Hybrid Enforcement of Category-Based Access Control

  • Asad Ali
  • Maribel Fernández
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)


Access control policies are often partly static, i.e. with no dependence on any run-time information, and partly dynamic. However, they are usually enforced dynamically, even the static parts. We propose a new hybrid approach to policy enforcement using the Category-Based Access Control (CBAC) meta-model. We build on previous work, which established a static system for the enforcement of (static) hierarchical Role-Based Access Control (RBAC) policies. We modify the previous policy language, JPol, to specify static and dynamic categories. We establish an equivalence between static categories and static roles (in RBAC); we are therefore able to use the previous design patterns and static verification algorithm, with some changes, to enforce static categories. For dynamic categories, we propose a new design methodology and generate code in the target program to do the necessary run-time checks.


Keywords: Access Control, Static Category, Action Call, Access Control Policy, Policy Enforcement
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Asad Ali (1)
  • Maribel Fernández (1)
  1. Department of Informatics, King’s College London, Strand, UK
