Abstract
The advance of web services technologies promises to have far-reaching effects on the Internet and enterprise networks allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need of using certificates for the identification of users and their attributes, human intervention in the creation or selection of the certificates, and (chains of) certificates for trust management. With all these features, it is not surprising that analyzing policies to guarantee that a sensitive resource can be accessed only by authorized users becomes very difficult. In this paper, we present an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems. We illustrate our ideas on a case study arising in the e-government area.
The work presented in this paper was supported by the FP7-ICT-2009-5 Project no. 257876, “SPaCIoS: Secure Provision and Consumption in the Internet of Services”, and by the “Automated Security Analysis of Identity and Access Management Systems (SIAM)” project funded by Provincia Autonoma di Trento in the context of the “Team 2009 - Incoming” COFUND action of the European Commission (FP7).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Accorsi, R.: A security-aware simulation method for generating business process event logs. In: Symp. on Data-Driven Process Discovery and Analysis (2012)
Alberti, F., Armando, A., Ranise, S.: Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies. In: 6th ASIACCS. ACM (2011)
Barletta, M., Calvi, A., Ranise, S., Viganò, L., Zanetti, L.: WSSMT: Towards the Automated Analysis of Security-Sensitive Services and Applications. In: Proc. 12th SYNASC, pp. 417–424. IEEE Computer Society (2010)
Barletta, M., Ranise, S., Viganò, L.: Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures. In: Proc. SecureCom 2009, pp. 289–299. IEEE CS (2009), full version at http://arxiv.org/abs/0906.4570
Barletta, M., Ranise, S., Viganò, L.: Automated Analysis of Scenario-based Specifications of Distributed Access Control Policies with Non-Mechanizable Activities, Extended Version (2012), http://arxiv.org/abs/1206.3180
Becker, M.Y., Nanz, S.: The role of abduction in declarative authorization policies. In: Hudak, P., Warren, D.S. (eds.) PADL 2008. LNCS, vol. 4902, pp. 84–99. Springer, Heidelberg (2008)
Becker, M.Y., Nanz, S.: A logic for state-modifying authorization policies. ACM Trans. Inf. Syst. Secur. 13(3) (2010)
Bertino, E., Crampton, J., Paci, F.: Access Control and Authorization Constraints for WS-BPEL. In: Proc. ICWS 2006, pp. 275–284. IEEE CS (2006)
Brightwell, G., Winkler, P.: Counting linear extensions is #P-complete. In: Proc. STOC, pp. 175–181. ACM (1991)
Diaper, D.: Task analysis for human-computer interaction. Prentice-Hall (1990)
Enderton, H.B.: A Mathematical Introduction to Logic. Academic Press (1972)
Gunter, E., Yasmeen, A., Gunter, C., Nguyen, A.: Specifying and analyzing workflows for automated identification and data capture. In: Proc. HICSS 2009, pp. 1–11. IEEE CS (2009)
Gurevich, Y., Neeman, I.: Dkal: Distributed-knowledge authorization language. In: Proceedings of CSF, pp. 149–162. IEEE CS (2008)
Gurevich, Y., Roy, A.: Operational Semantics for DKAL: Application and Analysis. In: Fischer-Hübner, S., Lambrinoudakis, C., Pernul, G. (eds.) TrustBus 2009. LNCS, vol. 5695, pp. 149–158. Springer, Heidelberg (2009)
Hurlin, C., Kirchner, H.: Semi-automatic synthesis of security policies by invariant-guided abduction. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 157–175. Springer, Heidelberg (2011)
Lamport, L., Schneider, F.B.: Pretending atomicity. Technical report. In: Research Report 44, Digital Equipment Corporation Systems Research (1989)
Li, N., Mitchell, J.C.: DATALOG with constraints: A foundation for trust management languages. In: Dahl, V. (ed.) PADL 2003. LNCS, vol. 2562, pp. 58–73. Springer, Heidelberg (2002)
Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9, 391–420 (2006)
Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management. Journal of Computer Security 11(1), 35–86 (2003)
Pruesse, G., Ruskey, F.: Generating Linear Extensions Fast. SIAM J. Comp. 23(2), 373–386 (1994)
Ranise, S.: On the Verification of Security-Aware E-services. Journal of Symbolic Computation 47, 1066–1088 (2012)
Rudolph, E., Graubmann, P., Grabowski, J.: Tutorial on message sequence charts. Computer Networks and ISDN Systems 28(12), 1629–1641 (1996)
Shin, D., Wysk, R., Rothrock, L.: Formal model of human material-handling tasks for control of manufacturing systems. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans 36(4), 685–696 (2006)
Tan, K., Crampton, J., Gunter, C.: The consistency of task-based authorization constraints in workflow. In: Proc. CSF, pp. 155–169. IEEE CS (2004)
Yasmeen, A., Gunter, E.: Automated framework for formal operator task analysis. In: Proc. ISSTA 2011 (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Barletta, M., Ranise, S., Viganò, L. (2013). Automated Analysis of Scenario-Based Specifications of Distributed Access Control Policies with Non-mechanizable Activities. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds) Security and Trust Management. STM 2012. Lecture Notes in Computer Science, vol 7783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38004-4_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-38004-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38003-7
Online ISBN: 978-3-642-38004-4
eBook Packages: Computer ScienceComputer Science (R0)