Testing and specifying of Misuse Cases by using a DSL in the CIBO project

Context and Problem Introduction During the CIBO (CheckIn-BeOut) project an electronic ticket solution was developed, that allows users to buy bus tickets with their mobile phones. Therefor, as he enters the bus, the user has to sign in to an android-app with his email address and password. During the tour the position of the user is being detected via GPS, to recognize at which moment the user is leaving the bus. As soon as that happens, the ticket price for the tour will be calculated automatically. To ensure the security of the system, it is important to consider unwanted behavior, initiated by the user, and prevent it if possible. Thus no user shall be able to circumvent the system (e.g. to manipulate the calculation of the ticket price) or harm it in any way. To remove possible weaknesses, it may help to model such unwanted behavior first. Therefor so called misuse cases, which were introduced 2000 by G. Sindre and A. L. Opdahl [1], are suitable. In contrast to use cases, which describe scenarios that can occur, while a user is interacting with the system, misuse cases describe scenarios that shall not occur. So the appearance of such events shall be prevented by the system as far as possible. To describe such misuse cases for the CIBO project in a consistent and clear way, the development of a domain-specific language (DSL) [3] is a good way to do so. In contrast to a general-purpose language (GPL), which can be used for many different applications, the characteristics of misuse cases in CIBO can be considered especially, while using a DSL, because it was designed exclusively for this purpose.

Purpose of the Bachelor Thesis The purpose of the bachelor thesis is to describe requirements for a DSL, which later can be used to document misuse cases in CIBO in an appropriate way. In cooperation with the IVU a catalog of representative misuse cases will be created, in which misuse cases with the same properties will be assigned to the same class. Those classes form a meta-model for misuse cases. To check, whether the unwanted functionality is actually executed or prohibited by the system, a procedure shall be developed, which describes how to derive test cases out of misuse cases. Therefor the ideas and approaches of use case-based testing are transfered to misuse cases. By analyzing the given misuse cases of the created catalog it is possible to specify requirements for the DSL, that shall later be used to support the documentation of misuse cases. The concepts and properties, that result explicitly from the CIBO project, shall be considered especially, to be able to describe the DSL as suitable as possible. This means, the resulting DSL shall solve all domain-specific problems, but no problem outside of the domain. To be able to describe misuse cases uniformly, it may help to adapt the structure of templates [2].


  • definition and identification of misuse cases in the context of CIBO ? creation of a catalog of misuse cases (with IVU)
  • combining misuse cases in classes
  • transformation of misuse cases to test cases
  • description of requirements for a DSL to document misuse cases


  1. [1]  G. Sindre, A. L. Opdahl, ?Eliciting Security Requirements by Misuse Cases?, Pro- ceedings 37th International Conference on Technology of Object-Oriented Languages and Systems, TOOLS-Pacific 2000, 2000, pp. 120-131.
  2. [2]  G. Sindre, A. L. Opdahl, ?Templates for Misuse Case Description?, Proceedings 7th International Workshop on Requirements Engineering, Foundation for Software Quality, 2001.
  3. [3]  Markus Voelter, ?DSL Engineering - Designing, Implementing and Using Domain- Specific Languages?, Januar 2013.

Project information



Thesis for degree:



Nora Nickel