Verification of Authorization Policies Modified by Delegation

  • Chapter
Engineering Secure Future Internet Services and Systems

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8431))

Abstract

Delegation is widely used in large organizations where access to systems needs to be controlled and often depends on the role of a user within the organization. Delegation allows access rights to be granted under certain, often temporal, conditions. Usually, a delegation policy specifies the authority to delegate, and an administrative delegation operation performs the corresponding changes in the authorization policy. Unfortunately, in common practice the consequences of these changes are not checked before the delegation is in effect. In this work, we present a systematic, automated approach to verify, before the actual enforcement in the system, that a subject has the right to perform a delegation and that this delegation will not introduce Separation of Duty (SoD) conflicts. We implement the delegation operation as an ATL transformation and apply our previous work on automatic transformation verification to check an authorization policy that is modified by a delegation policy. Our approach allows us to check, following an automated process: i) that delegation is only performed when the conditions for legitimate delegation, which we formalize using OCL, hold; ii) that the output of our transformation is always a valid authorization policy whenever it is obtained by executing the delegation operation on a valid authorization policy and delegation policy as input; iii) the absence of SoD conflicts in the resulting authorization policy, for which we provide patterns that can be instantiated following a policy's rules, as we illustrate.
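The abstract describes three checks that run before a delegation is enforced: a precondition on who may delegate what (and until when), a validity check on the resulting authorization policy, and a check that no SoD pattern is matched in the result. The following is an added example, not the chapter's ATL transformation or OCL constraints: a plain-Python analogue of the same three checks on a small RBAC policy. The roles, users, delegation rule, SoD pair and timestamps are constructed for illustration, and the candidate policy is built as a copy so that a rejected delegation never touches the live policy.

```python
"""Added example (not the chapter's ATL/OCL artefacts): verifying a delegation
before it is enforced.  Everything below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class DelegationRule:
    """Delegation-policy entry: holders of `delegator_role` may delegate
    `delegable_role` to another user until `valid_until` (temporal condition)."""
    delegator_role: str
    delegable_role: str
    valid_until: datetime


@dataclass
class Policy:
    roles: frozenset[str]
    assignments: dict[str, frozenset[str]]   # user -> roles currently held
    sod: frozenset[frozenset[str]]           # pairs of mutually exclusive roles
    delegation_rules: tuple[DelegationRule, ...]


def is_valid_policy(p: Policy) -> bool:
    """Structural invariant of an authorization policy: every role referred to by an
    assignment or an SoD constraint is declared, and every SoD constraint is a pair."""
    return (all(held <= p.roles for held in p.assignments.values())
            and all(len(pair) == 2 and pair <= p.roles for pair in p.sod))


def sod_conflicts(p: Policy) -> list[tuple[str, frozenset[str]]]:
    """SoD pattern: one user holding both roles of a mutually exclusive pair."""
    return [(user, pair) for user, held in p.assignments.items()
            for pair in p.sod if pair <= held]


def may_delegate(p: Policy, delegator: str, delegatee: str, role: str, now: datetime) -> bool:
    """Legitimate-delegation precondition: the delegatee is a known user, the delegator
    holds `role`, and an unexpired rule lets one of the delegator's roles delegate it."""
    if delegatee not in p.assignments or role not in p.assignments.get(delegator, frozenset()):
        return False
    return any(rule.delegable_role == role
               and rule.delegator_role in p.assignments[delegator]
               and now < rule.valid_until
               for rule in p.delegation_rules)


def delegate(p: Policy, delegator: str, delegatee: str, role: str, now: datetime):
    """Delegation operation with verification before enforcement.
    Returns (status, new_policy); new_policy is None unless status == 'ok'.
    `p` is never mutated, so a rejected delegation leaves the live policy unchanged."""
    if not is_valid_policy(p):
        return "invalid-input", None
    if not may_delegate(p, delegator, delegatee, role, now):
        return "not-authorised", None
    new_assignments = dict(p.assignments)                 # shallow copy; values are frozensets
    new_assignments[delegatee] = p.assignments[delegatee] | {role}
    candidate = Policy(p.roles, new_assignments, p.sod, p.delegation_rules)
    if sod_conflicts(candidate):
        return "sod-conflict", None
    if not is_valid_policy(candidate):                    # output must still be a valid policy
        return "invalid-output", None
    return "ok", candidate


NOW = datetime(2024, 6, 1)        # constructed "current time"
EXPIRED = datetime(2025, 6, 1)    # after the constructed rule's validity window


def example_policy() -> Policy:
    """Constructed sample: Manager and Auditor are mutually exclusive, and a Manager
    may delegate the Manager role to another user until 2025-01-01."""
    return Policy(
        roles=frozenset({"Clerk", "Manager", "Auditor"}),
        assignments={"alice": frozenset({"Manager"}),
                     "bob": frozenset({"Clerk"}),
                     "carol": frozenset({"Auditor"})},
        sod=frozenset({frozenset({"Manager", "Auditor"})}),
        delegation_rules=(DelegationRule("Manager", "Manager", datetime(2025, 1, 1)),),
    )


if __name__ == "__main__":
    p = example_policy()
    for args in [("alice", "bob", "Manager", NOW),        # legitimate
                 ("alice", "carol", "Manager", NOW),      # carol would hold Manager and Auditor
                 ("bob", "carol", "Manager", NOW),        # bob does not hold Manager
                 ("alice", "bob", "Manager", EXPIRED)]:   # rule has expired
        print(args[:3], delegate(p, *args)[0])
```

The order of the checks matters: the precondition is evaluated against the current policy, while the SoD patterns are matched against the candidate policy that would result, which is exactly the "before it is in effect" point the abstract makes. Keeping the candidate separate from the live policy is what makes a rejection side-effect free.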

Copyright information

© 2014 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Egea, M., Büttner, F. (2014). Verification of Authorization Policies Modified by Delegation. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_12

  • DOI: https://doi.org/10.1007/978-3-319-07452-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07451-1

  • Online ISBN: 978-3-319-07452-8
