skip to main content
10.1145/2593929.2593945acmconferencesArticle/Chapter ViewAbstractPublication PagesicseConference Proceedingsconference-collections
Article

Run-time generation, transformation, and verification of access control models for self-protection

Published: 02 June 2014 Publication History

Abstract

Self-adaptive access control, in which self-* properties are applied to protecting systems, is a promising solution for the handling of malicious user behaviour in complex infrastructures. A major challenge in self-adaptive access control is ensuring that chosen adaptations are valid, and produce a satisfiable model of access. The contribution of this paper is the generation, transformation and verification of Role Based Access Control (RBAC) models at run-time, as a means for providing assurances that the adaptations to be deployed are valid. The goal is to protect the system against insider threats by adapting at run-time the access control policies associated with system resources, and access rights assigned to users. Depending on the type of attack, and based on the models from the target system and its environment, the adapted access control models need to be evaluated against the RBAC metamodel, and the adaptation constraints related to the application. The feasibility of the proposed approach has been demonstrated in the context of a fully working prototype using malicious scenarios inspired by a well documented case of insider attack.

References

[1]
rbacDSML tool, 2009-2014. http://computing-research.open.ac.uk/rbac/ {accessed January 2014}.
[2]
G.-J. Ahn and M. E. Shin. Role-Based Authorization Constraints Specification Using Object Constraint Language. In Proceedings of the 10th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, WETICE ’01, pages 157–162. IEEE Computer Society, 2001.
[3]
C. Bailey, D. W. Chadwick, and R. de Lemos. Self-adaptive authorization framework for policy based rbac/abac models. In Proceedings of the 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, DASC ’11, pages 37–44, Washington, DC, USA, 2011. IEEE Computer Society.
[4]
C. Bailey, D. W. Chadwick, and R. de Lemos. Self-adaptive federated authorization infrastructures. Journal of Computer and System Sciences, 2014.
[5]
C. Bailey, D. W. Chadwick, R. de Lemos, and K. W. S. Siu. Enabling the autonomic management of federated identity providers. In Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security: Emerging Management Mechanisms for the Future Internet - Volume 7943, AIMS’13, pages 100–111, Berlin, Heidelberg, 2013. Springer-Verlag.
[6]
A. K. Bandara, E. C. Lupu, and A. Russo. Using event calculus to formalise policy specification and analysis. In Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY ’03, pages 26–. IEEE Computer Society, 2003.
[7]
D. Basin, M. Clavel, and M. Egea. A decade of model-driven security. In Proceedings of the 16th ACM symposium on Access control models and technologies, SACMAT ’11, pages 1–10. ACM, 2011.
[8]
D. Basin, J. Doser, and T. Lodderstedt. Model driven security: From UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol., 15(1):39–91, Jan. 2006.
[9]
BBC. Credit card details on 20 million south koreans stolen. BBC, January 2014. http://www.bbc.co.uk/news/technology-25808189 {accessed January 2014}.
[10]
E. Bertino, A. Kamra, E. Terzi, and A. Vakali. Intrusion detection in rbac-administered databases. In Proceedings of the 21st Annual Computer Security Applications Conference, ACSAC ’05, pages 170–182, Washington, DC, USA, 2005. IEEE Computer Society.
[11]
J. Bézivin. Model driven engineering: An emerging technical space. In R. Laemmel, J. Saraiva, and J. Visser, editors, Generative and Transformational Techniques in Software Engineering, volume 4143 of Lecture Notes in Computer Science, pages 36–64. Springer Berlin Heidelberg, 2006.
[12]
R. Booth, H. Brooke, and S. Moriss. Wikileaks cables: Bradley manning faces 52 years in jail. The Guardian, 30 November 2010.
[13]
D. M. Cappelli, A. P. Moore, and R. F. Trzeciak. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes. Addison-Wesley Professional, 1st edition, 2012.
[14]
D. Chadwick, G. Zhao, S. Otenko, R. Laborde, L. Su, and T. A. Nguyen. Permis: A modular authorization infrastructure. Concurr. Comput. : Pract. Exper., 20(11):1341–1357, Aug. 2008.
[15]
¸ C. Cirit and F. Buzluca. A UML profile for role-based access control. In Proceedings of the 2nd international conference on Security of information and networks, SIN ’09, pages 83–92. ACM, 2009.
[16]
R. Craven, J. Lobo, E. Lupu, A. Russo, and M. Sloman. Policy refinement: Decomposition and operationalization for dynamic domains. In Proceedings of the 7th International Conference on Network and Services Management, CNSM ’11, pages 115–123, Laxenburg, Austria, Austria, 2011. International Federation for Information Processing.
[17]
K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz. Verification and change-impact analysis of access-control policies. In Proceedings of the 27th international conference on Software engineering, ICSE ’05, pages 196–205. ACM, 2005.
[18]
M. Gofman, R. Luo, A. Solomon, Y. Zhang, P. Yang, and S. Stoller. RBAC-PAT: A Policy Analysis Tool for Role Based Access Control. In Tools and Algorithms for the Construction and Analysis of Systems, volume 5505 of Lecture Notes in Computer Science, pages 46–49. Springer, 2009.
[19]
G. Hughes and T. Bultan. Automated verification of access control policies using a sat solver. Int. J. Softw. Tools Technol. Transf., 10(6):503–520, Oct. 2008.
[20]
IBM. Rational Software Architect 8.0.4, 2012.
[21]
F. Jouault, F. Allilaire, J. Bézivin, and I. Kurtev. Atl: A model transformation tool. Sci. Comput. Program., 72(1-2):31–39, June 2008.
[22]
J. Jürjens. Secure Systems Development with UML. Springer-Verlag, 2005.
[23]
J. O. Kephart and D. M. Chess. The vision of autonomic computing. Computer, 36(1):41–50, Jan. 2003.
[24]
D.-K. Kim, I. Ray, R. France, and N. Li. Modeling Role-Based Access Control Using Parameterized UML Models. In M. Wermelinger and T. Margaria-Steffen, editors, Fundamental Approaches to Software Engineering, volume 2984 of Lecture Notes in Computer Science, pages 180–193. Springer Berlin Heidelberg, 2004.
[25]
V. Koutsonikola and A. Vakali. Ldap: Framework, practices, and trends. IEEE Internet Computing, 8(5):66–72, Sept. 2004.
[26]
M. Kuhlmann, K. Sohr, and M. Gogolla. Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL. In Proceedings of the 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement, SSIRI ’11, pages 108–117. IEEE Computer Society, 2011.
[27]
L. Montrieux. Model-Based Analysis of Role-Based Access Control. PhD thesis, The Open University, 2013.
[28]
H. M. Moore. Andrew and M. David. A pattern for increased monitoring for intellectual property theft by departing insiders. Technical Report CMU/SEI-2012-TR-008, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2012.
[29]
R. L. Morgan, S. Cantor, S. Carmody, W. Hoehn, and K. Klingenstein. Federated security: The shibboleth approach. EDUCAUSE Quarterly, 27(4):12–17, 2004.
[30]
NIST. INCITS 359-2004 - Role Based Access Control, 03 2004.
[31]
OASIS. eXtensible Access Control Markup Language (XACML). https://www.oasis-open.org/committees/xacml (Last accessed May 2013).
[32]
OASIS. XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile, 2010.
[33]
OMG. Meta Object Facility (MOF) 2.0.
[34]
M. Rohr, M. Boskovic, S. Giesecke, and W. Hasselbring. Model-driven development of selfmanaging software systems. In ACM/IEEE MoDELS Workshop on Models@Runtime, 2006.
[35]
R. Sandhu. The authorization leap from rights to attributes: maturation or chaos? In Proceedings of the 17th ACM symposium on Access Control Models and Technologies, SACMAT ’12, pages 69–70. ACM, 2012.
[36]
R. Sandhu, D. Ferraiolo, and R. Kuhn. The NIST model for role-based access control: towards a unified standard. In Proceedings of the fifth ACM workshop on Role-based access control, RBAC ’00, pages 47–63. ACM, 2000.
[37]
K. Sohr, G.-J. Ahn, and L. Migge. Articulating and enforcing authorisation policies with UML and OCL. ACM SIGSOFT Software Engineering Notes, 30(4):1–7, 2005.
[38]
E. Song, R. Reddy, R. France, I. Ray, G. Georg, and R. Alexander. Verifiable composition of access control and application features. In SACMAT ’05: Proceedings of the tenth ACM symposium on Access control models and technologies, pages 120–129. ACM, 2005.
[39]
W. Sun, R. France, and I. Ray. Rigorous Analysis of UML Access Control Policy Models. In Proceedings of the 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY ’11, pages 9–16. IEEE Computer Society, 2011.
[40]
L. Wang, D. Wijesekera, and S. Jajodia. A logic-based framework for attribute based access control. In Proceedings of the 2004 ACM workshop on Formal methods in security engineering, FMSE ’04, pages 45–55. ACM, 2004.

Cited By

View all
  • (2025)Comparing effectiveness and efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools in a large java-based systemEmpirical Software Engineering10.1007/s10664-025-10621-530:3Online publication date: 1-Jun-2025
  • (2024)A Game-Theoretical Self-Adaptation Framework for Securing Software-Intensive SystemsACM Transactions on Autonomous and Adaptive Systems10.1145/365294919:2(1-49)Online publication date: 20-Apr-2024
  • (2024)Bio-inspired computing systems: handle with care, discard if need itProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644096(107-109)Online publication date: 15-Apr-2024
  • Show More Cited By

Index Terms

  1. Run-time generation, transformation, and verification of access control models for self-protection

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    SEAMS 2014: Proceedings of the 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems
    June 2014
    174 pages
    ISBN:9781450328647
    DOI:10.1145/2593929
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    In-Cooperation

    • TCSE: IEEE Computer Society's Tech. Council on Software Engin.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 02 June 2014

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. adaptive security
    2. model verification
    3. rbac
    4. self-adaptation

    Qualifiers

    • Article

    Conference

    ICSE '14
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 17 of 31 submissions, 55%

    Upcoming Conference

    ICSE 2025

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)5
    • Downloads (Last 6 weeks)2
    Reflects downloads up to 20 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2025)Comparing effectiveness and efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools in a large java-based systemEmpirical Software Engineering10.1007/s10664-025-10621-530:3Online publication date: 1-Jun-2025
    • (2024)A Game-Theoretical Self-Adaptation Framework for Securing Software-Intensive SystemsACM Transactions on Autonomous and Adaptive Systems10.1145/365294919:2(1-49)Online publication date: 20-Apr-2024
    • (2024)Bio-inspired computing systems: handle with care, discard if need itProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644096(107-109)Online publication date: 15-Apr-2024
    • (2021)Engineering Secure Self-Adaptive Systems with Bayesian GamesFundamental Approaches to Software Engineering10.1007/978-3-030-71500-7_7(130-151)Online publication date: 20-Mar-2021
    • (2019)Template-based model generationSoftware and Systems Modeling (SoSyM)10.1007/s10270-017-0634-518:3(2051-2092)Online publication date: 18-Jul-2019
    • (2019)Challenges in Engineering Self-Adaptive Authorisation InfrastructuresEngineering Adaptive Software Systems10.1007/978-981-13-2185-6_3(57-94)Online publication date: 15-Jan-2019
    • (2018)Self-adaptive authorisation in OpenStack cloud platformJournal of Internet Services and Applications10.1186/s13174-018-0090-79:1Online publication date: 16-Sep-2018
    • (2018)Generating Cloud Monitors from Models to Secure Clouds2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN.2018.00060(526-533)Online publication date: Jun-2018
    • (2018)Evaluating Self-Adaptive Authorisation Infrastructures Through Gamification2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN.2018.00058(502-513)Online publication date: Jun-2018
    • (2017)A game-theoretic decision-making framework for engineering self-protecting software systemsProceedings of the 39th International Conference on Software Engineering Companion10.1109/ICSE-C.2017.43(449-452)Online publication date: 20-May-2017
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media