Automated Legal Compliance Checking by Security Policy Analysis

  • Silvio Ranise
  • Hari Siswantoro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10489)


Legal compliance-by-design is the process of developing a software system that processes personal data in such a way that its ability to meet specific legal provisions is ascertained. In this paper, we describe techniques to automatically check the compliance of the security policies of a system against formal rules derived from legal provisions by re-using available tools for security policy verification. We also show the practical viability of our approach by reporting the experimental results of a prototype for checking compliance of realistic and synthetic policies against the European Data Protection Directive (EU DPD).


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Fondazione Bruno Kessler, Trento, Italy