Integration of Security Policy into System Modeling
We address the proof-based development of (system) models satisfying a security policy. The security policy is expressed in a model called OrBAC, which allows one to state permissions and prohibitions on actions and activities and belongs to the family of role-based access control formalisms. The main question is to validate the link between the security policy expressed in OrBAC and the resulting system: a first abstract B model is derived from the OrBAC specification of the security policy, and then the model is refined to introduce properties that can be expressed in OrBAC. The refinement guarantees that the resulting B (system) model satisfies the security policy. We present a generic development of a system with respect to a security policy, which can later be instantiated for a given security policy.
Keywords: refinement, integration, security policy
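As an added illustration (not code from the paper), a small Python model of the abstract/concrete OrBAC link the abstract refers to: permissions and prohibitions stated over roles, activities and views are mapped to concrete subjects, actions and objects through the empower, use and consider relations, and a constructed system model is checked for transitions the policy does not permit, which is the kind of link the B refinement is meant to establish by proof. The hospital policy, the entity names and the prohibition-overrides-permission rule are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OrbacPolicy:
    """OrBAC-style policy: abstract rules over (org, role, activity, view, context),
    linked to concrete (subject, action, object) by empower / use / consider."""
    empower: frozenset      # (org, subject, role)
    use: frozenset          # (org, action, activity)
    consider: frozenset     # (org, object, view)
    permission: frozenset   # (org, role, activity, view, context)
    prohibition: frozenset  # same shape as permission

    def abstractions(self, org, subject, action, obj):
        """Every (role, activity, view) triple one concrete access maps to."""
        roles = {r for (o, s, r) in self.empower if o == org and s == subject}
        acts = {a for (o, ac, a) in self.use if o == org and ac == action}
        views = {v for (o, ob, v) in self.consider if o == org and ob == obj}
        return {(r, a, v) for r in roles for a in acts for v in views}

    def decide(self, org, subject, action, obj, context):
        """'prohibit', 'permit' or 'undefined' for one concrete access."""
        triples = self.abstractions(org, subject, action, obj)
        if any((org, r, a, v, context) in self.prohibition for r, a, v in triples):
            return "prohibit"  # assumption: a prohibition overrides a permission
        if any((org, r, a, v, context) in self.permission for r, a, v in triples):
            return "permit"
        return "undefined"

def refinement_violations(policy, org, transitions):
    """Transitions the system model allows that the policy does not permit."""
    return sorted(t for t in transitions if policy.decide(org, *t) != "permit")

# Constructed sample: a hospital with a physician (alice) and a nurse (bob).
HOSPITAL = OrbacPolicy(
    empower=frozenset({("hosp", "alice", "physician"), ("hosp", "bob", "nurse")}),
    use=frozenset({("hosp", "read", "consult"), ("hosp", "write", "update")}),
    consider=frozenset({("hosp", "rec42", "medical_record")}),
    permission=frozenset({
        ("hosp", "physician", "consult", "medical_record", "default"),
        ("hosp", "physician", "update", "medical_record", "default"),
        ("hosp", "nurse", "consult", "medical_record", "default")}),
    prohibition=frozenset({("hosp", "nurse", "update", "medical_record", "default")}),
)

# Constructed system model: the (subject, action, object, context) transitions it allows.
SYSTEM = {("alice", "read", "rec42", "default"), ("alice", "write", "rec42", "default"),
          ("bob", "read", "rec42", "default"), ("bob", "write", "rec42", "default")}

if __name__ == "__main__":
    print(refinement_violations(HOSPITAL, "hosp", SYSTEM))  # [('bob', 'write', 'rec42', 'default')]
```

A non-empty violation list means the system model lets a transition happen that the policy prohibits or never permits, so the model would not refine the policy.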