ACM Digital Library record. DOI: 10.1145/1998441.1998471. Research article, SACMAT conference proceedings.

Validation of security policies by the animation of Z specifications

Published: 15 June 2011

Abstract

Designing a security policy for an information system is a non-trivial task. In this paper, we consider the design of a security policy based on a variant of the RBAC model close to SecureUML. This variant includes constraints for the separation of duty, as well as contextual constraints. Contextual constraints use information about the state of the functional model of the application to grant permissions to users. These constraints add flexibility to the security policy but make its validation more difficult. We first review two tools, USE and SecureMOVA, which can be used to analyse and validate a security policy; both focus on the static aspects of the secured system. We then propose a new tool, based on the Z formal language, which uses animation of the specification to validate the static as well as the dynamic aspects of the security policy, taking into account possible evolutions of the state of the functional model. We discuss how the security policy and the functional application are described to the tool, and what kinds of queries and animations can be performed to analyse nominal and malicious behaviours of the system.
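The point the abstract makes, that a static analysis of roles and constraints can miss violations which only appear once the functional state and the role assignment have evolved, can be illustrated with an executable toy model. The Python below is an added example and is not the paper's tool, its Z specification or its case study: the users alice and bob, the roles Clerk and Manager, the order workflow (create, submit, approve), the administrative role-toggle operation and the business rule "no order may be approved by its own creator" are all hypothetical. It plays the role of the animator: starting from an initial state it explores every sequence of permitted operations breadth-first and reports the shortest sequence that reaches a bad state. With only a static separation-of-duty constraint (a user never holds Clerk and Manager at the same time) a malicious sequence exists, because roles can be changed between the creation and the approval of an order; adding the contextual constraint (approver must differ from the order's creator, evaluated against the functional state) removes it.

```python
"""Toy executable model of an RBAC policy with a static separation-of-duty
(SoD) constraint and a contextual, state-dependent constraint.  The policy is
"animated" by exhaustively exploring sequences of operations, so that
violations which only arise after the functional state and the role
assignment have evolved can be found.  Everything here (users, roles, the
order workflow, the business rule) is a hypothetical illustration."""
from itertools import product

USERS = ("alice", "bob")
ROLES = ("Clerk", "Manager")
# role -> actions it grants (the static part of the policy)
PERMS = {"Clerk": {"create", "submit"}, "Manager": {"approve"}}
MAX_ORDERS = 1          # keeps the explored state space tiny


def initial_state():
    """State = (orders, user-role assignment).  An order is the tuple
    (id, creator, status, approver); the assignment is a set of (user, role)."""
    return (frozenset(), frozenset({("alice", "Clerk"), ("bob", "Manager")}))


def static_sod_ok(assign):
    """Static SoD: no user holds Clerk and Manager at the same time."""
    return not any((u, "Clerk") in assign and (u, "Manager") in assign
                   for u in USERS)


def permitted(user, action, order, assign, contextual):
    """RBAC decision.  The user needs a role carrying the action; under the
    contextual policy, approving also requires approver != order creator."""
    if not any((user, r) in assign and action in PERMS[r] for r in ROLES):
        return False
    if contextual and action == "approve" and order[1] == user:
        return False
    return True


def successors(state, contextual):
    """Yield (operation label, next state) for every enabled operation."""
    orders, assign = state
    for u in USERS:
        if len(orders) < MAX_ORDERS and permitted(u, "create", None, assign, contextual):
            yield f"{u}:create", (orders | {(len(orders), u, "draft", None)}, assign)
        for o in orders:
            oid, creator, status, _ = o
            if status == "draft" and permitted(u, "submit", o, assign, contextual):
                yield f"{u}:submit", ((orders - {o}) | {(oid, creator, "submitted", None)}, assign)
            if status == "submitted" and permitted(u, "approve", o, assign, contextual):
                yield f"{u}:approve", ((orders - {o}) | {(oid, creator, "approved", u)}, assign)
    # Administrative operations change the role assignment.  Each one is
    # guarded by the static SoD constraint, so static SoD holds in every
    # reachable state: a purely static analysis sees nothing wrong.
    for u, r in product(USERS, ROLES):
        new = assign ^ {(u, r)}           # grant if absent, revoke if present
        if static_sod_ok(new):
            yield f"admin:toggle({u},{r})", (orders, new)


def violation(state):
    """The business rule under test: an order approved by its own creator."""
    orders, _ = state
    return any(st == "approved" and approver == creator
               for _, creator, st, approver in orders)


def animate(contextual, max_depth=6):
    """Breadth-first animation from the initial state.  Returns the shortest
    operation sequence leading to a violation, or None if none is reachable
    within max_depth steps."""
    start = initial_state()
    frontier, seen = [(start, [])], {start}
    for _ in range(max_depth):
        nxt = []
        for state, trace in frontier:
            for op, s2 in successors(state, contextual):
                if s2 in seen:
                    continue
                seen.add(s2)
                if violation(s2):
                    return trace + [op]
                nxt.append((s2, trace + [op]))
        frontier = nxt
    return None


if __name__ == "__main__":
    print("static SoD only :", animate(contextual=False))
    print("+ contextual    :", animate(contextual=True))
```

With the static constraint alone the animation returns the five-step scenario in which alice creates and submits an order, an administrator revokes her Clerk role and grants her Manager (both steps satisfy static SoD), and she then approves her own order; with the contextual constraint enabled no violating state is reachable. The same idea scales to the paper's setting by replacing the hand-written successor function with the operations of a Z specification and letting the animator enumerate their preconditions.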



Published In

SACMAT '11: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies
June 2011, 196 pages
ISBN: 9781450306881
DOI: 10.1145/1998441

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

RBAC, SecureUML, Z formal specification, animation, security policy, validation

Conference

SACMAT '11
Overall acceptance rate: 177 of 597 submissions (30%)

Cited By

  • (2018) Model-based analysis of Java EE web security misconfigurations. Computer Languages, Systems and Structures 49(C):36-61. DOI: 10.1016/j.cl.2017.02.001. Published 20 Dec 2018.
  • (2016) Model-based analysis of Java EE web security configurations. Proceedings of the 8th International Workshop on Modeling in Software Engineering, pp. 55-61. DOI: 10.1145/2896982.2896986. Published 14 May 2016.
  • (2015) Validation of IS Security Policies Featuring Authorisation Constraints. International Journal of Information System Modeling and Design 6(1):24-46. DOI: 10.4018/ijismd.2015010102. Published Jan 2015.
  • (2015) Symbolic Search of Insider Attack Scenarios from a Formal Information System Modeling. Transactions on Petri Nets and Other Models of Concurrency X, LNCS 9410, pp. 131-152. DOI: 10.1007/978-3-662-48650-4_7. Published 1 Jul 2015.
  • (2013) The SPaCIoS Project. Proceedings of the 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation, pp. 497-498. DOI: 10.1109/ICST.2013.75. Published 18 Mar 2013.
  • (2013) Automated Reviewing of Healthcare Security Policies. Foundations of Health Information Engineering and Systems, pp. 176-193. DOI: 10.1007/978-3-642-39088-3_12. Published 2013.
  • (2011) Validation of security-design models using Z. Proceedings of the 13th International Conference on Formal Methods and Software Engineering, pp. 259-274. DOI: 10.5555/2075089.2075113. Published 26 Oct 2011.
  • (2011) A Survey on Access Control Deployment. Security Technology, pp. 11-20. DOI: 10.1007/978-3-642-27189-2_2. Published 2011.
