Conformance Checking of RBAC Policy and its Implementation

  • Frode Hansen
  • Vladimir Oleshchuk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3439)


The purpose of a security policy is to specify rules that govern access to system resources, preferably without considering implementation details. Both the policy and its implementation might be altered, and after such changes it is not obvious that they are still consistent. Therefore, we need to validate conformance between a policy and its implementation. In this paper we describe an approach based on finite-model checking to verify that an RBAC implementation conforms to a security policy. We make use of the model-checking system SPIN, and show how to express RBAC policy constraints by means of LTL and how to model an RBAC implementation in SPIN's internal modeling language PROMELA.
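The idea the abstract describes, checking that every state an implementation can reach satisfies a policy constraint, can be illustrated without SPIN. The following Python block is an added example, not code from the paper or its authors: it replaces SPIN with a small hand-written breadth-first state-space search, models a constructed RBAC "implementation" as assign/revoke operations on user-role pairs, and checks a constructed static separation-of-duty constraint (the roles `clerk` and `auditor` are mutually exclusive for one user), which corresponds to the LTL safety property `[] !(assigned(u, clerk) && assigned(u, auditor))`. The users, roles, operation names and the `enforce_sod` switch are assumptions made for this example. When the modelled implementation does not enforce the constraint, the search returns the shortest operation trace that reaches a violating state, which plays the role of the counterexample trail a model checker would produce.

```python
from collections import deque
from itertools import product

# Constructed RBAC implementation model (assumption for this example).
# A state is the set of current (user, role) assignments.
USERS = ("alice", "bob")
ROLES = ("clerk", "auditor", "manager")

# Constructed policy constraint: static separation of duty between clerk and
# auditor. As a state invariant it is the safety property
#   [] !(assigned(u, clerk) && assigned(u, auditor))   for every user u.
SOD_PAIRS = {frozenset({"clerk", "auditor"})}


def violates_sod(state):
    """Return (user, roles) for the first SoD violation in `state`, else None."""
    for u in USERS:
        roles = {r for (user, r) in state if user == u}
        for pair in SOD_PAIRS:
            if pair <= roles:
                return (u, tuple(sorted(pair)))
    return None


def impl_successors(state, enforce_sod):
    """Transitions of the implementation: assign or revoke any (user, role).

    enforce_sod=True models an implementation that rejects an assignment
    which would violate the constraint; enforce_sod=False models one that
    does not check the policy at all.
    """
    for u, r in product(USERS, ROLES):
        if (u, r) in state:
            yield f"revoke({u},{r})", state - {(u, r)}
        else:
            nxt = state | {(u, r)}
            if enforce_sod and violates_sod(nxt):
                continue  # the implementation refuses this assignment
            yield f"assign({u},{r})", nxt


def _trace(seen, state):
    """Rebuild the operation sequence from the initial state to `state`."""
    ops = []
    while seen[state] is not None:
        prev, op = seen[state]
        ops.append(op)
        state = prev
    return list(reversed(ops))


def check_conformance(enforce_sod):
    """Explicit-state search from the empty assignment.

    Returns (counterexample, states_seen): counterexample is None when the
    invariant holds in every reachable state, otherwise the shortest list
    of operations leading to a violating state.
    """
    init = frozenset()
    seen = {init: None}  # state -> (predecessor state, operation)
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if violates_sod(s):
            return _trace(seen, s), len(seen)
        for op, nxt in impl_successors(s, enforce_sod):
            if nxt not in seen:
                seen[nxt] = (s, op)
                queue.append(nxt)
    return None, len(seen)


if __name__ == "__main__":
    for enforce in (False, True):
        trail, n = check_conformance(enforce)
        label = "enforcing" if enforce else "non-enforcing"
        if trail is None:
            print(f"{label} implementation conforms ({n} reachable states)")
        else:
            print(f"{label} implementation violates SoD after: {trail}")
```

The search is exhaustive because the constructed model is tiny (two users, three roles, at most 64 states); for a realistic implementation model this is exactly where a model checker such as SPIN, with its state compression and LTL-to-automaton translation, takes over from a hand-written loop.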







Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Frode Hansen, Department of Information and Communication Technology, Agder University College, Grimstad, Norway
  • Vladimir Oleshchuk, Department of Information and Communication Technology, Agder University College, Grimstad, Norway
