A Rigorous Framework for Specification, Analysis and Enforcement of Access Control Policies

Margheri, Andrea; Masi, Massimiliano; Pugliese, Rosario; Tiezzi, Francesco

doi:10.1109/tse.2017.2765640

Cited by 20 publications

(20 citation statements)

References 48 publications

(178 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…As formally proved in [16], these constraints ensure that the corresponding FACPL (and, hence, XACML) policy evaluates an request to a certain decision dec if and only if the constraint c corresponding to dec is satisfiable with respect to the request. Therefore, once the Analyser receives the sensed request req and its response res, it first translates req into a set of SMT assertions, say c req , modelling the attributes forming the requests.…”

Section: Algorithm 1 Access Logs Comparison Algorithmmentioning

confidence: 96%

“…To this aim, there are available in the literature a few fullfledged analysis frameworks for XACML [14], [15], [16]. Differently from others, the framework in [16] enjoys the benefits of using formal method techniques to model and analyse XACML policies.…”

Section: A Architecturementioning

confidence: 99%

“…Differently from others, the framework in [16] enjoys the benefits of using formal method techniques to model and analyse XACML policies. The pursued approach rests on FACPL, a formal language to represent XACML, and on its translation procedure to Satisfiability Modulo Theory (SMT) constraints [17].…”

Section: A Architecturementioning

confidence: 99%

“…The FACPL-based framework ensures compelling properties on the analysis on XACML policies, hence on detecting PDP violations. Differently from other analysis framework (e.g., those in [14], [15], [16]), it ensures, experimental proves on its semantic compliance with XACML; the proves have been defined by using the XACML implementation Balana and the validation tool X-CREATE [24]. On the other hand, it ensures that the FACPL translation procedure to SMT constraints is formally proved correct according to the FACPL semantics.…”

Section: A Security Considerationsmentioning

confidence: 99%

See 3 more Smart Citations

Decentralised Runtime Monitoring for Access Control Systems in Cloud Federations

Ferdous

Margheri

Paci

et al. 2017

2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS)

Self Cite

View full text Add to dashboard Cite

Abstract-Cloud federation is an emergent cloud-computing paradigm where partner organisations share data and services hosted on their own clouds platforms. In this context, it is crucial to enforce access control policies that satisfy the data protection and privacy requirements of the partner organisations. However, due to the distributed nature of cloud federations, the access control system alone does not guarantee that its deployed components cannot be circumvented while processing access requests. Therefore, in order to promote accountability and transparency of access control decisions in federated clouds, we present a decentralised runtime monitoring architecture based on a blockchain technology. The logging components and data of the proposed infrastructure are deployed on the blockchain. This guarantees that the runtime monitoring components and the access logs cannot be compromised by malicious users to disguise their actions. We evaluate the performance of the runtime monitoring infrastructure with respect to detecting policy violations, and the cost of deploying the logging components and data on the blockchain.

show abstract

Section: Algorithm 1 Access Logs Comparison Algorithmmentioning

confidence: 96%

Section: A Architecturementioning

confidence: 99%

Section: A Architecturementioning

confidence: 99%

Section: A Security Considerationsmentioning

confidence: 99%

See 2 more Smart Citations

Decentralised Runtime Monitoring for Access Control Systems in Cloud Federations

Ferdous

Margheri

Paci

et al. 2017

2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recent work by Margheri et al [31] proposes a framework for the specification, analysis, and enforcement of ABAC [25] (attributebased access control) policies; RBAC can be seen as a specific case of ABAC, where role is one of the attributes. In this work, both AC requests and policies are expressed in a high-level language called FACPL; they are then translated into constraints to be solved using an SMT solver.…”

Section: Related Workmentioning

confidence: 99%

Model-driven run-time enforcement of complex role-based access control policies

Fadhel

Bianculli

Briand

2018

Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

View full text Add to dashboard Cite

A Role-based Access Control (RBAC) mechanism prevents unauthorized users to perform an operation, according to authorization policies which are defined on the user's role within an enterprise. Several models have been proposed to specify complex RBAC policies. However, existing approaches for policy enforcement do not fully support all the types of policies that can be expressed in these models, which hinders their adoption among practitioners.In this paper we propose a model-driven enforcement framework for complex policies captured by GemRBAC+CTX, a comprehensive RBAC model proposed in the literature. We reduce the problem of making an access decision to checking whether a system state (from an RBAC point of view), expressed as an instance of the Gem-RBAC+CTX model, satisfies the constraints corresponding to the RBAC policies to be enforced at run time. We provide enforcement algorithms for various types of access requests and events, and a prototype tool (MORRO) implementing them. We also show how to integrate MORRO into an industrial Web application. The evaluation results show the applicability of our approach on a industrial system and its scalability with respect to the various parameters characterizing an AC configuration. CCS CONCEPTS• Security and privacy → Access control; • Software and its engineering → Model-driven software engineering; KEYWORDS role-based access control, enforcement, policies, model-driven engineering ACM Reference Format:

show abstract

An automated framework for continuous development and testing of access control systems

Daoudagh

Lonetti

Marchetti

2020

J Software Evolu Process

View full text Add to dashboard Cite

Automated testing in DevOps represents a key factor for providing fast release of new software features assuring quality delivery. In this paper, we introduce DOXAT, an automated framework for continuous development and testing of access control mechanisms based on the XACML standard. It leverages mutation analysis for the selection and assessment of the test strategies and provides automated facilities for test oracle definition, test execution, and results analysis, in order to speedup and automate the Plan, Code, Build, and Test phases of DevOps process. We show the usage of the framework during the planning and testing phases of the software development cycle of a PDP example.

show abstract

A Rigorous Framework for Specification, Analysis and Enforcement of Access Control Policies

Cited by 20 publications

References 48 publications

Decentralised Runtime Monitoring for Access Control Systems in Cloud Federations

Decentralised Runtime Monitoring for Access Control Systems in Cloud Federations

Model-driven run-time enforcement of complex role-based access control policies

An automated framework for continuous development and testing of access control systems

Contact Info

Product

Resources

About