Formalisation and Implementation of the XACML Access Control Mechanism

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7159)

Abstract

We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.

This work has been partially sponsored by the EU project ASCENS (257414).

Editor information

Gilles Barthe, Benjamin Livshits, Riccardo Scandariato

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Masi, M., Pugliese, R., Tiezzi, F. (2012). Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_7

  • DOI: https://doi.org/10.1007/978-3-642-28166-2_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28165-5

  • Online ISBN: 978-3-642-28166-2

  • eBook Packages: Computer Science, Computer Science (R0)
