Automated Analysis of Scenario-Based Specifications of Distributed Access Control Policies with Non-mechanizable Activities

  • Michele Barletta
  • Silvio Ranise
  • Luca Viganò
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7783)


The advance of web services technologies promises to have far-reaching effects on the Internet and on enterprise networks, allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need to use certificates for the identification of users and their attributes, human intervention in the creation or selection of the certificates, and (chains of) certificates for trust management. With all these features, it is not surprising that analyzing policies to guarantee that a sensitive resource can be accessed only by authorized users becomes very difficult. In this paper, we present an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems. We illustrate our ideas on a case study arising in the e-government area.


Keywords (machine-generated, not supplied by the authors): Access Control; Trust Management; Access Control Policy; Substrate Theory; Constraint Logic Program





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Michele Barletta (1)
  • Silvio Ranise (2)
  • Luca Viganò (1)

  1. Dipartimento di Informatica, Università di Verona, Italy
  2. FBK-Irst, Trento, Italy
