
A correct-by-construction model for attribute-based access control

Illustration: web-based healthcare services

Published in: Cluster Computing

Abstract

In this paper, a formal specification approach for attribute-based access control (ABAC) is proposed using the Event-B method. We apply a priori formal verification to build a correct model in a stepwise manner, so that correctness of the specification is ensured during the construction steps. The model is composed of abstraction levels generated through refinement operations. A set of ABAC properties is defined at each level of refinement, from the most abstract level down to the most concrete one, and these properties are preserved by proofs against the behavioural specification. The approach is illustrated on web-based healthcare services.
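The abstract describes three ingredients of the approach: a state-based model with guarded events, invariants expressing ABAC properties, and refinement steps that add attribute detail while proving that the abstract properties are preserved. The following is an added example, not the paper's Event-B model, that shows the same structure on a small constructed healthcare instance: an abstract policy predicate, a concrete (refined) predicate that introduces role and resource-type attributes, a guard-strengthening check that the refinement is sound, and an invariant on the set of granted accesses. Because the instance is finite, the invariant is checked here by exhaustive exploration of the reachable states (as a model checker such as ProB would do) rather than by the discharge of proof obligations in Rodin, which is what the paper does. The subjects, resources, policy rules and the break-glass "emergency" attribute are all assumptions made for this illustration; the example also shows how such a check exposes an edge case, a break-glass grant that outlives the emergency that justified it, and how a corrected event repairs it.

```python
"""Added example: a finite ABAC model in the Event-B style (state, guarded events,
invariants, refinement), checked by exhaustive exploration of its state space.
All attribute data and policy rules below are constructed for illustration."""
from collections import deque
from itertools import product

# Constructed subject attributes: name -> (role, department). Assumed, not from the paper.
SUBJECTS = {"alice": ("doctor", "cardiology"),
            "bob":   ("nurse",  "cardiology"),
            "carol": ("doctor", "oncology")}
# Constructed resource attributes: id -> (type, owning department).
RESOURCES = {"rec1": ("record", "cardiology"),
             "vit1": ("vitals", "cardiology")}
ACTIONS = ("read", "write")


def abstract_permitted(s, r, a, emergency):
    """Abstract level: access is permitted only within the subject's own department,
    or while an emergency is declared. This is the property refinement must preserve."""
    return SUBJECTS[s][1] == RESOURCES[r][1] or emergency


def concrete_permitted(s, r, a, emergency):
    """Refined level: introduces role and resource-type attributes (assumed rules)."""
    role, s_dept = SUBJECTS[s]
    r_type, r_dept = RESOURCES[r]
    if emergency and a == "read":
        return True                                   # break-glass read for any clinician
    if role == "doctor":
        return s_dept == r_dept                       # doctors: full access in own department
    if role == "nurse":
        return s_dept == r_dept and r_type == "vitals" and a == "read"
    return False


def refinement_holds():
    """Guard strengthening: every access the concrete policy allows must also be
    allowed by the abstract policy, for every combination of attributes."""
    return all(abstract_permitted(s, r, a, e) or not concrete_permitted(s, r, a, e)
               for s, r, a, e in product(SUBJECTS, RESOURCES, ACTIONS, (False, True)))


def invariant(granted, emergency):
    """INV: every currently granted (subject, resource, action) satisfies the abstract policy."""
    return all(abstract_permitted(s, r, a, emergency) for s, r, a in granted)


def events(granted, emergency, revoke_on_end):
    """Yield (event_label, next_state) for every enabled event; guards decide enabledness."""
    for t in product(SUBJECTS, RESOURCES, ACTIONS):
        if t not in granted and concrete_permitted(*t, emergency):
            yield ("request", t), (granted | {t}, emergency)
    for t in granted:
        yield ("revoke", t), (granted - {t}, emergency)
    if not emergency:
        yield ("start_emergency", None), (granted, True)
    else:
        kept = granted
        if revoke_on_end:  # corrected event: drop grants that only the emergency justified
            kept = frozenset(t for t in granted if concrete_permitted(*t, False))
        yield ("end_emergency", None), (kept, False)


def find_violation(revoke_on_end):
    """Breadth-first exploration from the initial state (no grants, no emergency).
    Returns the shortest event trace reaching a state that violates INV, or None
    when INV holds in every reachable state."""
    init = (frozenset(), False)
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(*state):
            trace = []
            while parent[state] is not None:
                label, state = parent[state]
                trace.append(label)
            return trace[::-1]
        for label, nxt in events(*state, revoke_on_end):
            if nxt not in parent:
                parent[nxt] = (label, state)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("refinement holds:", refinement_holds())
    print("naive end_emergency:", find_violation(revoke_on_end=False))
    print("corrected end_emergency:", find_violation(revoke_on_end=True))
```

With the naive `end_emergency` event the exploration returns a three-step counterexample (declare an emergency, let the oncology doctor read a cardiology record under break-glass, end the emergency), after which a granted access no longer satisfies the abstract policy. With the corrected event, which revokes grants that are not justified without the emergency, no reachable state violates the invariant. In the paper's setting the same obligation is discharged once by proof over all states, including unbounded ones, instead of being enumerated for a fixed instance.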


Fig. 1, Fig. 2, Fig. 3 (figure images not included in this preview)



Author information

Corresponding author: Hania Gadouche.


Cite this article

Gadouche, H., Farah, Z. & Tari, A. A correct-by-construction model for attribute-based access control. Cluster Comput 23, 1517–1528 (2020). https://doi.org/10.1007/s10586-019-02976-4
