DOI: 10.1145/1266840.1266875
Article

Towards realizing a formal RBAC model in real systems

Published: 20 June 2007

ABSTRACT

There still exists an open question on how formal models can be fully realized in the system development phase. The Model Driven Development (MDD) approach has been recently introduced to deal with such a critical issue for building high assurance software systems.

The MDD approach focuses on the transformation of high-level design models to system implementation modules. However, this emerging development approach lacks an adequate procedure to address security issues derived from formal security models. In this paper, we propose an empirical framework to integrate security model representation, security policy specification, and systematic validation of security model and policy, which would be eventually used for accommodating security concerns during the system development. We also describe how our framework can minimize the gap between security models and the development of secure systems. In addition, we overview a proof-of-concept prototype of our tool that facilitates existing software engineering mechanisms to achieve the above-mentioned features of our framework.

Published in

SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies
June 2007
254 pages
ISBN: 9781595937452
DOI: 10.1145/1266840

Copyright © 2007 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall Acceptance Rate: 177 of 597 submissions, 30%
