<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Modeling, composing, and testing of security concerns in a Model-Driven Security approach</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Phu H. Nguyen</string-name>
          <email>phuhong.nguyen@uni.lu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Jacques Klein</string-name>
          <email>jacques.klein@uni.lu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Yves Le Traon</string-name>
          <email>yves.letraon@uni.lu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg</institution>
          ,
          <addr-line>4 rue Alphonse Weicker, L-2721</addr-line>
          <country country="LU">Luxembourg</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Model-Driven Security (MDS) has emerged as a promising and sound methodology for supporting the development of secure systems. Following the advances in MDS, this research work aims at 1) developing new modeling techniques to represent multiple security concerns, 2) (automatically) composing security models with the business logic model (called the target model), and 3) testing the security model composition and the resulting secure system against security requirements. These three objectives converge into an integrated MDS framework (and tool chain) which 1) allows a target system model to embed various security concerns, 2) enables the generation of implementation code including configured security infrastructures, and 3) makes these security properties testable by construction. This paper presents the main research modules, the results we have achieved so far, and the main points for future work.</p>
      </abstract>
      <kwd-group>
        <kwd>Model-Driven Security</kwd>
        <kwd>Model-Driven Engineering</kwd>
        <kwd>Security Modeling</kwd>
        <kwd>Model Composition</kwd>
        <kwd>Adaptive Security</kwd>
        <kwd>Security Testing</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>
        It is undoubted that the role of security engineering is getting more
important than ever as our world is becoming more digital and networked. However,
the traditional software development process has shown its inefficiency in
facing the following three main challenges of today's security engineering.
First, (software) systems are getting more and more complex. In particular,
taking security concerns into account while developing (already complex) systems
makes the development process more stressful, error-prone and difficult. Second,
security threats are getting more dangerous, more varied, and change quickly. These
make security requirements more complex and difficult to deal with. Security
features are often scattered and tangled throughout the entire system. It is hard
to integrate them properly into the traditional development process. Moreover,
they are rarely taken into account at early stages of the development process
[
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. In other words, the overall system design often misses the careful
engineering of security. Third, even though the complexity of the systems (especially
those including security concerns) that have to be produced and maintained is
continuously increasing, economic pressure reduces development time and increases
the frequency of modifications. All these issues constantly call for more
productive and flexible security engineering methods to better support the
development and maintenance of reliable secure systems.
      </p>
      <p>
        Model-Driven Engineering (MDE) has been considered by some researchers
[
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] as a solution for handling complex and evolving software systems.
As a specialization of MDE, Model-Driven Security (MDS) aims at providing
means to tackle the complexity and increase the productivity of modern secure
systems development. MDS makes security models more productive, i.e.,
models can be manipulated automatically in every development stage. The three
main challenges mentioned above could be solved by MDS [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. However, the MDS state of the art has weaknesses. Our recent systematic review of MDS
[
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] shows that more MDS work is needed to deal with multiple security concerns
at the same time. Moreover, not many MDS approaches have fully leveraged
Aspect-Oriented Modeling (AOM) techniques to specify multiple security
concerns and enhance the modularity of secure systems. There is also a lack of a
complete tool chain (based on model transformations) to automate the derivation
of code from MDS models. Following the advances in MDS, this research work
aims at 1) developing new (AOM) modeling techniques to represent multiple
security concerns, 2) (automatically) composing security models with the business
logic model (called the target model), and 3) testing the security model
composition and the resulting secure system against security requirements. These three
objectives converge into an integrated MDS framework (and tool chain) which 1)
allows a target system model to embed various security concerns, 2) enables the
generation of implementation code including configured security infrastructures,
and 3) makes these security properties testable by construction.
      </p>
      <p>The remainder of this paper is structured as follows. Section 2 describes the
main objectives and the main (expected) contributions of our proposed research.
Section 3 then presents our main research modules, the track record of the
results achieved so far, and what is still missing. Finally, the conclusion
and future work are presented in Section 4.</p>
    </sec>
    <sec id="sec-2">
      <title>Objectives</title>
      <p>2.1 Research Objectives
There are three main research objectives in this work. First, we aim at proposing
a portfolio of well-defined security models without any consideration of a target
model, i.e., the model in which the security models will be inserted or composed.
Consequently, each security concern will be modeled in isolation, leading to a
better understanding and modularization of these security concerns.</p>
      <p>Second, we propose to automatically compose a subset of selected security
models with the target system model to obtain a new model of the system
augmented with security properties. This model composition can be performed
using model transformations or model composers. Once the various security models
are specified, the automation of the composition should make it easier to adapt
the target model to different situations by allowing the automated composition
of the appropriate security models. Moreover, the model of the system augmented
with security properties can be used for the formal analysis of security properties.</p>
      <p>Third, we propose to exploit the model composition operators to make the
final implementation testable by construction. Composing security models
(viewpoints) into the target model will lead to a more detailed model, which will finally
be implemented. Code production is error-prone, and the conformance of the
implementation with the security policy must be tested. The composition
operators we propose may offer an elegant way 1) to make the implemented security
mechanisms testable, in the sense that they can be made observable at runtime, and 2) to
propose a security fault model for performing mutation analysis on the final code.</p>
      <p>2.2 Expected Contributions
From our proposed approach, the main expected contributions of our work are as
follows: 1) a library of security concerns and a set of Domain Specific Languages
(DSLs) for specifying these security concerns; 2) a model-driven framework for
composing security models (conforming to these DSLs) with the target model;
and 3) a mutation analysis approach for testing the resulting secure systems.</p>
    </sec>
    <sec id="sec-3">
      <title>Research Modules &amp; Track Record</title>
      <p>This section presents the four main modules of our research, with the results that
have been achieved so far, and the approach to completing the thesis.</p>
      <p>
        3.1 Literature Review of Model-Driven Security
This module focuses on the state of the art of MDS and the key aspects of our
project, i.e., modeling, composing, and testing of security concerns. Because we
realized that no real systematic review of MDS existed, we conducted
one, whose results are presented in [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. The results show not only a clear picture
of the current main approaches in MDS but also the current status of the key aspects
of MDS.
      </p>
      <p>The results suggest that more attention should be paid to dealing with
multiple security concerns at the same time. Most current approaches deal
with only one security concern, especially authorization. Besides, there are
significantly fewer MDS papers tackling integrity, availability, and authentication
than authorization and confidentiality. An important remark is that more work
should be done to obtain (DSL) models with well-defined semantics for various
security concerns. These models must be extensively and formally defined in order to
enable integration with automated analysis tools (based on well-established
formal methods) and/or program synthesis tools. On the other hand, a tool
chain (based on model transformations) to derive from models (to models, and then)
to implementation code is also an important piece of future work. Regarding
modeling approaches, very few of the selected papers propose a full AOM
approach in which security concerns are specified as aspects and eventually woven
into the primary model(s). Last but not least, there is a lack of empirical studies
of MDS approaches, so more empirical studies should be conducted.</p>
      <p>
        The details of five main MDS approaches have been discussed in our book
chapter, namely Advances in MDS [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. Moreover, we are working on extending
[
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] for submission to a journal.
      </p>
      <p>
        3.2 Modeling Security Concerns
As discussed in [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], domain specific languages (DSLs) could be defined for
specifying security concerns. We aim at proposing a set of DSLs specialized for
capturing the well-defined semantics of various security concerns. These DSLs are
used for creating well-specified security models without any consideration of a
target model, i.e., the model in which the security models will be inserted or
composed. Currently, we are trying to introduce these DSLs in a full AOM approach,
e.g. using Reusable Aspect Models [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. Consequently, each security concern will
be modeled in isolation, leading to a better understanding and modularization
of these security concerns.
      </p>
      <p>
        As a first approach, we focused on dealing with the authorization
problem, especially access control (role-based access control, RBAC) and delegation.
In [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], it has been shown that various RBAC-based delegation features can be
specified using our metamodel (DSL). Our DSL supports complex delegation
characteristics like temporary delegation, recurrent delegation, transfer delegation,
multiple and multi-step delegation, etc. On the other hand, the business logic (base
system) can be specified using another DSL, e.g. an architecture
(component-based) metamodel [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. In the next step, we aim to deal with multiple security
concerns at the same time in a full AOM approach.
      </p>
      <p>
        3.3 Composing Security Models with the Target System
In the modeling module of our approach, security concerns are modeled
independently of the business logic. In this module, the security models have to be composed
with the target system model to obtain a new model of the system augmented
with security properties. Fig. 1 presents an overview of our extensive model-driven
approach for access control and delegation management [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. In our approach,
delegation is considered as a "meta-level" mechanism which impacts the
existing access control policies, just as an aspect can impact a base program. We claim
that, to handle advanced delegation rules, an ideal solution is to separate the
delegation rules from the access control policy, each being specified in isolation,
and then to compose/weave them together to obtain a new access control policy
(called the active security policy) reflecting both access control and delegation.
      </p>
      <p>[Fig. 1. Overview of the model-driven framework for access control and delegation management. M2 level: Delegation metamodel, Access Control metamodel and Architecture metamodel, to which the M1 models conform (cft); the metamodels are themselves subject to evolution. M1 level: the delegation policy, the access control policy and the base model (each subject to change/evolution) are combined by model transformation into the active security policy, which is combined with the base model by model composition into the security-enforced architecture model; self-adaptation, test and validation link this level with the running system. M0 level: the running system on an adaptive execution platform, made of proxy components and business logic components.]</p>
      <p>As can be seen in Fig. 1, a complete model-driven framework has been
proposed to enable dynamic enforcement of delegation and access control policies
that allows the automatic configuration of the system according to the changes
in delegation/access control rules. The enforcement of the security policy on the
target system is in fact the composition of the security models with the target system
model. The dynamic adaptation of the running system is possible thanks to
modern adaptive execution platforms like OSGi (www.osgi.org) and Kevoree (www.kevoree.org),
which provide low-level APIs to reconfigure a system at runtime.</p>
      <p>
        3.4 Model-Based Security Testing
We focus on proposing a Model-Based Security Testing and Mutation Analysis
approach for the validation of the resulting secure system. From the security
model(s), we plan to automate the (partial) generation of security test cases.
Our goal in using mutation analysis is to derive a sufficient test set, which can
detect all the security faults denoted by the mutants. In that way, a correct
secure system that passes the sufficient test set can be obtained. We have
adopted mutation analysis for delegation policies [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. Mutation analysis operates
by introducing artificial defects, called mutants, into the artifacts of the program
under investigation. Our approach in [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] consists of analyzing the representation
of the key components of delegation, based on which we derive a suggested
set of mutant operators. These operators can then be used to introduce mutants
into delegation policies and thus enable mutation testing. There is still more
work to be done to validate our idea in [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
      </p>
      <p>Here we propose to use security testing because, so far, formal verification
methods for security still have limitations. Only some specific problem areas, such
as smart cards or cryptographic protocols, are amenable to formal verification
methods. Formal verification is still infeasible for larger systems due to their increased
complexity and dependencies.</p>
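      <p>The following Python program is an added example, not code from the paper or from the authors' tool chain, illustrating both the composition step of Section 3.3 and the mutation analysis of Section 3.4 on a small constructed scenario. An RBAC policy and a set of delegation rules (temporary, transfer and multi-step delegation) are modeled separately and woven into an active security policy that records, for every decision, which role granted access and whether it was delegated. A set of constructed mutant operators (not the operator set of [8]) is then applied to the delegation rules, and a constructed security test set shows which mutants it kills. All users, roles, resources, rules, operators, time values and test cases are assumptions made for the example.</p>
      <preformat>
```python
# Added example (not code from the paper): an RBAC policy and delegation rules, modeled
# separately, are woven into an "active security policy"; constructed mutant operators
# are then applied to the delegation rules to see which mutants a test set detects.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatee: str
    role: str
    valid_from: int            # temporary delegation: validity window in sample "days"
    valid_until: int
    transfer: bool = False     # transfer delegation: the delegator loses the role
    redelegable: bool = False  # multi-step delegation: the delegatee may pass the role on


# Constructed base access control policy (RBAC), modeled without any delegation.
ROLE_PERMS = {"doctor": {("read", "record"), ("write", "record")},
              "nurse": {("read", "record")}}
USER_ROLES = {"alice": {"doctor"}, "bob": {"nurse"}, "carol": set(), "dave": set()}
# Constructed delegation rules, modeled in isolation from the RBAC policy.
DELEGATIONS = [Delegation("alice", "carol", "doctor", 1, 5, redelegable=True),
               Delegation("carol", "dave", "doctor", 3, 4, transfer=True)]  # second step


def compose_active_policy(user_roles, delegations, now):
    """Weave the delegation rules into the role assignment valid at time `now`.
    Result: {user: {role: source}}, source being None (direct) or the granting
    Delegation, so every decision stays observable at runtime."""
    active = {u: {r: None for r in roles} for u, roles in user_roles.items()}
    applied, changed = set(), True
    while changed:  # fixpoint: delegation chains resolve whatever the rule order
        changed = False
        for d in delegations:
            if d in applied or now not in range(d.valid_from, d.valid_until + 1):
                continue
            held = active.get(d.delegator, {})
            if d.role not in held:
                continue  # delegator does not hold the role at this time
            if held[d.role] is not None and not held[d.role].redelegable:
                continue  # a delegated role may not be passed on (no multi-step)
            active.setdefault(d.delegatee, {})[d.role] = d
            if d.transfer:
                del held[d.role]
            applied.add(d)
            changed = True
    return active


def decide(active, user, action, resource):
    """Access decision plus justification (which role, direct or delegated by whom)."""
    for role, source in active.get(user, {}).items():
        if (action, resource) in ROLE_PERMS.get(role, set()):
            via = "direct" if source is None else "delegated by " + source.delegator
            return True, role + " (" + via + ")"
    return False, "no role grants " + action + " on " + resource


def mutants(delegations, users):
    """Illustrative mutant operators on delegation rules (constructed here, not the
    operator set of the cited paper): one mutant per operator and rule."""
    out = []
    for i, d in enumerate(delegations):
        other = [u for u in sorted(users) if u not in (d.delegator, d.delegatee)][0]
        variants = {"extend_validity": replace(d, valid_until=d.valid_until + 1),
                    "flip_transfer": replace(d, transfer=not d.transfer),
                    "flip_redelegable": replace(d, redelegable=not d.redelegable),
                    "swap_delegatee": replace(d, delegatee=other),
                    "drop_rule": None}
        for op, m in variants.items():
            mutated = [x for j, x in enumerate(delegations) if j != i]
            if m is not None:
                mutated.insert(i, m)
            out.append((op + "@" + str(i), mutated))
    return out


# Constructed security test set: (user, action, resource, day, expected decision).
TESTS = [("carol", "write", "record", 2, True),   # delegated role inside its window
         ("carol", "write", "record", 6, False),  # temporary delegation has expired
         ("dave", "write", "record", 3, True),    # multi-step delegation reached dave
         ("carol", "write", "record", 3, False),  # transfer removed the role from carol
         ("dave", "read", "record", 5, False),    # second step has expired, carol holds it
         ("alice", "write", "record", 3, True),   # non-transfer delegation keeps alice's role
         ("bob", "write", "record", 2, False)]    # base RBAC policy is unaffected


def run_tests(delegations, tests=TESTS):
    """Decisions of the composed policy for every test case."""
    return [decide(compose_active_policy(USER_ROLES, delegations, day), u, a, r)[0]
            for (u, a, r, day, _expected) in tests]


def mutation_analysis(delegations=DELEGATIONS, tests=TESTS):
    """A mutant is killed when some test decides differently than on the original
    rules; survivors point to equivalent mutants or missing test cases."""
    baseline = run_tests(delegations, tests)
    killed, survived = [], []
    for name, mutated in mutants(delegations, USER_ROLES):
        (killed if run_tests(mutated, tests) != baseline else survived).append(name)
    return killed, survived
```
      </preformat>
      <p>On the sample data, run_tests(DELEGATIONS) reproduces the expected decisions, and mutation_analysis() kills nine of the ten mutants. The survivor, flipping the redelegable flag of the second rule, has no observable effect under this test set because nobody redelegates from dave; that is exactly the information the approach is meant to surface: either the mutant is equivalent or the test set is not yet sufficient and needs a case covering a third delegation step.</p>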
    </sec>
    <sec id="sec-4">
      <title>Conclusion and Future Work</title>
      <p>
        In this paper, we have presented our research work with its main modules and
track record. Regarding the first module, the literature review, we have
conducted a systematic literature review of MDS and written a book chapter on advances
in MDS. This module is more or less done, even though we are still working on
a journal version of the review. In the second module, the modeling of
security concerns, we have dealt with access control and delegation, but there
is still more work to be done for modeling multiple security concerns. The third
module focuses on composing models. We have proposed a framework for
model-driven adaptive delegation. Our model-driven framework needs to be improved
for handling multiple security concerns at the same time. Last but not least,
the fourth module is about security testing. Our work on testing delegation
policy enforcement via mutation analysis [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] is at the beginning, and we will continue
working on it. In the end, we would also like to have an industrial case study
for evaluating our approach.
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>J.</given-names>
            <surname>Bezivin</surname>
          </string-name>
          .
          <article-title>Model driven engineering: An emerging technical space</article-title>
          .
          <source>GTTSE</source>
          ,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>L.</given-names>
            <surname>Cysneiros</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Sampaio do Prado Leite</surname>
          </string-name>
          .
          <article-title>Non-functional requirements: from elicitation to modelling languages</article-title>
          .
          <source>In ICSE 2002</source>
          , pages
          <fpage>699</fpage>
          -
          <lpage>700</lpage>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <given-names>J.</given-names>
            <surname>Kienzle</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W. Al</given-names>
            <surname>Abed</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Fleurey</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.-M.</given-names>
            <surname>Jezequel</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Klein</surname>
          </string-name>
          .
          <article-title>Aspect-oriented design with reusable aspect models</article-title>
          .
          <source>In TAOSD VII</source>
          , volume
          <volume>6210</volume>
          .
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <given-names>L.</given-names>
            <surname>Lucio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Q.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P. H.</given-names>
            <surname>Nguyen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Amrani</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Klein</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Vangheluwe</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Le Traon</surname>
          </string-name>
          .
          <source>Advances in Model-Driven Security. Elsevier</source>
          ,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>P. H.</given-names>
            <surname>Nguyen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Klein</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Kramer</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Le Traon</surname>
          </string-name>
          .
          <article-title>A Systematic Review of Model Driven Security</article-title>
          .
          <source>In Proceedings of the 20th APSEC</source>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <given-names>P. H.</given-names>
            <surname>Nguyen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Nain</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Klein</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Mouelhi</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Le Traon</surname>
          </string-name>
          .
          <article-title>Model-Driven Adaptive Delegation</article-title>
          .
          <source>In AOSD</source>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>P. H.</given-names>
            <surname>Nguyen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Nain</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Klein</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Mouelhi</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Le Traon</surname>
          </string-name>
          .
          <article-title>Modularity and Dynamic Adaptation of Flexibly Secure Systems: A Model-Driven Approach for Delegation in Access Control Management</article-title>
          .
          <source>In TAOSD XI</source>
          .
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>P. H.</given-names>
            <surname>Nguyen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Papadakis</surname>
          </string-name>
          , and
          <string-name>
            <given-names>I.</given-names>
            <surname>Rubab</surname>
          </string-name>
          .
          <article-title>Testing Delegation Policy Enforcement via Mutation Analysis</article-title>
          .
          <source>In Proceedings of the Workshop on Mutation Testing, the Sixth IEEE International Conference on Software Testing</source>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>