Skip to main content
Springer Nature Link
Log in

Automatic Conformance Checking of Role-Based Access Control Policies via Alloy

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6542))

Included in the following conference series:

Abstract

Access control policies are a crucial aspect of many security-critical software systems. It is generally accepted that the construction of access control policies is not a straightforward task. Further, any mistakes in the process have the potential to give rise both to security risks, due to the provision of inappropriate access, and to frustration on behalf of legitimate end-users when they are prevented from performing essential tasks. In this paper we describe a tool for constructing role-based access control (RBAC) policies, which are automatically checked for conformance with constraints described using predicate logic. These constraints may represent general healthiness conditions that should hold of all policies conforming to a general model, or capture requirements pertaining to a particular deployment.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Zhang, N., Ryan, M., Guelev, D.: Evaluating access control policies through model checking. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 446–460. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  2. Crampton, J., Huth, M.: Towards an access-control framework for countering insider threats. In: Bishop, M., Gollman, D., Hunker, J., Probst, C. (eds.) Insider Threats in Cyber Security and Beyond. Springer, Heidelberg (2010)

    Google Scholar 

  3. Bertino, E., Crampton, J.: Security for distributed systems: Foundations of access control. In: Qian, Y., Tipper, D., Krishnamurthy, P., Joshi, J. (eds.) Information Assurance: Survivability and Security in Networked Systems, pp. 39–80. Morgan Kaufmann, San Francisco (2007)

    Google Scholar 

  4. Gouglidis, A., Mavridis, I.: On the definition of access control requirements for grid and cloud computing systems. In: Networks for Grid Applications. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 25, part 2, pp. 19–26 (2010)

    Google Scholar 

  5. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  6. De Capitani di Vimercati, S., Foresti, S., Samarati, P.: Authorization and access control. In: Petkovíc, M., Jonker, W. (eds.) Security, Privacy, and Trust in Modern Data Management, pp. 39–53. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  7. Ferraiolo, D.F., Kuhn, D.R., Chandramouli, R.: Role-based access control. Artech House Publishers, Boston (2003)

    MATH  Google Scholar 

  8. Jackson, D.: Alloy: a lightweight object modelling notation. ACM Transactions on Software Engineering Methodologies 11(2), 256–290 (2002)

    Article  Google Scholar 

  9. Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2006)

    Google Scholar 

  10. Simpson, A.C., Power, D.J., Russell, D., Slaymaker, M.A., Kouadri-Mostefaoui, G., Ma, X., Wilson, G.: A healthcare-driven framework for facilitating the secure sharing of data across organisational boundaries. Studies in Health Technology and Informatics 138, 3–12 (2008)

    Google Scholar 

  11. Slaymaker, M.A., Power, D.J., Russell, D., Wilson, G., Simpson, A.C.: Accessing and aggregating legacy data sources for healthcare research, delivery and training. In: Proceedings of the 2008 ACM Symposium on Applied Computing (SAC 2008), pp. 1317–1324 (2008)

    Google Scholar 

  12. Slaymaker, M.A., Power, D.J., Russell, D., Simpson, A.C.: On the facilitation of fine-grained access to distributed healthcare data. In: Jonker, W., Petković, M. (eds.) SDM 2008. LNCS, vol. 5159, pp. 169–184. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  13. Simpson, A.C., Power, D.J., Russell, D., Slaymaker, M.A., Bailey, V., Tromans, C.E., Brady, J.M., Tarassenko, L.: GIMI: the past, the present, and the future. Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 368, 3891–3905 (2010)

    Article  Google Scholar 

  14. Ferraiolo, D.F., Sandhu, R.S., Gavrilla, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security 4(3), 224–274 (2001)

    Article  Google Scholar 

  15. El Kalam, A.A., Baida, R.E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks (Policy 2003), Como, Italie (2003)

    Google Scholar 

  16. Power, D.J., Slaymaker, M.A., Simpson, A.C.: On formalising and normalising role-based access control systems. The Computer Journal 52(3), 303–325 (2009)

    Article  Google Scholar 

  17. Torlak, E., Jackson, D.: Kodkod: A relational model finder. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 632–647. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  18. Woodcock, J.C.P., Davies, J.W.M.: Using Z: Specification, Refinement, and Proof. Prentice-Hall, Englewood Cliffs (1996)

    MATH  Google Scholar 

  19. Power, D.J., Slaymaker, M.A., Simpson, A.C.: On the modelling and analysis of amazon web services access policies. In: Frappier, M., Glässer, U., Khurshid, S., Laleau, R., Reeves, S. (eds.) ABZ 2010. LNCS, vol. 5977, p. 394. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  20. Slaymaker, M.A., Power, D.J., Simpson, A.C.: Formalising and validating RBAC-to-XACML translation using lightweight formal methods. In: Frappier, M., Glässer, U., Khurshid, S., Laleau, R., Reeves, S. (eds.) ABZ 2010. LNCS, vol. 5977, pp. 349–362. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  21. Crampton, J.: Specifying and enforcing constraints in role-based access control. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT 2003), pp. 43–50 (2003)

    Google Scholar 

  22. Hu, H., Ahn, G.: Enabling verification and conformance testing for access control model. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT 2008), pp. 195–204 (2008)

    Google Scholar 

  23. Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. International Journal on Software Tools for Technology Transfer 10(6), 503–520 (2007)

    Article  Google Scholar 

  24. Zhang, N., Guelev, D.P., Ryan, M.: Synthesising verified access control systems through model checking. Journal of Computer Security 16(1), 1–61 (2007)

    Article  Google Scholar 

  25. Becker, M.Y.: Specification and analysis of dynamic authorisation policies. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF 2009), pp. 203–217 (2009)

    Google Scholar 

  26. Behnke, R., Berghammer, R., Meyer, E., Schneider, P.: RELVIEW - A system for calculating with relations and relational programming. In: Astesiano, E. (ed.) ETAPS 1998 and FASE 1998. LNCS, vol. 1382, pp. 318–321. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computing Laboratory, Oxford University, Wolfson Building, Parks Road, Oxford, OX1 3QD, United Kingdom

    David Power, Mark Slaymaker & Andrew Simpson

Authors
  1. David Power
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mark Slaymaker
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrew Simpson
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Google Inc., 1288 Pear Ave, 94043, Mountain View, CA, USA

    Úlfar Erlingsson

  2. Computer Science Department, University of Twente, Drienerlolaan 5, 7522 NB, Enschede, The Netherlands

    Roel Wieringa

  3. Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5612 AZ, Eindhoven, The Netherlands

    Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Power, D., Slaymaker, M., Simpson, A. (2011). Automatic Conformance Checking of Role-Based Access Control Policies via Alloy. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-19125-1_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19124-4

  • Online ISBN: 978-3-642-19125-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics