Abstract
The capture, deployment and enforcement of appropriate access control policies are crucial aspects of many modern software-based systems. Previously, there has been a significant amount of research undertaken with respect to the formal modelling and analysis of access control policies; however, only a limited proportion of this work has been concerned with dynamic policies. In this paper we explore techniques for the modelling, analysis and subsequent deployment of such policies—which may rely on external data. We use the Alloy modelling language to describe constraints on policies and external data; utilising these constraints, we test static instances constructed from the current state of the external data. We present Gauge, a constraint checker for static instances that has been developed to be complementary to Alloy, and show how it is possible to test systems of much greater complexity via Gauge than can typically be handled by a model finder.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Kumar, A., Karnik, N., Chafle, G.: Context sensitivity in role-based access control. ACM SIGOPS Operating Systems Review 36(3), 53–66 (2002)
Bhatti, R., Bertino, E., Ghafoor, A.: A trust-based context-aware access control model for web-services. Distributed and Parallel Databases 18(1), 83–105 (2005)
Hulsebosch, R.J., Salden, A.H., Bargh, M.S., Ebben, P.W.G., Reitsma, J.: Context sensitive access control. In: Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT 2005), pp. 111–119 (2005)
Dougherty, D.J., Fisler, K., Krishnamurthi, S.: Specifying and reasoning about dynamic access-control policies. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 632–646. Springer, Heidelberg (2006)
Simpson, A.C., Power, D.J., Russell, D., Slaymaker, M.A., Kouadri-Mostefaoui, G., Ma, X., Wilson, G.: A healthcare-driven framework for facilitating the secure sharing of data across organisational boundaries. Studies in Health Technology and Informatics 138, 3–12 (2008)
Slaymaker, M.A., Power, D.J., Russell, D., Simpson, A.C.: On the facilitation of fine-grained access to distributed healthcare data. In: Jonker, W., Petković, M. (eds.) SDM 2008. LNCS, vol. 5159, pp. 169–184. Springer, Heidelberg (2008)
Ferraiolo, D.F., Sandhu, R.S., Gavrilla, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security 4(3), 224–274 (2001)
Zhang, N., Ryan, M., Guelev, D.P.: Synthesising verified access control systems in XACML. In: Proceedings of the 2nd ACM Workshop on Formal Methods in Security Engineering (FMSE 2004), pp. 56–65 (2004)
Bryans, J.W., Fitzgerald, J.S.: Formal engineering of XACML access control policies in VDM++. In: Butler, M., Hinchey, M.G., Larrondo-Petrie, M.M. (eds.) ICFEM 2007. LNCS, vol. 4789, pp. 37–56. Springer, Heidelberg (2007)
Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2006)
Schaad, A., Moffett, J.D.: A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002), pp. 13–22 (2002)
Hughes, G., Bultan, T.: Automated verification of access control policies. Technical Report 2004-22, University of California, Santa Barbara (2004)
Fisler, K., Krishnamurthi, S., Meyerovich, L., Tshantz, M.C.: Verification and change-impact analysis of access-control policies. In: Inverardi, P., Jazayeri, M. (eds.) ICSE 2005. LNCS, vol. 4309, pp. 196–205. Springer, Heidelberg (2006)
Frias, M.F., Galeotti, J.P., Pombo, C.G.L., Aguirre, N.M.: DynAlloy: upgrading Alloy with actions. In: Inverardi, P., Jazayeri, M. (eds.) ICSE 2005. LNCS, vol. 4309, pp. 442–451. Springer, Heidelberg (2006)
Frias, M.F., Pombo, C.G.L., Galeotti, J.P., Aguirre, N.M.: Efficient analysis of DynAlloy specifications. ACM Transactions on Software Engineering and Methodology (TOSEM)Â 17(1), Article number 4 (2007)
Shaikh, R.A., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency detection method for access control policies. In: Proceedings of 6th International Conference on Information Assurance and Security (IAS 2010), pp. 204–209 (2010)
Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)
Power, D.J., Slaymaker, M.A., Simpson, A.C.: On formalizing and normalizing role-based access control systems. The Computer Journal 52(3), 305–325 (2009)
Power, D.J., Slaymaker, M.A., Simpson, A.C.: Automatic conformance checking of role-based access control policies via alloy. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 15–28. Springer, Heidelberg (2011)
Ahn, G.J., Sandhu, R.S.: Role-based authorization constraint specification. ACM Transactions on Information and Systems Security 3(4), 207–226 (2000)
Crampton, J.: Specifying and enforcing constraints in role-based access control. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT 2003), pp. 43–50 (2003)
Power, D.J., Politou, E.A., Slaymaker, M.A., Simpson, A.C.: Towards secure grid-enabled healthcare. Software: Practice and Experience 35(9), 857–871 (2005)
Hosmer, H.H.: Metapolicies I. ACM SIGSAC Review 10(2-3), 18–43 (1992)
Spivey, J.M.: The Z Notation: A Reference Manual. Prentice-Hall, Englewood Cliffs (1992)
Woodcock, J.C.P., Davies, J.W.M.: Using Z: Specification, Refinement, and Proof. Prentice-Hall, Englewood Cliffs (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Power, D., Slaymaker, M., Simpson, A. (2011). Conformance Checking of Dynamic Access Control Policies. In: Qin, S., Qiu, Z. (eds) Formal Methods and Software Engineering. ICFEM 2011. Lecture Notes in Computer Science, vol 6991. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24559-6_17
Download citation
DOI: https://doi.org/10.1007/978-3-642-24559-6_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24558-9
Online ISBN: 978-3-642-24559-6
eBook Packages: Computer ScienceComputer Science (R0)