Abstract
In this paper, a formal specification approach for attribute-based access control (ABAC) is proposed using the Event-B method. We apply a priori formal verification to build a correct model in a stepwise manner, so that the correctness of the specification model is ensured during the construction steps themselves. The model is composed of abstraction levels generated through refinement operations. A set of ABAC properties is defined at each level of refinement, starting from the most abstract level and proceeding to the most concrete one, and proofs establish that the behavioural specification preserves these properties. The approach is illustrated on healthcare web services.
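To make the refinement idea concrete, the following added example (not the paper's Event-B model; all subjects, records and policy rules are constructed) sketches two abstraction levels of an ABAC decision in Python: an abstract permission property and a concrete attribute-based rule that refines it. Exhaustively checking that the concrete rule only permits what the abstract property allows plays the role, over a finite domain, of the guard-strengthening proof obligation that Event-B discharges by proof.

```python
"""Finite-state sketch of a two-level ABAC refinement (constructed example)."""
from itertools import product

# Constructed healthcare attribute assignments (illustrative, not from the paper).
SUBJECTS = {
    "alice": {"role": "physician", "dept": "cardio"},
    "bob":   {"role": "nurse",     "dept": "cardio"},
    "carol": {"role": "physician", "dept": "oncology"},
}
RECORDS = {
    "r1": {"dept": "cardio",   "sensitivity": "normal"},
    "r2": {"dept": "oncology", "sensitivity": "high"},
}
ACTIONS = ("read", "write")
PURPOSES = ("treatment", "research")


def abstract_permit(subj, action, rec, env):
    """Abstract level: the property every refinement must respect.
    No cross-department access, and only physicians may write."""
    s, r = SUBJECTS[subj], RECORDS[rec]
    if s["dept"] != r["dept"]:
        return False
    return action == "read" or s["role"] == "physician"


def concrete_permit(subj, action, rec, env):
    """Concrete level: the attribute-based rule that refines the guard.
    Reads need a treatment purpose; writes are limited to normal-sensitivity
    records and to physicians of the record's department."""
    s, r = SUBJECTS[subj], RECORDS[rec]
    same_dept = s["dept"] == r["dept"]
    if action == "read":
        return same_dept and env["purpose"] == "treatment"
    return same_dept and s["role"] == "physician" and r["sensitivity"] == "normal"


def check_refinement():
    """Guard strengthening over the finite domain: concrete ⇒ abstract.
    Returns the violating (subject, action, record, purpose) tuples; an empty
    list means the concrete rule never grants what the abstract level forbids."""
    envs = [{"purpose": p} for p in PURPOSES]
    return [(s, a, r, e["purpose"])
            for s, a, r, e in product(SUBJECTS, ACTIONS, RECORDS, envs)
            if concrete_permit(s, a, r, e) and not abstract_permit(s, a, r, e)]


def granted_set():
    """All requests the concrete policy permits (the reachable 'access' state)."""
    envs = [{"purpose": p} for p in PURPOSES]
    return {(s, a, r, e["purpose"])
            for s, a, r, e in product(SUBJECTS, ACTIONS, RECORDS, envs)
            if concrete_permit(s, a, r, e)}
```

Tightening the concrete rule keeps `check_refinement()` empty; loosening it (for example dropping the `same_dept` conjunct) produces witnesses, which is exactly the kind of defect the proof obligations catch before the model is refined further.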
Cite this article
Gadouche, H., Farah, Z. & Tari, A. A correct-by-construction model for attribute-based access control. Cluster Comput 23, 1517–1528 (2020). https://doi.org/10.1007/s10586-019-02976-4
DOI: https://doi.org/10.1007/s10586-019-02976-4