Taking into Account Functional Models in the Validation of IS Security Policies

Ledru, Yves; Idani, Akram; Milhau, Jérémy; Qamar, Nafees; Laleau, Régine; Richier, Jean-Luc; Labiadh, Mohamed-Amine

doi:10.1007/978-3-642-22056-2_62

Cited by 13 publications

(9 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Logically, we recognize this when ROLES − ROLES IMP ≠ ∅. Thus, we define missed roles in (11) by the difference between the two sets of specified and implemented roles:…”

Section: Validation Propertiesmentioning

confidence: 99%

“…In [6], authors proposed to transform the specification realized with SecureUML to the Z language and to analyze the policy with the Jaza tool that allows animating the specification. Authors in [11] chose to transform the specification to the B notation using the B4Msecure tool and to analyze it with the ProB tool. Authors in [14] defined a logical framework to enforce the integrity of access control policies in relational databases.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

Jaidi¹,

Ayachi²

2015

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

Our research works are in the context of verifying the integrity of access control policies in relational database management systems. This paper addresses the following question: In terms of security and particularly access control, does an information system actually do what was planned for it to do? Thus, an important aspect is to help security architects verifying the correspondence between the security planning and its real implementation. We present a synthesis of the problem of access control policy integrity within relational databases. Then, we introduce our proposal for addressing this issue. We especially focus on the verification and validation of the conformity of concrete role based access control policies in a formal environment. Finally, we illustrate the relevance of our contribution through a case of study.

show abstract

“…Logically, we recognize this when ROLES − ROLES IMP ≠ ∅. Thus, we define missed roles in (11) by the difference between the two sets of specified and implemented roles:…”

Section: Validation Propertiesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

Jaidi¹,

Ayachi²

2015

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

show abstract

“…This requires that the designer expresses the constraint as B statements. In SecureUML these constraints can be modeled using OCL; however, there is no tool that can validate both static and functional models with such constraints [16]. Figure 9 details the operation used in the rest of this paper: secure_MedicalRecord__GetData.…”

Section: Patienthospitalrel(patientmedicalrecordrel(instance)))mentioning

confidence: 99%

Combining UML, ASTD and B for the formal specification of an access control filter

Milhau¹,

Idani²,

Laleau³

et al. 2011

Innovations Syst Softw Eng

View full text Add to dashboard Cite

International audienceCombination of formal and semi-formal methods is more and more required to produce specifications that can be, on the one hand, understood and thus validated by both designers and users and, on the other hand, precise enough to be verified by formal methods. This motivates our aim to use these complementary paradigms in order to deal with security aspects of information systems. This paper presents a methodology to specify access control policies starting with a set of graphical diagrams: UML for the functional model, SecureUML for static access control and ASTD for dynamic access control. These diagrams are then translated into a set of B machines. Finally, we present the formal specification of an access control filter that coordinates the different kinds of access control rules and the specification of functional operations. The goal of such B specifications is to rigorously check the access control policy of an information system taking advantage of tools from the B method

show abstract

“…In [22], authors formalize the specified diagrams (SecureUML diagrams) in the Z language and analyze the policy based on the specification animator Jaza tool. Authors in [23] suggested translating the SecureUML diagrams in the B notation by using the B4Msecure tool and checking the obtained models via the ProB tool. In [24], authors structure the set of roles in a graph that captures different variants of RBAC models.…”

Section: Verification and Validation Of Access Control Policiesmentioning

confidence: 99%

“…The authors in [51,52] defined an UML-B-SQL transformation that allows specifying IS with UML, translating the specifications to the formal B notation, and generating after successive refinements Java/SQL codes. The authors in [23] proposed an approach to encode UML and SecureUML diagrams in the formal B notation. According to our knowledge, the transformation in the other way (from SQL to B notation so-called SQL-B mapping) is not addressed in literature.…”

Section: Reverse-engineering and Formalization Of Access Control Polimentioning

confidence: 99%

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Jaidi

Ayachi

Bouhoula

2018

Security and Communication Networks

View full text Add to dashboard Cite

Substantial advances in Information and Communication Technologies (ICT) bring out novel concepts, solutions, trends, and challenges to integrate intelligent and autonomous systems in critical infrastructures. A new generation of ICT environments (such as smart cities, Internet of Things,edge-fog-social-cloudcomputing, and big data analytics) is emerging; it has different applications to critical domains (such as transportation, communication, finance, commerce, and healthcare) and different interconnections via multiple layers of public and private networks, forming a grid of critical cyberphysical infrastructures. Protecting sensitive and private data and services in critical infrastructures is, at the same time, a main objective and a great challenge for deploying secure systems. It essentially requires setting up trusted security policies. Unfortunately, security solutions should remain compliant and regularly updated to follow and track the evolution of security threats. To address this issue, we propose an advanced methodology for deploying and monitoring the compliance of trusted access control policies. Our proposal extends the traditional life cycle of access control policies with pertinent activities. It integrates formal and semiformal techniques allowing the specification, the verification, the implementation, the reverse-engineering, the validation, the risk assessment, and the optimization of access control policies. To automate and facilitate the practice of our methodology, we introduce our systemSVIRVROthat allows managing the extended life cycle of access control policies. We refer to an illustrative example to highlight the relevance of our contributions.

show abstract

Taking into Account Functional Models in the Validation of IS Security Policies

Cited by 13 publications

References 22 publications

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

A Formal Approach Based on Verification and Validation Techniques for Enhancing the Integrity of Concrete Role Based Access Control Policies

Combining UML, ASTD and B for the formal specification of an access control filter

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Contact Info

Product

Resources

About