
Authorization Enforcement Usability Case Study

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6542)

Abstract

Authorization is a key aspect in secure software development of multi-user applications. Authorization is often enforced in the program code with enforcement statements. Since authorization is present in numerous places, defects in the enforcement are difficult to discover. One approach to this challenge is to improve the developer usability with regard to authorization. We analyze how software development is affected by authorization in a real-world case study and particularly focus on the loose-coupling properties of authorization frameworks that separate authorization policy from enforcement. We show that authorization is a significant aspect in software development and that the effort can be reduced through appropriate authorization frameworks. Lastly, we formulate advice on the design of enforcement APIs.




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bartsch, S. (2011). Authorization Enforcement Usability Case Study. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_16


  • DOI: https://doi.org/10.1007/978-3-642-19125-1_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19124-4

  • Online ISBN: 978-3-642-19125-1

  • eBook Packages: Computer Science, Computer Science (R0)
