of the applications under development. We illustrate the use of this security-injecting code generator on the case study of a to-do list management application. The code generator is generic and can be used to secure the file handling of any application modelled in the C-IME.



This work was supported, in part, by Science Foundation Ireland grant 13/RC/2094 and co-funded under the European Regional Development Fund through the Southern & Eastern Regional Operational Programme to Lero - the Irish Software Research Centre (



Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  • Frederik Gossen (1), email author
  • Tiziana Margaria (1)
  • Johannes Neubauer (2)
  • Bernhard Steffen (2)

  1. University of Limerick and Lero – The Irish Software Research Centre, Limerick, Ireland
  2. TU Dortmund University, Dortmund, Germany
