A framework of composable access control features: Preserving separation of access control concerns from models to code

Computers and Security

Volumn 29, Issue 3, 2010, Pages 350-379

  Pavlich Mariscal, Jaime A ^a   Demurjian, Steven A ^b   Michel, Laurent D ^b  

^a UNIVERSIDAD CATÓLICA DEL NORTE   (Chile)

^b UNIVERSITY OF CONNECTICUT   (United States)

Author keywords

Access controls; Model driven development; Separation of concerns; Software engineering; UML

Indexed keywords

ACCESS CONTROL MODELS; ACCESS CONTROL POLICIES; DISCRETIONARY ACCESS CONTROL; INTEGRAL PART; MANDATORY ACCESS CONTROL; MODEL DRIVEN DEVELOPMENT; ROLE-BASED ACCESS CONTROL; SECURITY POLICY; SEPARATION OF CONCERNS; SMALL COMPONENTS; SOFTWARE APPLICATIONS; SOFTWARE DEVELOPMENT PROCESS; STRUCTURE-PRESERVING;

COMPUTER CONTROL; COMPUTER SOFTWARE; DESIGN; SECURITY SYSTEMS;

ACCESS CONTROL;

EID: 77949562741     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.11.005     Document Type: Article

References (64)

1. Alghathbar K. Validating the enforcement of access control policies and separation of duty principle in requirement engineering. Information and Software Technology 49 2 (2007) 142-157
2. Alhadidi D., Belblidia N., Debbabi M., and Bhattacharya P. {lambda} _SAOP: A Security AOP Calculus. The Computer Journal (2009)
3. Alpern B., and Schneider F.B. Defining liveness. Information Processing Letters 21 4 (1985) 181-185
4. AspectJ-Team. The AspectJ Programming Guide, 2003.
5. Basin D., Doser J., and Lodderstedt T. Model driven security: from uml models to access control infrastructures. ACM Transactions on Software Engineering and Methodology 15 1 (January 2006) 39-91
6. Bell D., and LaPadula L. Secure computer systems: mathematical foundations model. Technical report (1975), Mitre Corporation
7. Bell D., and LaPadula L. Secure computer system: unified exposition and multics interpretation. Technical report (1976), Mitre Corporation
8. Biba K. Integrity considerations for secure computer systems. Technical report (1977), Mitre Corporation
9. Bodkin R. Enterprise security aspects. In: Proceedings of the AOSD technology for application-level security workshop, vol. 9, 2004.
10. Budinsky F., Steinberg D., Merks E., Ellersick R., and Grose T.J. Eclipse modeling framework (2004), Addison-Wesley
11. Clarke S, Harrison W, Ossher H, Tarr P. Subject-oriented design: towards improved alignment of requirements, design, and code. In: Proceedings of OOPSLA 1999, 1999.
12. Daniel S. Dantas. Analyzing security advice in functional aspect-oriented programming languages. PhD thesis, Princeton, NJ, USA, 2007.
13. De-Win B, Piessens F, Joosen W, Verhanneman T. The importance of the separation-of-concerns principle in secure software engineering; 2002.
14. De-Win B. Engineering application-level security through aspect-oriented software development. PhD thesis, Department of Computer Science, K.U.Leuven, Leuven, Belgium; 2004.
15. Doan Thuong. A framework for software security in UML with assurance. PhD thesis, The University of Connecticut; 2008.
16. DoD. Trusted computer system evaluation criteria. 5200.28-STD. DoD; 1985.
17. Ellis HJ, Phillips C, Liebrand M, Ting TC. Role delegation for a distributed, unified RBAC/MAC. In: Proceedings of sixteenth annual IFIP WG 11.3 working conference on data and application security; 2002.
18. Epstein P, Sandhu R. Towards a UML based approach to role engineering. In: Proceedings of the fourth ACM workshop on role-based access control; 1999.
19. Erlingsson, and Schneider. SASI enforcement of security policies: a retrospective. WNSP: new security paradigms workshop (2000), ACM Press
20. Evans David, Twyman Andrew. Flexible policy-directed code safety. In: Security and Privacy, IEEE Symposium on, vol. 0; 1999, p. 0032.
21. Farias A. Towards a security aspect for java. Master's thesis, Vrije Universiteit Brussel; 2001.
22. Ferraiolo D, Barkley J, Kuhn D. Role-based access controls. In: 15th NIST-NCSC national computer security conference; 1992.
23. Ferraiolo D., Sandhu R., Gavrila S., Kuhn D., and Chandramouli R. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4 (2001) 224-274
24. Ferraiolo D., Kuhn D.R., and Chandramouli R. Role-based access control (2003), Artech House
25. Gamma E., Helm R., Johnson R., and Vlissides J. Design patterns: elements of reusable object-oriented software (1995), Addison-Wesley, Reading, MA
26. Henderson-Sellers B. Object-oriented metrics: measures of complexity (1995), Prentice-Hall, Inc, Upper Saddle River, NJ, USA
27. Hibernate. Hibernate persistence library (2008). http://www.hibernate.org/
28. Huang M, Wang C, Zhang L. Toward a reusable and generic security aspect library. In: AOSD: AOSDSEC, vol. 4; 2004.
29. Juerjens J. Secure systems development with UML (2005), SpringerVerlag
30. Lamport L. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3 2 (1977) 125-143
31. Lochovsky F, Woo C. Role-based security in data base management systems. In: Database security: status and prospects; 1988.
32. Mouheb D., Talhi C., Azzam M., Lima V., and Debbabi M. An Aspect-Oriented approach for software security hardening: from design to implementation. The 8th International Conference on Software Methodologies, Tools and Techniques, SOMET'2009 (2009), Elsevier Science Publishers
33. Mourad A., Laverdière M.-A., and Debbabi M. A high-level aspect-oriented-based framework for software security hardening. Information Security Journal: A Global Perspective 17 2 (2008) 56
34. National Computer Security Center. A guide to understanding discretionary access control in trusted systems, September 1987.
35. Object Management Group. UML 2.0 infrastructure. Technical report (2005), Object Management Group
36. Object Management Group. UML 2.0 superstructure. Technical report (2005), Object Management Group
37. Object Management Group. Meta object facility (MOF) core specification. version 2.0. Technical report (2006), Object Management Group
38. OMG. UML 2.0 Object Constraint Language (OCL) Specification, 2003.
39. Pandey R., and Hashii B. Technical Report TR-98-08. Providing fine-grained access control for mobile programs through binary editing (1998)
40. Parnas D. On the criteria to be used in decomposing systems into modules. Communications ACM 15 (1972) 1053-1058
41. Pavlich-Mariscal J, Doan T, Michel L, Demurjian S, Ting TC. Role-slices: a notation for RBAC permission assignment and enforcement. In: Proceedings of 19th annual IFIP WG 11.3 working conference on data and applications security, vol. 3654 of Lecture notes in computer science; 2005a, pp 40-53.
42. Pavlich-Mariscal J, Michel L, Demurjian S. A formal enforcement framework for role-based access control using aspect-oriented programming. In: ACM/IEEE 8th international conference on model driven engineering languages and systems, vol. 3713 of Lecture Notes in computer science; 2005b, pp. 537-552.
43. Pavlich-Mariscal J, Michel L, Demurjian S. Enhancing UML to model custom security aspects. In: 11th international workshop on aspect-oriented modeling; 2007.
44. Pavlich-Mariscal J. A framework of composable security features: preserving separation of security concerns from models to code. PhD thesis, University of Connecticut; 2008.
45. Phillips Jr CE. Security assurance for a resource-based RBAC/DAC/MAC security model. PhD thesis, University of Connecticut, 2004.
46. Ray I, Li N, Kim D, France R. Using parameterized UML to specify and compose access control models. In: Proceedings of the 6th IFIP TC-11 WG 11.5 working conference on integrity and internal control in information systems; 2003.
47. Popp G., Jurjens J., Wimmel G., and Breu R. Security-critical system development with extended use cases. Asia-Pacific Software Engineering Conference vol 0 (2003), IEEE Computer Society, Los Alamitos, CA, USA 478
48. Sandhu R., Coyne E., Feinstein H., and Youman C. Role-based access control models. IEEE Computer 29 (1996) 38-47
49. Sandhu R., Bhamidipati V., and Munawer Q. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security (TISSEC) 2 (1999) 105-135
50. Sandhu R.S. Lattice-based access control models. IEEE Computer 26 11 (1993) 9-19
51. Sant'Anna C, Garcia A, Chavez C, Lucena C, von Staa A. On the reuse and maintenance of aspect-oriented software: an assessment framework. In: Proceedings of Brazilian symposium on software engineering; 2003, pp. 19-34.
52. Sewe A., Bockisch C., and Mezini M. Aspects and class-based security: a survey of interactions between advice weaving and the java 2 security model. VMIL '08: Proceedings of the 2nd workshop on virtual machines and intermediate languages for emerging modularization mechanisms (2008), ACM, New York, NY, USA 1-7
53. Shah V, Hill F. An aspect-oriented security framework. In Proceedings of DARPA information survivability conference and exposition (DISCEX'03), vol. 2, Washington, DC, USA; 2003, pp. 143-145.
54. ShyamChidamber R., and Kemerer C.F. A metrics suite for object oriented design. IEEE Transactions on Software Engineering 20 6 (1994) 476-493
55. Slowikowski P, Zielinski K. Comparison study of aspect-oriented and container managed security. In: AAOS2003: analysis of aspect oriented software. workshop held in conjunction with ECOOP,; 2003.
56. Song E, Reddy R, France R, Ray I, Georg G, Alexander R. Verifiable composition of access control features and applications. In: Proceedings of SACMAT 2005; 2005.
57. Song E. An aspect-based approach to modeling access control policies. PhD thesis, Colorado State University; 2007.
58. Spooner D. The impact of inheritance on security in object-oriented database systems. In: Database security II: status and prospects; 1989.
59. SUN. Java API specifications (2009). http://java.sun.com/reference/api/
60. Tarr P, Ossher H, Harrison W, Sutton S. N degrees of separation: multi-dimensional separation of concerns. In: Proceedings of the 21st international conference on software engineering; 1999.
61. Ting TC. A user-role based data security approach. In: Database security: status and prospects; 1988.
62. Ting TC. Application information security semantics: a case of mental health delivery. In: Database security III: status and prospects; 1990.
63. Viega J., Bloch J.T., and Chandra P. Applying aspect-oriented programming to security. Cutter IT Journal (2001)
64. Zisman A. A static verification framework for secure Peer-to-Peer applications. Internet and web applications and services, international conference on vol. 0 (2007), IEEE Computer Society, Los Alamitos, CA, USA 8