Abstract
During the past decade, there has been an explosion in the complexity of software applications, with an increasing emphasis on software design via model-driven architectures, patterns, and models such as the unified modeling language (UML). Despite this, the integration of security concerns throughout the product life cycle has lagged, resulting in software infrastructures that are untrustworthy in terms of their ability to authenticate users and to limit them to their authorized application privileges. To address this issue, we present an approach to integrate role-based access control (RBAC) into UML at design-time for permission assignment and enforcement. Specifically, we introduce a new UML artifact, the role slice, supported via a new UML role-slice diagram, to capture RBAC privileges at design time within UML. Once captured, we demonstrate the utilization of aspect-oriented programming (AOP) techniques for the automatic generation of security enforcement code. Overall, we believe that our approach is an important step to upgrading security to be an indispensable part of the software process.
Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Alghathbar, K., Wijesekera, D.: authUML: a three-phased framework to analyze access control specifications in use cases. In: FMSE 2003: Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pp. 77–86. ACM Press, New York (2003)
Alghathbar, K., Wijeskera, D.: Consistent and complete access control policies in use cases. In: Stevens, P., Whittle, J., Booch, G. (eds.) UML 2003. LNCS, vol. 2863, pp. 373–387. Springer, Heidelberg (2003)
Basin, D., Doser, J., Lodderstedt, T.: Model driven security, Engineering Theories of Software Intensive Systems (2004)
Bell, D., LaPadula, L.: Secure computer systems: Mathematical foundations model. Technical report, Mitre Corporation (1975)
Clarke, S.: Composition of object-oriented software design models. PhD thesis, Dublin City University (January 2001)
De Win, B., Vanhaute, B., De Decker, B.: Security through aspect-oriented programming. In: Proceedings of the IFIP TC11 WG11.4 First Annual Working Conference on Network Security, pp. 125–138. Kluwer, Dordrecht (2001)
Doan, T., Demurjian, S., Ammar, R., Ting, T.C.: UML design with security integration as a first class citizen. In: Proc. of 3rd Intl. Conf. on Computer Science, Software Engineering, Information Technology, e-Business, and Applications (CSITeA 2004), Cairo (December 2004)
Doan, T., Demurjian, S., Ting, T.C., Ketterl, A.: MAC and UML for secure software design. In: Proc. of 2nd ACM Wksp. on Formal Methods in Security Engineering, Washington D.C. (October 2004)
Doan, T., Demurjian, S., Ting, T.C., Phillips, C.: RBAC/MAC security for UML. In: Farkas, C., Samarati, P. (eds.) Research Directions in Data and Applications Security XVIII (July 2004)
Epstein, P., Sandhu, R.: Towards a UML based approach to role engineering. In: Proceedings of the fourth ACM workshop on Role-based access control, pp. 135–143 (1999)
Ferraiolo, D., Kuhn, R.: Role-based access controls. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)
Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)
Harrison, W., Ossher, H.: Subject-oriented programming: a critique of pure objects. In: Proceedings of the eighth annual conference on Object-oriented programming systems, languages, and applications, pp. 411–428 (1993)
Jürjens, J.: UMLsec: Extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)
Kiczales, G.: Aspect-oriented programming. ACM Comput. Surv. 28(4es), 154 (1996)
Lodderstedt, T., Basin, D.A., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
OMG. OMG-unified modeling language, v.1.5. UML Resource Page (March 2003), http://www.omg.org/uml
Song, E., Reddy, R., France, R., Ray, I., Georg, G., Alexander, R.: Verifiable composition of access control features and applications. In: Proceedings of 10th ACM Symposium on Access Control Models and Technologies, SACMAT 2005 (2005)
Tarr, P., Ossher, H., Harrison, W., Sutton Jr., S.M.: N degrees of separation: multi-dimensional separation of concerns. In: Proceedings of the 21st international conference on Software engineering, pp. 107–119. IEEE Computer Society Press, Los Alamitos (1999)
Thomsen, D., O’Brien, D., Bogle, J.: Role based access control framework for network enterprises. In: Proceedings of 14th Annual Computer Security Application Conference, Phoenix, AZ, December 7-11, pp. 50–58 (1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 IFIP International Federation for Information Processing
About this paper
Cite this paper
Pavlich-Mariscal, J.A., Doan, T., Michel, L., Demurjian, S.A., Ting, T.C. (2005). Role Slices: A Notation for RBAC Permission Assignment and Enforcement. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_4
Download citation
DOI: https://doi.org/10.1007/11535706_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28138-2
Online ISBN: 978-3-540-31937-5
eBook Packages: Computer ScienceComputer Science (R0)