Comprehensive two-level analysis of static and dynamic RBAC constraints with UML and OCL

Proceedings - 2011 5th International Conference on Secure Software Integration and Reliability Improvement, SSIRI 2011

Volumn , Issue , 2011, Pages 108-117

  Kuhlmann, Mirco ^a   Sohr, Karsten ^a   Gogolla, Martin ^a  

^a UNIVERSITY OF BREMEN   (Germany)

Author keywords

Analysis; Modeling; RBAC; Reliability; Security; UML OCL

Indexed keywords

ACCESS RIGHTS; ANALYSIS; AUTHORIZATION CONSTRAINTS; CONFIGURABLE; DOMAIN SPECIFIC LANGUAGES; RBAC; RBAC POLICY; ROLE-BASED ACCESS CONTROL; SECURITY; SECURITY POLICY; SECURITY REQUIREMENTS; STATIC AND DYNAMIC; TIME-DEPENDENT; TOOL SUPPORT; UML/OCL; VALIDATION TOOLS; VISUAL REPRESENTATIONS;

ACCESS CONTROL; COMPUTER AIDED SOFTWARE ENGINEERING; MODELS; PROBLEM ORIENTED LANGUAGES; RELIABILITY;

RELIABILITY ANALYSIS;

EID: 80052926621     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SSIRI.2011.18     Document Type: Conference Paper

References (29)

1. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Computer 29(2) (1996) 38-47.
2. Nash, M.J., Poland, K.R.: Some conundrums concerning separation of duty. In: Proc. IEEE Symposium on Research in Security and Privacy. (1990) 201-207.
3. Simon, R., Zurko, M.: Separation of duty in role-based environments. In: 10th IEEE Computer Security Foundations Workshop (CSFW'97). (1997) 183-194.
4. Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2(1) (1999) 65-104.
5. Schaad, A., Lotz, V., Sohr, K.: A model-checking approach to analysing organisational controls in a loan origination process. In: Proc. of the 11th ACM Symposium on Access Control Models and Technologies, New York, ACM Press (2006).
6. Yu, L., France, R.B., Ray, I.: Scenario-Based Static Analysis of UML Class Models. In: Model Driven Engineering Languages and Systems, 11th International Conference, MoDELS 2008. Volume 5301 of LNCS., Springer, Berlin (2008) 234-248.
7. Sohr, K., Drouineaud, M., Ahn, G.J., Gogolla, M.: Analyzing and Managing Role-Based Access Control Policies. IEEE Trans. Knowl. Data Eng 20(7) (2008) 924-939.
8. Abi Haidar, D., Cuppens-Boulahia, N., Cuppens, F., Debar, H.: An extended RBAC profile of XACML. In: Proceedings of the 3rd ACM workshop on Secure web services. SWS'06, New York, NY, USA, ACM (2006) 13-22.
9. Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and Contextual Integrity: Framework and Applications. In: IEEE Symposium on Security and Privacy, IEEE Computer Society (2006) 184-198.
10. Dougherty, D.J., Fisler, K., Krishnamurthi, S.: Specifying and Reasoning About Dynamic Access-Control Policies. In Furbach, U., Shankar, N., eds.: IJCAR. Volume 4130 of Lecture Notes in Computer Science., Springer (2006) 632-646.
11. Hilty, M., Pretschner, A., Basin, D.A., Schaefer, C., Walter, T.: A Policy Language for Distributed Usage Control. In Biskup, J., Lopez, J., eds.: ESORICS. Volume 4734 of Lecture Notes in Computer Science., Springer (2007) 531-546.
12. Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8(4) (November 2005) 351-387.
13. Clark, D.C., Wilson, D.R.: A comparison of commercial and military security policies. In: Proc. IEEE Symp.on Security and Privacy, Washington DC. (1987).
14. Sandhu, R.: Transaction control expressions for separation of duties. In: Proc. of the Fourth Computer Security Applications Conference. (1988) 282-286.
15. Gogolla, M., Büttner, F., Richters, M.: USE: A UML-Based Specification Environment for Validating UML and OCL. Science of Computer Programming 69 (2007) 27-34.
16. Torlak, E., Jackson, D.: Kodkod: A Relational Model Finder. In: Tools and Algorithms for the Construction and Analysis of Systems - 13th International Conference, TACAS 2007. Volume 4424 of LNCS., Springer, Berlin (2007) 632-647.
17. American National Standards Institute Inc.: Role Based Access Control (2004) ANSI-INCITS 359-2004.
18. Gligor, V.D., Gavrila, S.I., Ferraiolo, D.: On the formal definition of separation-of-duty policies and their composition. In: 1998 IEEE Symposium on Security and Privacy (SSP'98), IEEE (1998) 172-185.
19. Kuhlmann, M., Gogolla, M.: Modeling and Validating Mondex Scenarios Described in UML and OCL with USE. Formal Aspects of Computing 20(1) (2008) 79-100.
20. Kuhlmann, M., Sohr, K., Gogolla, M.: RBAC Metamodel: Sources and Validation Results (2010) http://www.db.informatik.uni-bremen.de/publications/ Kuhlmann-2010-RBAC-sources.pdf.
21. Anastasakis, K., Bordbar, B., Georg, G., Ray, I.: UML2Alloy: A Challenging Model Transformation. In: Model Driven Engineering Languages and Systems, 10th International Conference, MoDELS 2007. Volume 4735 of LNCS., Springer, Berlin (2007) 436-450.
22. Gogolla, M., Kuhlmann, M., Hamann, L.: Consistency, Independence and Consequences in UML and OCL Models. In: Proc. 3rd Int. Conf. Test and Proof (TAP'2009), Springer, Berlin, LNCS 5668 (2009) 90-104.
23. Jürjens, J.: UMLsec: Extending UML for secure systems development. Lecture Notes in Computer Science 2460 (2002) 412-425.
24. Ray, I., Li, N., France, R.B., Kim, D.K.: Using UML to visualize rolebased access control constraints. In: Proc. of the 9th ACM symposium on Access control models and technologies, ACM Press New York, USA (2004) 115-124.
25. Ahn, G.J., Shin, M.E.: Role-Based Authorization Constraints Specification Using Object Constraint Language. In: Proc. of the 10th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE (2001) 157-162.
26. Fernández-Medina, E., Piattini, M.: Extending OCL for secure database development. In: Proc. of UML 2004 - The Unified Modeling Language: Modeling Languages and Applications. Volume 3273 of LNCS., Springer (2004) 380-394.
27. Basin, D.A., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol 15(1) (2006) 39-91.
28. Basin, D.A., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information & Software Technology 51(5) (2009) 815-831.
29. Höhn, S., Jürjens, J.: Automated checking of SAP security permissions. In: 6th Working Conference on Integrity and Internal Control in Information Systems (IICIS), Lausanne, Switzerland, Kluwer (2003).