
A Formal Enforcement Framework for Role-Based Access Control Using Aspect-Oriented Programming

  • Conference paper
Model Driven Engineering Languages and Systems (MODELS 2005)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 3713)

Abstract

Many of today’s software applications require a high level of security, defined by a detailed policy and attained via mechanisms such as role-based access control (RBAC), mandatory access control, digital signatures, etc. The integration of the design/implementation processes of access-control policies with runtime enforcement mechanisms is crucial to achieve an acceptable level of security for a software application. Our prior research focused on formalizing the concept of a role slice, which is a Unified Modeling Language (UML) artifact that captures RBAC security requirements by defining permissions in the form of allowable or prohibited methods, and by specifying roles as specialized class diagrams that contain those methods. This paper augments this effort by introducing a formal framework for the security of software applications that supports the automatic translation of a role-slice access-control policy (RBAC requirements) into aspect-oriented programming (AOP) enforcement code that is seamlessly integrated with the application. The formal framework provides the necessary underpinnings to automate the integration of security policies into software. A prototyping effort based on Borland’s UML tool Together Control Center for defining role-slice diagrams and the associated AOP code generator is under development.




© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pavlich-Mariscal, J., Michel, L., Demurjian, S. (2005). A Formal Enforcement Framework for Role-Based Access Control Using Aspect-Oriented Programming. In: Briand, L., Williams, C. (eds) Model Driven Engineering Languages and Systems. MODELS 2005. Lecture Notes in Computer Science, vol 3713. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11557432_41


  • DOI: https://doi.org/10.1007/11557432_41

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29010-0

  • Online ISBN: 978-3-540-32057-9

  • eBook Packages: Computer Science, Computer Science (R0)
