Modelling and Verification of Dynamic Role-Based Access Control

  • Conference paper
Verification and Evaluation of Computer and Communication Systems (VECoS 2018)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11181)

Abstract

Controlling access to resources is essential for ensuring correctness of system functioning. Role-Based Access Control (RBAC) is a popular authorisation model that regulates the user’s rights to manage system resources based on the user’s role. In this paper, we extend the traditional static approach to defining RBAC and propose as well as formalise a dynamic RBAC model. It allows a designer to explicitly define the dependencies between the system states and permissions to access and modify system resources. To facilitate a systematic description and verification of the dynamic access rights, we propose a contract-based approach and then we demonstrate how to model and verify dynamic RBAC in Event-B. The approach is illustrated by a case study – a reporting management system.



Corresponding author

Correspondence to Inna Vistbakka.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Vistbakka, I., Troubitsyna, E. (2018). Modelling and Verification of Dynamic Role-Based Access Control. In: Atig, M., Bensalem, S., Bliudze, S., Monsuez, B. (eds) Verification and Evaluation of Computer and Communication Systems. VECoS 2018. Lecture Notes in Computer Science, vol 11181. Springer, Cham. https://doi.org/10.1007/978-3-030-00359-3_4

  • DOI: https://doi.org/10.1007/978-3-030-00359-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00358-6

  • Online ISBN: 978-3-030-00359-3

  • eBook Packages: Computer Science, Computer Science (R0)
