A Rigorous Approach to Uncovering Security Policy Violations in UML Designs

Yu, Liangli; France, Robert; Ray, Indrakshi; Ghosh, Sudipto

doi:10.1109/iceccs.2009.16

Cited by 12 publications

(8 citation statements)

References 19 publications

(28 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several counterexamples are generated to examine the policy which they are interested in. Yu et al [16] propose scenarios in terms of state transitions to uncover violations in security policies. Such approaches and Alloy analyzer (unlike model checkers) have advantages over model checking tools since model checking merely considers closed-world view of systems [16]; that means no inputs are taken from external resources.…”

Section: Rbac Constraints and Alloymentioning

confidence: 99%

“…Yu et al [16] propose scenarios in terms of state transitions to uncover violations in security policies. Such approaches and Alloy analyzer (unlike model checkers) have advantages over model checking tools since model checking merely considers closed-world view of systems [16]; that means no inputs are taken from external resources. In their approach, all operation calls take the form of scenarios and a system state is a configuration of objects.…”

Section: Rbac Constraints and Alloymentioning

confidence: 99%

See 1 more Smart Citation

Taking into Account Functional Models in the Validation of IS Security Policies

Ledru

Idani

Milhau

et al. 2011

Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications

View full text Add to dashboard Cite

International audienceDesigning a security policy for an information system (IS) is a non-trivial task. Variants of the RBAC model can be used to express such policies as access-control rules associated to constraints. In this paper, we advocate that currently available tools do not take sufficiently into account the functional description of the application and its impact on authorisation constraints and dynamic aspects of security. We suggest to translate both security and functional models into a formal language, such as B, whose analysis and animation tools will help validate a larger set of security scenarios. We show how various kinds of constraints can be expressed and animated in this context

show abstract

Section: Rbac Constraints and Alloymentioning

confidence: 99%

Section: Rbac Constraints and Alloymentioning

confidence: 99%

Taking into Account Functional Models in the Validation of IS Security Policies

Ledru

Idani

Milhau

et al. 2011

Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications

View full text Add to dashboard Cite

show abstract

“…Yu et al [6] propose a technique to uncover violations in security rules specified by using RBAC. Their technique implements role activation and SoD constraints and role hierarchy using UML and OCL.…”

Section: Semi-formal Approachesmentioning

confidence: 99%

“…In turn, one can specify and validate a (sub)set of access control rules. A few example studies are [6][7] [8][9] [10]. In the sequel, we call these semiformal techniques.…”

Section: Introductionmentioning

confidence: 99%

Evaluating RBAC Supported Techniques and their Validation and Verification

Qamar

Ledru

Idani

2011

2011 Sixth International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

International audienceThis paper evaluates the security specification techniques that employ Role Based Access Control (RBAC) variants. RBAC offers a special kind of access control mechanism based on the use of roles to grant permissions. Its variants include role hierarchy and separation of duty (SoD) constraints. The overall management of a RBAC supported system is made through its administrative, review and supporting system functions. In this paper, a summary of semi-formal and formal techniques employing RBAC is provided along with their benefits and limitations. Here, semi-formal techniques refer to UML+OCL while formal ones are based on Alloy. This paper may guide through the process of selecting an appropriate technique to specify security rules. This is done by analyzing the degree of coverage of RBAC including some extensions like SoD and role hierarchy. We also investigate the use of validation and verification tools in these techniques. We find that formal techniques are more amenable to automated analysis as compared to semi-formal ones. Semi-formal techniques are rich in specifying RBAC variants but have prototypic tools. Session based dynamic aspects of RBAC have been partly covered in both techniques

show abstract

“…The approach also builds upon our previous work on the Scenario-based UML Design Analysis (SUDA) approach [22], [23]. A designer uses SUDA to check whether a specific functional scenario is supported by a design class model in which operations are specified using the OCL.…”

Section: Introductionmentioning

confidence: 99%

Rigorous Analysis of UML Access Control Policy Models

Sun

France

Ray

2011

2011 IEEE International Symposium on Policies for Distributed Systems and Networks

Self Cite

View full text Add to dashboard Cite

The use of the Unified Modeling Language (UML) for specifying security policies is attractive because it is expressive and has a wide user base in the software industry. However, there are very few mature tools that support rigorous analysis of UML models. Alloy is a formal specification language that has been used to rigorously analyze security policies, but few practitioners have the background needed to develop good Alloy models. We propose a new approach to policy analysis in which designers use UML at the front-end to describe their security policies and the Alloy Analyzer is used at the backend to analyze the modeled properties. The UML-to-Alloy and Alloy-to-UML transformations obviate the need for security designers to understand the Alloy specification language. The proposed approach supports the analysis of both functional and structural aspects of security policies.

show abstract

A Rigorous Approach to Uncovering Security Policy Violations in UML Designs

Cited by 12 publications

References 19 publications

Taking into Account Functional Models in the Validation of IS Security Policies

Taking into Account Functional Models in the Validation of IS Security Policies

Evaluating RBAC Supported Techniques and their Validation and Verification

Rigorous Analysis of UML Access Control Policy Models

Contact Info

Product

Resources

About