
Specification and verification of security requirements in a programming model for decentralized CSCW systems

Published: 01 May 2007

Abstract

This paper presents a role-based model for programming distributed CSCW systems. The model supports specification of dynamic security and coordination requirements in such systems. We also present a model-checking methodology for verifying the security properties of a design expressed in this model. The verification methodology serves two purposes: to ensure the correctness and consistency of a design specification, and to ensure that sensitive security requirements cannot be violated when policy enforcement functions are distributed among the participants. Several aspect-specific verification models are developed to check security properties such as task-flow constraints, information flow, confidentiality, and assignment of administrative privileges.
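The abstract describes checking security properties of a role-based collaboration design by finite-state model checking, with enforcement distributed among the participants. The following Python block is an added illustration of that idea and is not the paper's model, notation or tooling. Everything in it is constructed for the example: three hypothetical participants (alice, bob, carol), an administrator who grants the operational roles author and reviewer, a two-step task flow (submit, then approve), two policy variants ("weak" and "strict") that differ only in which local checks the acting participant performs, and three invariants (task-flow order, separation of duty, and that an administrator never also holds the reviewer role). An exhaustive breadth-first exploration of the reachable states returns the shortest event sequence that violates an invariant, or None if none exists, so the reader can see the design flaw in the weak policy as a concrete trace.

```python
"""Added example: explicit-state model checking of a role-based task-flow policy.

Toy model constructed for this illustration (not the paper's design or tool):
three users collaborate on a document; an administrator assigns operational
roles, an author submits, a reviewer approves. Two policy variants are checked
against three invariants by exhaustive breadth-first exploration of the
reachable state space; the shortest violating trace is returned.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Event = Tuple[str, ...]
# State = (role memberships, who submitted, who approved)
State = Tuple[FrozenSet[Tuple[str, str]], Optional[str], Optional[str]]

USERS = ("alice", "bob", "carol")          # hypothetical participants
ASSIGNABLE = ("author", "reviewer")        # operational roles an admin may grant
INITIAL: State = (frozenset({("carol", "admin")}), None, None)

# Policy variants: which local enforcement checks each participant performs.
POLICIES: Dict[str, Dict[str, bool]] = {
    "weak":   {"sod": False, "no_self_assign": False},
    "strict": {"sod": True,  "no_self_assign": True},
}

def has_role(state: State, user: str, role: str) -> bool:
    return (user, role) in state[0]

def next_states(state: State, policy: Dict[str, bool]) -> List[Tuple[Event, State]]:
    """All transitions enabled in `state` under the given policy."""
    roles, submitter, approver = state
    out: List[Tuple[Event, State]] = []
    # Administrative action: an admin grants an operational role.
    for admin in USERS:
        if not has_role(state, admin, "admin"):
            continue
        for target in USERS:
            if policy["no_self_assign"] and target == admin:
                continue                       # admin may not grant roles to itself
            for role in ASSIGNABLE:
                if (target, role) not in roles:
                    ev: Event = ("assign", admin, target, role)
                    out.append((ev, (roles | {(target, role)}, submitter, approver)))
    # Operational actions, each guarded locally by the acting participant.
    for user in USERS:
        if submitter is None and has_role(state, user, "author"):
            out.append((("submit", user), (roles, user, approver)))
        if submitter is not None and approver is None and has_role(state, user, "reviewer"):
            if policy["sod"] and user == submitter:
                continue                       # approver enforces separation of duty
            out.append((("approve", user), (roles, submitter, user)))
    return out

# Security properties, expressed as invariants over reachable states.
def task_flow(s: State) -> bool:           # approval never precedes submission
    return s[2] is None or s[1] is not None

def separation_of_duty(s: State) -> bool:  # submitter and approver differ
    return s[2] is None or s[2] != s[1]

def admin_not_reviewer(s: State) -> bool:  # admin and reviewer roles never coincide
    return not any(has_role(s, u, "admin") and has_role(s, u, "reviewer") for u in USERS)

PROPERTIES: Dict[str, Callable[[State], bool]] = {
    "task_flow": task_flow,
    "separation_of_duty": separation_of_duty,
    "admin_not_reviewer": admin_not_reviewer,
}

def check(policy_name: str, invariant: Callable[[State], bool]) -> Optional[List[Event]]:
    """Breadth-first search over reachable states. Returns the shortest event
    sequence leading to a state that violates `invariant`, or None."""
    policy = POLICIES[policy_name]
    parent: Dict[State, Tuple[Optional[State], Optional[Event]]] = {INITIAL: (None, None)}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace: List[Event] = []
            cur = s
            while parent[cur][1] is not None:   # walk parent pointers back to INITIAL
                prev, ev = parent[cur]
                trace.append(ev)
                cur = prev
            return trace[::-1]
        for ev, t in next_states(s, policy):
            if t not in parent:
                parent[t] = (s, ev)
                queue.append(t)
    return None

def verify(policy_name: str) -> Dict[str, Optional[List[Event]]]:
    """Check every property against one policy variant."""
    return {name: check(policy_name, inv) for name, inv in PROPERTIES.items()}

if __name__ == "__main__":
    for name in POLICIES:
        for prop, trace in verify(name).items():
            print(f"{name:6} {prop:20} {'OK' if trace is None else 'VIOLATED: ' + str(trace)}")
```

Under the weak policy the checker reports a one-step violation of admin_not_reviewer (the administrator grants itself the reviewer role) and a four-step separation-of-duty violation (the same user is made author and reviewer, submits, then approves its own submission); task_flow holds in both variants because the approve guard already requires a prior submit. Under the strict policy all three properties hold for every interleaving, which is the kind of assurance the abstract describes: the checks are enforced locally by each participant, and the exhaustive search confirms that no global ordering of their actions can reach a violating state.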



Published In

ACM Transactions on Information and System Security, Volume 10, Issue 2 (May 2007), 144 pages
ISSN: 1094-9224
EISSN: 1557-7406
Issue DOI: 10.1145/1237500

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. security policy specification
  2. finite state-based model checking
  3. methodology for access-control policy design
  4. role-based access control

Cited By

  • (2023) Access Control for Collaboration in Cloud Environment: A Comparative Analysis. 2023 10th International Conference on Wireless Networks and Mobile Communications (WINCOM), pp. 1-7, 26 Oct 2023. DOI: 10.1109/WINCOM59760.2023.10322977
  • (2020) A Maturity Model for Secure Requirements Engineering. Computers & Security, article 101852, May 2020. DOI: 10.1016/j.cose.2020.101852
  • (2020) Software requirements testing approaches: a systematic literature review. Requirements Engineering 25(3), pp. 317-337, 1 Sep 2020. DOI: 10.1007/s00766-019-00325-w
  • (2017) ABAC Based Online Collaborations in the Cloud. Emerging Technologies for Developing Countries, pp. 67-76, 20 Oct 2017. DOI: 10.1007/978-3-319-67837-5_7
  • (2015) Building a structured collaboration system from XML specification. 2015 IEEE/ACS 12th International Conference of Computer Systems and Applications (AICCSA), pp. 1-8, Nov 2015. DOI: 10.1109/AICCSA.2015.7507233
  • (2012) A Generative Programming Framework for Context-Aware CSCW Applications. ACM Transactions on Software Engineering and Methodology 21(2), pp. 1-35, 1 Mar 2012. DOI: 10.1145/2089116.2089121
  • (2011) Roles of users in interactive networked collaborative environment. Proceedings of the 5th WSEAS International Conference on Communications and Information Technology, pp. 164-170, 14 Jul 2011. DOI: 10.5555/2028497.2028529
  • (2011) Roles in information security - A survey and classification of the research area. Computers and Security 30(8), pp. 748-769, 1 Nov 2011. DOI: 10.1016/j.cose.2011.08.002
  • (2010) Security policies in distributed CSCW and workflow systems. IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans 40(6), pp. 1220-1231, 1 Nov 2010. DOI: 10.1109/TSMCA.2010.2046727
  • (2009) Palantir. Proceedings of the 8th Symposium on Identity and Trust on the Internet, pp. 38-51, 14 Apr 2009. DOI: 10.1145/1527017.1527023