Authorization Enforcement Usability Case Study

  • Steffen Bartsch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)

Abstract

Authorization is a key aspect in secure software development of multi-user applications. Authorization is often enforced in the program code with enforcement statements. Since authorization is present in numerous places, defects in the enforcement are difficult to discover. One approach to this challenge is to improve the developer usability with regard to authorization. We analyze how software development is affected by authorization in a real-world case study and particularly focus on the loose-coupling properties of authorization frameworks that separate authorization policy from enforcement. We show that authorization is a significant aspect in software development and that the effort can be reduced through appropriate authorization frameworks. Lastly, we formulate advice on the design of enforcement APIs.



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Steffen Bartsch (1)
  1. Technologie-Zentrum Informatik TZI, Universität Bremen, Bremen, Germany
