Abstract
Designing a security policy for an information system (IS) is a non-trivial task. Variants of the RBAC model can be used to express such policies as access-control rules associated with constraints. In this paper, we argue that currently available tools do not sufficiently take into account the functional description of the application and its impact on authorisation constraints and on the dynamic aspects of security. We suggest translating both the security model and the functional model into a formal language, such as B, whose analysis and animation tools help validate a larger set of security scenarios. We show how various kinds of constraints can be expressed and animated in this context.
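To make the point of the abstract concrete, the following classical B machine is an added illustration written for this page; it is not a model from the paper. It combines an RBAC policy (users, roles, sessions) with a small functional model (an order lifecycle) so that one access-control rule depends on functional state and history. The sets, roles, the created/validated/paid lifecycle and the rule that the manager who pays an order must differ from the one who validated it are all assumptions chosen for the example. The machine can be animated with a B tool such as ProB to explore scenarios.

```b
MACHINE SecuredOrders
/* Added example: RBAC policy plus functional model in one B machine.
   Sets, roles and the order lifecycle are assumptions for illustration. */
SETS
    USER = {alice, bob, carol};
    ROLE = {clerk, manager};
    ORDER = {o1, o2};
    STATE = {created, validated, paid}
VARIABLES
    userRole,     /* RBAC: user-to-role assignment */
    session,      /* users currently logged in, with their active role */
    orderState,   /* functional model: lifecycle state of each order */
    validatedBy   /* functional history used by a dynamic constraint */
INVARIANT
    userRole : USER <-> ROLE &
    session : USER +-> ROLE &
    session <: userRole &
    orderState : ORDER --> STATE &
    validatedBy : ORDER +-> USER &
    /* an order has a validator exactly when it has been validated */
    dom(validatedBy) = orderState~[{validated, paid}]
INITIALISATION
    userRole := {alice |-> clerk, bob |-> manager, carol |-> manager} ||
    session := {} ||
    orderState := ORDER * {created} ||
    validatedBy := {}
OPERATIONS
    /* static RBAC check: a user may only activate a role assigned to them */
    login(u, r) =
    PRE u : USER & r : ROLE & u |-> r : userRole & u /: dom(session)
    THEN session(u) := r END;

    logout(u) =
    PRE u : dom(session)
    THEN session := {u} <<| session END;

    /* authorisation (manager) combined with a functional precondition */
    validate(u, o) =
    PRE u : dom(session) & session(u) = manager &
        o : ORDER & orderState(o) = created
    THEN orderState(o) := validated || validatedBy(o) := u END;

    /* authorisation, functional state, and a history-based constraint:
       the payer must not be the manager who validated the order */
    pay(u, o) =
    PRE u : dom(session) & session(u) = manager &
        o : ORDER & orderState(o) = validated &
        validatedBy(o) /= u
    THEN orderState(o) := paid END
END
```

Animating the scenario login(bob, manager); validate(bob, o1); pay(bob, o1) shows the last step disabled, while pay(carol, o1) after login(carol, manager) is enabled: the violation is only visible because the functional state (orderState, validatedBy) is part of the model, which is what a purely static RBAC analysis would miss.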
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ledru, Y. et al. (2011). Taking into Account Functional Models in the Validation of IS Security Policies. In: Salinesi, C., Pastor, O. (eds) Advanced Information Systems Engineering Workshops. CAiSE 2011. Lecture Notes in Business Information Processing, vol 83. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22056-2_62
DOI: https://doi.org/10.1007/978-3-642-22056-2_62
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22055-5
Online ISBN: 978-3-642-22056-2