Verifiable composition of access control and application features

Song, Eun-Jee; Reddy, Raghu; Ray, Indrakshi; Georg, Geri; Alexander, Robert R.

doi:10.1145/1063979.1064001

Cited by 32 publications

(22 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kim et al represent RBAC policies as UML patterns that are then instantiated on a model, using UML template diagrams [24]. Song et al use Aspect-Oriented Modelling to represent RBAC policies as crosscutting concerns in a UML model, and provides support for verifying properties that the model should satisfy [38]. Sun et al translate UML models to Alloy in order to verify properties using a SAT solver [39].…”

Section: Access Control and Verificationmentioning

confidence: 99%

Run-time generation, transformation, and verification of access control models for self-protection

Bailey

Montrieux

Lemos

et al. 2014

Proceedings of the 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

View full text Add to dashboard Cite

Self-adaptive access control, in which self-* properties are applied to protecting systems, is a promising solution for the handling of malicious user behaviour in complex infrastructures. A major challenge in self-adaptive access control is ensuring that chosen adaptations are valid, and produce a satisfiable model of access. The contribution of this paper is the generation, transformation and verification of Role Based Access Control (RBAC) models at run-time, as a means for providing assurances that the adaptations to be deployed are valid. The goal is to protect the system against insider threats by adapting at run-time the access control policies associated with system resources, and access rights assigned to users. Depending on the type of attack, and based on the models from the target system and its environment, the adapted access control models need to be evaluated against the RBAC metamodel, and the adaptation constraints related to the application. The feasibility of the proposed approach has been demonstrated in the context of a fully working prototype using malicious scenarios inspired by a well documented case of insider attack.

show abstract

Section: Access Control and Verificationmentioning

confidence: 99%

Run-time generation, transformation, and verification of access control models for self-protection

Bailey

Montrieux

Lemos

et al. 2014

Proceedings of the 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

View full text Add to dashboard Cite

show abstract

“…However, it focuses only on how to model RBAC and MAC systems in UML without considering how this approach can be used to design a secure software system. In another effort [27], Ray et al integrate RBAC and MAC policies into an application using an aspect-oriented approach to separate access control features from other application features.…”

Section: State Of the Art Surveymentioning

confidence: 99%

“…Many contributions have been presented in the state of the art for specifying and enforcing security at UML design [1,2,4,5,6,7,8,14,16,17,18,19,20,22,23,27,28,30]. While sharing almost the same objectives, these contributions Cite this document as follows: http://www.jot.fm/general/JOT template LaTeX.tgz * The research leading to this work was possible due to funding and scientific collaboration with Software Research, Ericsson Canada.…”

Section: Introductionmentioning

confidence: 99%

Usability of Security Specification Approaches for UML Design: A Survey.

Talhi¹,

Mouheb²,

Lima³

et al. 2009

JOT

View full text Add to dashboard Cite

Since it is the de facto language for software specification and design, UML is the target language used by almost all state of the art contributions handling security at specification and design level. However, these contributions differ in the covered security requirements, specification approaches, verification tools, etc. This paper investigates the main approaches adopted for specifying and enforcing security at UML design and surveys the related state of the art. The main contribution of this paper is a discussion of these approaches from usability viewpoint. A set of criteria has been defined and used in this usability discussion. The discussed UML approaches are stereotypes and tagged values, OCL, and behavior diagrams. Extending the UML meta-language or creating new meta-languages for security specification are also covered by this study.

show abstract

“…Song et al [39] have demonstrated the use of a role-based access control (RBAC) within the AOM approach [4]. However, the approach where XACML can be used as it is to specify the access control policies is more suitable.…”

Section: Aom Approachesmentioning

confidence: 99%

Specifying and Composing Concerns Expressed in Domain-Specific Modeling Languages

Hovsepyan

Baelen

Berbers

et al. 2009

Objects, Components, Models and Patterns

View full text Add to dashboard Cite

Summary. Separation of concerns and levels of abstraction are key software engineering principles that can help master the increasing complexity of software applications. Aspect-oriented modeling (AOM) and domain-specific modeling languages (DSML) are two important and promising approaches in this context. However, little research is done to investigate the synergy between AOM and DSMLs. In this paper we present an asymmetric approach to compose modularized concerns expressed in different DSMLs with an application base model expressed in a general-purpose modeling language (GPML). This allows to specify each concern in the most appropriate modeling language. We introduce the concept of a concern interface, expressed in a GPML, that serves as a common language between a specific concern and the application base. In addition, we use an explicit composition model to specify the syntactic and the semantic links between entities from the different concerns. We explore these concepts using an application where we modularize the user interface modeled in WebML and the access control specified in XACML. The modularized concerns are then composed with an application base that has been specified in UML.

show abstract

Verifiable composition of access control and application features

Cited by 32 publications

References 21 publications

Run-time generation, transformation, and verification of access control models for self-protection

Run-time generation, transformation, and verification of access control models for self-protection

Usability of Security Specification Approaches for UML Design: A Survey.

Specifying and Composing Concerns Expressed in Domain-Specific Modeling Languages

Contact Info

Product

Resources

About