Skip to main content
SpringerLink
Log in

Enforcing spatio-temporal access control in mobile applications

  • Published:
Computing Aims and scope Submit manuscript

Abstract

Mobile application technology is quickly evolving and being progressively utilized in the commercial and public sectors. Such applications make use of spatio-temporal information to provide better services and functionalities. Authorization to such services often depends on the credentials of the user and also on the location and time. Although researchers have proposed spatio-temporal access control models for such applications, not much has been done with respect to enforcement of spatio-temporal access control. Towards this end, we provide a practical framework that allows one to enforce spatio-temporal policies in mobile applications. Our policy enforcement mechanism illustrates the practical viability of spatio-temporal authorization models and discusses potential challenges with possible solutions. Specifically, we propose an architecture for enforcing spatio-temporal access control and demonstrate its feasibility by developing a prototype. We also provide a number of protocols for granting and revoking access and formally analyze these protocols using the Alloy constraint solver to provide assurance that our proposed approach is indeed secure.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Similar content being viewed by others

References

  1. Schaad A, Moffett J (2002) A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the symposium on access control models and technologies (SACMAT), pp 13–22

  2. Anne A (2004) XACML profile for role-based access control (RBAC). OASIS Access Control TC Comm Draft 1:13

    Google Scholar 

  3. Samuel A, Ghafoor A, Bertino E (2007) A framework for specification and verification of generalized spatio-temporal role based access control model. Technical report CERIAS TR 2007–08, Purdue University, West Lafayette

  4. Chaudhuri A (2009) Language-based security on Android. In: Proceedings of the ACM workshop on programming languages and analysis for security (PLAS), pp 1–7

  5. Shafiq B, Masood A, Joshi J, Ghafoor A (2005) A role-based access control policy verification framework for real-time systems. In: Proceedings of the workshop on object-oriented real-time dependable systems (WORDS), pp 13–20

  6. Bose B, Sane S (2010) DTCOT: distributed timeout based transaction commit protocol for mobile database systems. In: Proceedings of the international conference and workshop on emerging trends in technology (ICWET), Mumbai, India, pp 518–523

  7. Kim D-K, Ray I, France RB, Li N (2004) Modeling role-based access control using parameterized UML models. In: Proceedings of the 7th international conference FASE’2004, pp 180–193

  8. Daniel J (2002) Alloy: a lightweight object modelling notation. ACM Trans Softw Eng Methodol 11(2):256–290

    Article  MathSciNet  Google Scholar 

  9. Daniel M, Gerald P, Richard M (1980) A locking protocol for resource coordination in distributed databases. ACM Trans Database Syst 5(2):103–138

    Google Scholar 

  10. Technische Universität Darmstadt. FlexiProvider. http://www.flexiprovider.de/overview.html/. Accessed on 30 Nov 2012

  11. Bertino E, Catania B, Damiani ML, Perlasca P (2005) GEO-RBAC: a spatially aware RBAC. In: Proceedings of the ACM symposium on access control models and technologies (SACMAT), pp 29–37

  12. Bertino E, Piero B, Elena F (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191–233

    Google Scholar 

  13. Sposaro F, Tyson G (2009) iFall: an Android application for fall monitoring and response. In: Proceedings of the annual international conference of the IEEE at Engineering in Medicine and Biology Society (EMBC), 3–6 Sept 2009, pp 6119–6122

  14. Frank S, Window S (2004) Threat modeling (Microsoft professional). Microsoft Press, Redmond (ISBN: 0735619913)

  15. Hansen F, Oleshchuk V (2003) SRBAC: a spatial role-based access control model for mobile systems. In: Proceedings of the 8th Nordic workshop secure IT systems (NORDSEC), pp 129–141

  16. Ahn G, Shin M (2001) Role-based authorization constraints specification using object constraint language. In: Proceedings of the IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises (WETICE), pp 157–162

  17. Gail-Joon A, Ravi S (2000) Role-based authorization constraints specification. ACM Trans Inf Syst Secur 3(4):207–226

    Google Scholar 

  18. US Government (2012) Global positioning system. http://www.gps.gov/. Accessed on 30 Nov 2012

  19. Booch G, James R, Ivar J (2005) The unified modeling language user guide, 2nd edn. Addison-Wesley Professional, Boston

  20. Grisham P, Chen C, Khurshid S, Perry D (2006) Design and validation of a security model with the Alloy analyzer. In: Proceedings of the workshop at ACM SIGSOFT first Alloy, 6th Nov 2006, Portland, OR, USA

  21. Google Inc. (2012) Android SDK. http://developer.android.com/sdk/index.html. Accessed on 30 Nov 2012

  22. Google Inc. (2012) The Android mobile (OS). http://www.android.com/. Accessed on 30 Nov 2012

  23. Ray I, Kumar M, Yu L (2006) LRBAC: a location-aware role-based access control model. In: Proceedins of the 2nd international conference on information systems security (ICISS 2006), 17–21 Dec 2006, Indian Statistical institute, Kolkata, India, pp 147–161

  24. Ray I, Toahchoodee M (2007) A spatio-temporal role-based access control model. In: Proceedings of the DBSec, pp 211–226

  25. Jaehong P, Ravi S (2004) The \(\text{ UCON }_{\text{ ABC }}\) usage control model. ACM Trans Inf Syst Secur 7(1):128–174

  26. James J, Elisa B, Usman L, Arif G (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4–23

    Google Scholar 

  27. James J, Elisa B, Usman L, Arif G (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4–23

    Google Scholar 

  28. Larman C (2004) Applying UML and patterns: an introduction to object-oriented analysis and design and iterative development, 3rd edn. Prentice Hall, Englewood Cliffs

    Google Scholar 

  29. Chen L, Crampton J (2008) On spatio-temporal constraints and inheritance in role-based access control. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS), Mar 2008, pp 205–216

  30. Lin A, Bond M, Clulow J (2007) Modeling partial attacks with Alloy. In: Proceedings of the workshop on security protocols, pp 20–33

  31. Lockhart H, Parducci B, Levinson R (2012) OASIS eXtensible access control markup language (XACML) TC. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml/. Accessed on 30 Nov 2012

  32. Tamer Özsu M, Valduriez P (1999) Principles of distributed database systems, 2nd edn. Prentice-Hall, Englewood cliffs (ISBN-10: 1441988335)

  33. Toahchoodee M, Ray I (2011) On the formalization and analysis of a spatio-temporal role-based access control model. J Comput Secur 19(3):399–452

    Google Scholar 

  34. Toahchoodee M, Ray I, Anastasakis K, Georg G, Bordbar B (2009) Ensuring spatio-temporal access control for real-world applications. In: Proceedings of the 13th ACM symposium on access control models and technologies (SACMAT), Estes Park, CO, USA, 11–13 June 2008 pp 13–22

  35. Manuel K, Francesco P-P (2006) UML specification of access control policies and their formal verification. Softw Syst Modell 5(4):429–447

    Google Scholar 

  36. Michael H, David L (2002) Writing secure code, 2nd edn. Microsoft Press, Redmond (ISBN: 0735617228)

    Google Scholar 

  37. Kirkpatrick M, Bertino E (2010) Enforcing spatial constraints for mobile RBAC systems. In: Proceedings of the 15th ACM symposium on access control models and technologies (SACMAT), Pittsburgh, pp 99–108

  38. Xu M, Wijesekera D (2009) A role-based XACML administration and delegation profile and its enforcement architecture. In: Proceedings of the 6th ACM workshop on secure web services (SWS), 13 Nov 2009, Chicago, IL, USA, pp 53–60

  39. MySQL (2012) The world’s most popular open source database. http://www.mysql.com/. Accessed on 30 Nov 2012

  40. Abdunabi R, Al-Lail M, Ray I, Robert B (2013) Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model. IEEE Syst J (to be appear)

  41. Ravi S, Edward C, Hal F, Charles Y (1996) Role-based access control models. IEEE Comput 29(2):38–47

    Google Scholar 

  42. Ravi S, Kumar R, Xinwen Z (2006) Secure information sharing enabled by trusted computing and PEI models. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS’06), 21–24 Mar 2006, Taipei, Taiwan

  43. Mondal S, Sural S (2008) Security analysis of temporal-RBAC using timed automata. In: Proceedings of the 4th international symposium on information assurance and security (IAS), 8–10 Sept 2008, pp 37–40

  44. Ravi S (1995) Rationale for the RBAC96 family of access control models. In: Proceedings of the 1st ACM workshop on role-based access control

  45. Subhendu A, Samrat M, Shamik S, Arun M (2009) Role based access control with spatiotemporal context for mobile applications. Trans Comput Sci 4:177–199

    Google Scholar 

  46. Subhendu A, Shamik S, Arun M (2007) STARBAC: spatio temporal role based access control. In: Proceedings of the OTM, pp 1567–1582

  47. Syed A, Mohammad I (2011) Location-based services handbook: applications, technologies, and security. CRC Press, Boca Raton (ISBN: 1420071963)

  48. Taghdiri M, Jackson D (2003) A lightweight formal analysis of a multicast key management scheme. In: Proceedings of the FORTE, pp 240–256

  49. Arensman W, Whipple J, Boler M (2009) A public safety application of GPS-enabled smartphones and the Android operating system. In: Proceedings of the systems, man and cybernetics (SMC), pp 2059–2061

  50. Sun W, France R, Ray I (2011) Rigorous analysis of UML access control policy models. In: Proceedings of the POLICY, pp 9–16

  51. Yu L, France RB, Ray I (2008) Scenario-based static analysis of UML class models. In: Proceedings of the ACM/IEEE 11th international conference on model driven engineering languages and systems (MoDELS), Toulouse, France, pp 234–248

  52. Yu L, France RB, Ray I, Sun W (2012) Systematic scenario-based analysis of UML design class models. In: Proceedings of a ICECCS meeting held 18–20 July 2012, Paris, France, pp 86–95

Download references

Author information

Authors and Affiliations

  1. Computer Science Department, Colorado State University, Fort Collins, CO, 80523, USA

    Ramadan Abdunabi, Wuliang Sun & Indrakshi Ray

Authors
  1. Ramadan Abdunabi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wuliang Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Indrakshi Ray
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Indrakshi Ray.

Appendices

Appendix A

1.1 Alloy specification of the access control protocol

figure b
figure c
figure d

Appendix B

1.1 Alloy specification of successful MITM attack

figure e
figure f

Appendix C

1.1 Spatio-temporal access control model specification

We present our complete model and formalize its specification using the unified modeling language (UML) and the object constraint language (OCL).

1.2 Effect of spatio-temporal constraints on RBAC entities

The RBAC entities: users, roles, permissions, and objects are associated with spatio-temporal zones.

Users We assume that each valid user, interested in doing some location-sensitive operations, carries a locating device that is able to track his location. The location of a user changes with time. The spatio-temporal zone associated with a user gives the user’s current location and time.

Note that, time and location can have different levels of granularity. For example, the current time can be expressed as 12:00:05 or 12:00 pm. Similarly, a user’s current location can be Fort Collins or it can be Colorado. The user’s current location and time information will be used for making access decisions. Consequently, we require the minimal temporal and location be used to express the spatio-temporal zone associated with a user. We define the function \(currentzone\) that returns the minimal spatio-temporal zone associated with a user. This function is formally defined as follows:

  • \(currentzone: Users \rightarrow STZones\)

Objects Objects may also be mobile like the user. Here again, we have locating devices that track the location of an object. Moreover, an object may not be accessible everywhere and anytime. For example, tellers can only review customer information at a teller office during working hours. The ozones function returns the spatio-temporal zones that determine where and when every object is available.

  • \(ozones: Objects \rightarrow 2^{STZones}\)

Roles Role can be assigned or activated only in specific locations and time. The role of on-campus student can only be assigned/activated inside the campus during the semester. The spatio-temporal zone associated with a role gives the location and time from which roles can be assigned or activated. The \(rzones\) function gives the set of spatio-temporal zones associated with a given role.

  • \(rzones: Roles \rightarrow 2^{STZones}\)

Permissions Permissions are also associated with a spatio-temporal zone that indicate where and when a permission can be invoked. For example, a permission to perform a backup of servers can be executed only from the department after 10 pm on Friday nights. The function \(pzones\) gives the zones in which a specific permission can be accessed.

  • \(pzones: Permissions \rightarrow 2^{STZones}\)

Figure 10 shows the class diagram of GSTRBAC. Therefore, a security policy of a mobile application can be specified as one possible instance of this GSTRBAC class diagram. The GSTRBAC entities: User, Role, Permission, Object, Activity, and STZone, are represented by classes. Permission is represented in the GSTRBAC class diagram as an aggregation of the classes Object and Activity. The STZone class aggregates the location and time subclasses. In STZone class, zcontainment is a reflexive association specifying that a zone can contain other zones. Different relationships between entities including UserRoleAssignment, UserRoleActivation, PermissionRoleAssignment, RoleHierarchy, and SoD are modeled using association classes which are transformed to normal classes following the modeling guidelines in [19, 28]. These association classes have binary relationships with STZone class to enforce the spatio-temporal constraints.

Fig. 10
figure 10

UML class model for STRBAC

Full size image

1.3 Effect of spatio-temporal constraints on RBAC operations

User-role assignment A user-role assignment is location and time dependent. That is, a user can be assigned to a role provided the user is in specific locations. For example, a person can be assigned the on-campus student role only when he is in the campus during the semester. This requirement is expressed using the zone concept:

  • UserRoleAssignment \(\subseteq \) users \(\times \) roles \(\times \) STZones

This relationship is depicted in the GSTRBAC class diagram as association class UserRoleAssignment. The OCL operation assignRole assigns role \(r\) to user \(u\) in zone \(z\) if \(z\) is in the set of rzones, user \(u\) is present in zone \(z\), and role \(r\) is not already assigned to user \(u\) in zone \(z\). For the lack of space, we omit the descriptions of the OCL queries used in the assignRole operation.

figure g

User-role activation A user can activate a role if the role can be activated on the specific zone and it is already assigned to that user. For example, the role of doctor trainee can only be activated in a hospital during the training period. We define the UserRoleActivation relation to determine the current active roles based on zones:

  • UserRoleActivation \(\subseteq \) users \(\times \) roles \(\times \) STZones

In GSTRBAC class diagram, UserRoleActivation class is specified in a manner similar to UserRoleAssignment. The only difference is that the activateRole operation ensures that a user is already assigned to a role before the role is being activated.

Check access This operation checks whether a user is authorized to perform some operation on an object during a certain time and from a certain location. A user is allowed to fire a missile if he is assigned the role of top secret commander and he is in the controller room of the missile during a severe crisis period. Thus, a user can access an object in a certain zone if that user has activated a role which has an appropriate permission for that object in that zone.

figure h

Permission-role assignment Permissions can only be assigned to a role during specific time and locations. For example, the permission of opening a cashier drawer in a store should be only assigned to a salesman role during the day time. The assignment of permissions to roles is specified based on zones.

  • PermissionRoleAssignment \(\subseteq \) permissions \(\times \) roles \(\times \) STZones

The following OCL operation assigns permission \(p\) to role \(r\) in zone \(z\) if \(z\) is in the set of \(pzones\) and \(rzones\).

figure i

1.4 Spatio-temporal role hierarchy

The permission-inheritance hierarchy (I-Hierarchy) and the role-activation hierarchy (A-Hierarchy) are two variations of role hierarchy (RoleHierarchy) in RBAC [27, 41]. In our model, a senior role could have a subset of junior roles in a particular zone. The spatio-temporal role hierarchies are formally defined as follows:

  • RoleHierarchy \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones

  • I-Hierarchy \(\subseteq \) RoleHierarchy, A-Hierarchy \(\subseteq \) RoleHierarchy, and I-Hierarchy \(\cap \) A-Hierarchy = \(\phi \)

The subtypes of RoleHierarchy are represented in the GSTRBAC class diagram by the subclasses I-Hierarchy and A-Hierarchy, which are connected to STZone class to restrict the roles associations.

Permission-inheritance hierarchy In permission-inheritance hierarchy, a senior role \(r\) can only inherit junior role \(r'\) permissions in zone \(z\) if both roles are available in zone \(z\). A project manager inherits the permissions of a developer when he is at the customer site giving a demo. The following OCL expression specifies the spatio-temporal constraint on I-Hierarchy for adding new junior role.

figure j

The delete operation of a junior role in I-Hierarchy can be defined in the similar manner. The I-Hierarchy relationship is acyclic as shown by the following OCL constraint.

figure k

The boolean operation inheritsIH(r,z) returns true if role \(r\) is directly or indirectly a junior role of the context role in particular zone, otherwise it returns false.

figure l

We define the OCL query operation getAuthorizedPermissions(z) to get the authorized permissions for a given role at zone \(z\) through direct assignment or indirect I-Hierarchy.

figure m

Role-activation hierarchy Restricted spatio-temporal A-Hierarchy allows members of senior roles to activate junior roles in predefined spatio-temporal zones. For example, a department chair can activate a staff role during the semester inside the department building. The OCL operations of adding and deleting junior roles to the A-Hierarchy are defined in similar manner to I-Hierarchy. Further, the acyclic constraints on A-Hierarchy is enforced in the same way of the I-Hierarchy.

The only differences are that, the OCL query operation getAHJuniorRoles(z) returns all the junior role in A-Hierarchy of the context role in particular zone. Moreover, the OCL query operation getAuthorizedRoles(z) gives the authorized activation roles for the context user that are either explicitly assigned or implicitly obtained through A-Hierarchy in certain zones.

figure n

1.5 Spatio-temporal separation of duty

The static SoD (SSoD) and dynamic SoD (DSoD) are two special classes of the SoD constraints in RBAC [17]. Further, the role SSoD (RSSoD) constraints are defined on roles assignment, while the permission SSoD (PSSoD) constraints are defined on permissions assignments.

In our model, the conflicting roles and permissions in SoD are defined over some zones. The spatio-temporal RSSoD, PSSoD, and DSoD relations are formally defined as follows:

  • RSSoD \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones

  • DSoD \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones, and RSSoD \(\cap \) DSoD = \(\phi \)

  • PSSoD \(\subseteq \) permissions \(\times \) permissions \(\times \) STZones

The static and dynamic SoD relations are represented in the GSTRBAC class diagram using the associations classes RSSoD, PSSoD, and DSoD, which connect the conflicting entities with certain zones.

Role SSoD The same individual should not be assigned to specific roles in specific location for some duration. For example, the same user should not be assigned to billing clerk and account receivable clerk roles in the same time at specific trade corporation. The following OCL invariant forbids the assignment of conflicting roles in a particular zone.

figure o

However, the above constraint might be violated through role hierarchy relation. For example, a billing supervisor role might be a senior role of the two conflicting roles billing clerk and account clerk at the same time and in the same accounting department. The following OCL constraint prevents such situation.

figure p

Permissions SSoD PSSoD prevents the assignment of conflicting permissions to a role. For example, a loan officer is not permissible to issue loan request and approve it in the bank building during the day-time. The following OCL invariant expresses the PSSoD requirement in our model.

figure q

However, this constraint might be violated through I-Hierarchy in which a senior role inherits some junior roles that have been mutually assigned conflicting permissions. The following OCL invariant prevents the violation of PSSoD via I-Hierarchy.

figure r

DSoD Two conflicting activation roles cannot be activated in some spatio-temporal zones by the same user. For example, the simultaneous activation of cashier and cashier supervisor is forbidden during the working hours in the same store to deter such user from committing a fraud. The DSoD constraints are expressed in OCL invariants in a similar manner to the RSSoD constraints. The only difference is that the OCL invariants prevent the activations of conflicting roles that are connected by DSoD in some zones through either the explicit role assignment or the implicit A-Hierarchy.

1.6 Spatio-temporal prerequisite constraints

In RBAC, the prerequisite constraints obligates that some actions to be taken prior to performing an operation [16].

Prerequisite constraints on user-role assignment The prerequisite constraint on roles assignments imposes that a user must be assigned to some less critical roles in a given spatio-temporal zone before being assigned more critical roles in specific zones. For example, the role of emergency-nurse can be assigned to John in the urgent care unit from 12:00 to 5:00 am if he is assigned the role of nurse-on-night-duty at the hospital during those hours. The following OCL invariant expresses the prerequisite constraints on user-role assignment. The query operation getPreqAssRoles() returns all the assignment prerequisite roles needed for assigning a certain role.

figure s

Prerequisite constraints on permission-role assignment The prerequisite constraints on permissions assignments indicates that a role can be assigned a permission in a specific zone if some prerequisite permissions are already assigned to that role in the same zone. For example, a bank teller must have the permission of reading an account during working hours before he can be given the permission to update that account. The prerequisite constraint on permission-role assignment can be specified using OCL expression as follows.

figure t

Prerequisite user-role activation A role can be activated if some prerequisite roles are already activated in specific zones. For example, in a university the teaching assistant role can be activated during a semester in a department if the student role can be activated during the same time. This requirement is specified in our model in the same way of the prerequisite user-role assignment constraint except that the OCL query getPreqAssRoles() is substituted with getPreqActRole(). The query operation getPreqActRole() returns all activation prerequisite roles needed to activate a role.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Abdunabi, R., Sun, W. & Ray, I. Enforcing spatio-temporal access control in mobile applications. Computing 96, 313–353 (2014). https://doi.org/10.1007/s00607-013-0340-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00607-013-0340-2

Keywords

Mathematics Subject Classification

Search

Navigation