Article

Towards realizing a formal RBAC model in real systems

Authors:

Hongxin HuAuthors Info & Claims

SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

Pages 215 - 224

https://doi.org/10.1145/1266840.1266875

Published: 20 June 2007 Publication History

Abstract

There still exists an open question on how formal models can be fully realized in the system development phase. The Model Driven Development (MDD) approach has been recently introduced to deal with such a critical issue for building high assurance software systems.

There still exists an open question on how formal models can be fully realized in the system development phase. The Model Driven Development (MDD) approach has been recently introduced to deal with such a critical issue for building high assurance software systems.

The MDD approach focuses on the transformation of high-level design models to system implementation modules. However, this emerging development approach lacks an adequate procedure to address security issues derived from formal security models. In this paper, we propose an empirical framework to integrate security model representation, security policy specification, and systematic validation of security model and policy, which would be eventually used for accommodating security concerns during the system development. We also describe how our framework can minimize the gap between security models and the development of secure systems. In addition, we overview a proof-of-concept prototype of our tool that facilitates existing software engineering mechanisms to achieve the above-mentioned features of our framework.

References

[1]

The ArgoUML Project. http://argouml.tigris.org.

[2]

Dresden OCL toolkit. http://dresden-ocl.sourceforge.net.

[3]

The Octopus Project. http://www.klasse.nl/octopus.

[4]

American National Standards Institute Inc. Role Based Access Control, ANSI-INCITS 359--2004, 2004.

[5]

G.-J. Ahn and R. S. Sandhu. Role-based authorization constraints specification. ACM Trans. Inf. Syst. Secur. (TISSEC), 3(4):207--226, November 2000.

Digital Library

[6]

G.-J. Ahn and M. E. Shin. Role-based authorization constraints specification using object constraint language. In Proceedings of the 10th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pages 157--162, 2001.

Digital Library

[7]

K. Alghathbar and D. Wijesekera. authUML: a three-phased framework to analyze access control specifications in use cases. In Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pages 77--86, New York, NY, USA, 2003. ACM Press.

Digital Library

[8]

J. Bacon, K. Moody, and W. Yao. A model of OASIS role-based access control and its support for active security. ACM Trans. Inf. Syst. Secur. (TISSEC), 5(4):492--540, 2002.

Digital Library

[9]

E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. (TISSEC), 4(3):191--233, 2001.

Digital Library

[10]

E. Bertino, B. Catania, M. L. Damiani, and P. Perlasca. GEO-RBAC: a spatially aware RBAC. In Proceedings of the tenth ACM symposium on Access control models and technologies (SACMAT), pages 29--37, New York, NY, USA, 2005. ACM Press.

Digital Library

[11]

R. Chandramouli. Application of XML tools for enterprise-wide RBAC implementation tasks. In Proceedings of the fifth ACM workshop on Role-based access control, pages 11--18, Berlin, Germany, July 2000.

Digital Library

[12]

F. Chen and R. S. Sandhu. Constraints for role-based access control. In Proceedings of the first ACM Workshop on Role-based access control, Gaithersburg, Maryland, United States, 1995.

Digital Library

[13]

J. Crampton. Specifying and enforcing constraints in role-based access control. In Proceedings of the eighth ACM symposium on Access control models and technologies (SACMAT), pages 43--50, June 2003.

Digital Library

[14]

N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder policy specification language. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks, pages 18--38, Bristol, UK, 2001.

Digital Library

[15]

D. Ferraiolo and D. Kuhn. Role based access control. In Proceedings of the fifth National Computer Security Conference, pages 554--563, 1992.

[16]

D. F. Ferraiolo, R. S. Sandhu, S. I. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC), 4(3):224--274, 2001.

Digital Library

[17]

R. France. A problem-oriented analysis of basic UML static requirements modeling concepts. In Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, pages 57--69, New York, NY, USA, 1999.

Digital Library

[18]

T. Jaeger. On the increasing importance of constraints. In Proceedings of the fourth ACM workshop on Role-based access control, pages 33--42, 1999.

Digital Library

[19]

T. Jaeger and J. Tidswell. Practical safety in flexible access control models. ACM Trans. Inf. Syst. Secur. (TISSEC), 4(3):158--190, 2002.

Digital Library

[20]

S. Jajodia, P. Samarati, and V. S. Subrahmanian. A logical language for expressing authorizations. In IEEE Symposium on Security and Privacy, pages 31--42, Oakland, CA, May 1997.

Digital Library

[21]

J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Language Reference Manual, Second Edition. Object Technology Series, Addison Wesley Longman, Reading, Mass, 2004.

Digital Library

[22]

J. Jürjens. UMLsec: Extending UML for secure systems development. In Proceedings of the 5th International Conference on The United Modeling Language, pages 412--425. Springer Verlag, 2002.

Digital Library

[23]

M. Koch, L. V. Mancini, and F. Parisi-Presicce. A graph-based formalism for RBAC. ACM Trans. Inf. Syst. Secur. (TISSEC), 5(3):332--365, 2002.

Digital Library

[24]

T. Lodderstedt, D. Basin, and J. Doser. SecureUML: A UML-based modeling language for model-driven security, 2002.

[25]

V. V. M. Hitchens. Tower: a language for role-based access control. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks, pages 88--106, Bristol, UK, 2001.

[26]

OASIS. XACML Language Proposal, Version 0.8. Technical Report, Organization for the Advancement of Structured Information Standards, 2002, Available electronically from http://www.oasisopen.org/committees/xacml.

[27]

I. Ray, N. Li, R. France, and D. -K. Kim. Using UML to visualize role-based access control constraints. In Proceedings of the ninth ACM symposium on Access control models and technologies (SACMAT), pages 115--124, 2004.

Digital Library

[28]

R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, 1996.

Digital Library

[29]

M. E. Shin and G. -J. Ahn. UML-based representation of role-based access control. In Proceedings of the 9th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pages 195--200, 2000.

Digital Library

[30]

K. Sohr, G. -J. Ahn, and L. Migge. Articulating and enforcing authorisation policies with UML and OCL. In Proceedings of the 2005 workshop on Software engineering for secure systems building trustworthy applications, pages 1--7, 2005.

Digital Library

[31]

J. Tidswell and T. Jaeger. An access control model for simplifying constraint expression. In Proceedings of the 7th ACM conference on Computer and communications security, pages 154--163, Athens, Greece, November 2000.

Digital Library

[32]

J. Warmer and A. Kleppe. The Object Constraint Language: Getting your models ready for MDA. Addison-Wesley, Reading/MA, 2003.

Digital Library

Cited By

Zhu H(2021)Group Role Assignment (GRA)E‐CARGO and Role‐Based Collaboration10.1002/9781119693123.ch5(141-171)Online publication date: 19-Nov-2021
https://doi.org/10.1002/9781119693123.ch5
Al-Hadhrami N(2019)Modeling and Re-Evaluating Security in an Incremental Development of RBAC-Based Systems Using B MethodExploring Security in Software Architecture and Design10.4018/978-1-5225-6313-6.ch005(104-135)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-6313-6.ch005
Gorshkova ENovikov BShukla M(2017)A Fine-Grained Access Control Model and ImplementationProceedings of the 18th International Conference on Computer Systems and Technologies10.1145/3134302.3134310(187-194)Online publication date: 23-Jun-2017
https://dl.acm.org/doi/10.1145/3134302.3134310
Show More Cited By

Index Terms

Recommendations

Compositional Refinement of Policies in UML --- Exemplified for Access Control
ESORICS '08: Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security

The UML is the <em>de facto</em>standard for system specification, but offers little specialized support for the specification and analysis of policies. This paper presents Deontic STAIRS, an extension of the UML sequence diagram notation with ...
The approach of ensuring consistency of UML model based on rules
CompSysTech '10: Proceedings of the 11th International Conference on Computer Systems and Technologies and Workshop for PhD Students in Computing on International Conference on Computer Systems and Technologies

Expressing information system (IS) through multiple models is related with inconsistency problem, sometimes ambiguous or even contradictory information are provided in different aspect models. Unified modelling language (UML) is often used in practice ...
A decade of model-driven security
SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies

In model-driven development, system designs are specified using graphical modeling languages like UML and system artifacts such as code and configuration data are automatically generated from the models. Model-driven security is a specialization of this ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

June 2007

254 pages

ISBN:9781595937452

DOI:10.1145/1266840

General Chair:
Volkmar Lotz
SAP Labs, France
,
Program Chair:
Bhavani Thuraisingham
University of Texas at Dallas, USA

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 June 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SACMAT07

Sponsor:

SACMAT07: 12th ACM Symposium on Access Control Models and Technologies

June 20 - 22, 2007

Sophia Antipolis, France

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
851
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)0

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhu H(2021)Group Role Assignment (GRA)E‐CARGO and Role‐Based Collaboration10.1002/9781119693123.ch5(141-171)Online publication date: 19-Nov-2021
https://doi.org/10.1002/9781119693123.ch5
Al-Hadhrami N(2019)Modeling and Re-Evaluating Security in an Incremental Development of RBAC-Based Systems Using B MethodExploring Security in Software Architecture and Design10.4018/978-1-5225-6313-6.ch005(104-135)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-6313-6.ch005
Gorshkova ENovikov BShukla M(2017)A Fine-Grained Access Control Model and ImplementationProceedings of the 18th International Conference on Computer Systems and Technologies10.1145/3134302.3134310(187-194)Online publication date: 23-Jun-2017
https://dl.acm.org/doi/10.1145/3134302.3134310
Sergeev AMatulevicius R(2017)An Approach to Capture Role-Based Access Control Models from Spring Web Applications2017 IEEE 21st International Enterprise Distributed Object Computing Conference (EDOC)10.1109/EDOC.2017.29(159-164)Online publication date: Oct-2017
https://doi.org/10.1109/EDOC.2017.29
Aziz BAl-hadhrami NOthmane L(2016)An Incremental B-Model for RBAC-Controlled Electronic Marking SystemInternational Journal of Secure Software Engineering10.4018/IJSSE.20160401037:2(37-64)Online publication date: 1-Apr-2016
https://dl.acm.org/doi/10.4018/IJSSE.2016040103
Ledru YIdani AMilhau JQamar NLaleau RRichier JLabiadh M(2015)Validation of IS Security Policies Featuring Authorisation ConstraintsInternational Journal of Information System Modeling and Design10.4018/ijismd.20150101026:1(24-46)Online publication date: 1-Jan-2015
https://dl.acm.org/doi/10.4018/ijismd.2015010102
Al-Hadhrami NAziz BSardesai SOthmane L(2015)Incremental Development of RBAC-Controlled E-Marking System Using the B MethodProceedings of the 2015 10th International Conference on Availability, Reliability and Security10.1109/ARES.2015.95(532-539)Online publication date: 24-Aug-2015
https://dl.acm.org/doi/10.1109/ARES.2015.95
Pereira ORegateiro DAguiar R(2014)Role-Based Access control mechanisms2014 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC.2014.6912546(1-7)Online publication date: Jun-2014
https://doi.org/10.1109/ISCC.2014.6912546
Hu HAhn GJorgensen J(2013)Multiparty Access Control for Online Social NetworksIEEE Transactions on Knowledge and Data Engineering10.1109/TKDE.2012.9725:7(1614-1627)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1109/TKDE.2012.97
Qamar NFaber JLedru YLiu Z(2013)Automated Reviewing of Healthcare Security PoliciesFoundations of Health Information Engineering and Systems10.1007/978-3-642-39088-3_12(176-193)Online publication date: 2013
https://doi.org/10.1007/978-3-642-39088-3_12
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents