research-article

Challenges in model-based evolution and merging of access control policies

Authors:

Lionel Montrieux,

Michel Wermelinger,

Yijun YuAuthors Info & Claims

IWPSE-EVOL '11: Proceedings of the 12th International Workshop on Principles of Software Evolution and the 7th annual ERCIM Workshop on Software Evolution

Pages 116 - 120

https://doi.org/10.1145/2024445.2024467

Published: 05 September 2011 Publication History

Abstract

Access Control plays a crucial part in software security, as it is responsible for making sure that users have access to the resources they need while being forbidden from accessing resources they do not need. Access control models such as Role-Based Access Control have been developed to help system administrators deal with the increasing complexity of the rules that determine whether or not a particular user should access a particular resource. These rules, as well as the users and their needs, are likely to evolve over time. In some cases, it may even be necessary to merge several access control configurations into a single one. In this position paper, we review existing research in model-based software evolution and merging, and argue the need for a specific approach for access control in order to take its specific requirements into account.

References

[1]

K. Alghathbar and D. Wijesekera. authUML: a three-phased framework to analyze access control specifications in use cases. In Proc. workshop on Formal methods in security engineering, pages 77--86. ACM, 2003.

Digital Library

[2]

D. Basin, J. Doser, and T. Lodderstedt. Model driven security for process-oriented systems. In Proc. symposium on Access control models and technologies, pages 100--109. ACM, 2003.

Digital Library

[3]

X. Blanc, A. Mougenot, I. Mounier, and T. Mens. Incremental detection of model inconsistencies based on model operations. In Proc. Int'l conf. on Advanced Information Systems Engineering, pages 32--46. Springer-Verlag, 2009.

Digital Library

[4]

A. Egyed. Instant consistency checking for the UML. In Proc. Int'l conf. on Software engineering, pages 381--390. ACM, 2006.

Digital Library

[5]

A. Egyed. Fixing Inconsistencies in UML Design Models. In Proc. Int'l conf. on Software Engineering, pages 292--301. IEEE, 2007.

Digital Library

[6]

A. Egyed, E. Letier, and A. Finkelstein. Generating and Evaluating Choices for Fixing Inconsistencies in UML Design Models. In Proc. Int'l conf. on Automated Software Engineering, pages 99--108. ACM, 2008.

Digital Library

[7]

E. Fernández-Medina, J. Jürjens, J. Trujillo, and S. Jajodia. Model-driven development for secure information systems. Information and Software Technology, 51(5):809--814, 2009.

Digital Library

[8]

S. Judson, R. France, and D. Carver. Supporting rigorous evolution of uml models. In Proc. Int'l conf. on Engineering Complex Computer Systems, pages 128--137. IEEE, 2004.

Digital Library

[9]

J. Jürjens. Secure Systems Development with UML. Springer-Verlag, 2005.

Digital Library

[10]

J. Jürjens, L. Marchal, M. Ochoa, and H. Schmidt. Incremental security verification for evolving umlsec models. In Proc. European Conf. on Modelling Foundations and Applications, pages 52--68. Springer, 2011.

Digital Library

[11]

A. Kalam, R. Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miege, C. Saurel, and G. Trouessin. Organization based access control. In Proc. int'l workshop on Policies for Distributed Systems and Networks, pages 120--131. IEEE, 2003.

Digital Library

[12]

T. Lodderstedt, D. A. Basin, and J. Doser. SecureUML: A UML-Based Modeling Language for Model-Driven Security. In Proc. Int'l conf. on The Unified Modeling Language, pages 426--441. Springer-Verlag, 2002.

Digital Library

[13]

T. Mens. A state-of-the-art survey on software merging. Software Engineering, IEEE Transactions on, 28(5):449--462, may 2002.

Digital Library

[14]

T. Mens and T. D'Hondt. Automating Support for Software Evolution in UML. Automated Software Engg., 7(1):39--59, 2000.

Digital Library

[15]

T. Mens and R. V. D. Straeten. Incremental resolution of model inconsistencies. In Proc. Int'l conf. on Recent trends in algebraic development techniques, pages 111--126. Springer-Verlag, 2007.

Digital Library

[16]

T. Mens and P. Van Gorp. A taxonomy of model transformation. Electron. Notes Theor. Comput. Sci., 152:125--142, 2006.

Digital Library

[17]

T. Mens, M. Wermelinger, S. Ducasse, S. Demeyer, R. Hirschfeld, and M. Jazayeri. Challenges in software evolution. In Proc. Int'l Workshop on Principles of Software Evolution, pages 13--22. IEEE, 2005.

Digital Library

[18]

L. Montrieux, M. Wermelinger, and Y. Yu. Tool Support for UML-Based Specification and Verification of Role-Based Access Control Properties. In Proc. joint meeting of the European Software Engineering Conference and ACM SIGSOFT International Symposium on Foundations of Software Engineering. ACM, 2011.

Digital Library

[19]

C. Nentwich, L. Capra, W. Emmerich, and A. Finkelstein. xlinkit: a consistency checking and smart link generation service. ACM Trans. Internet Technol., 2:151--185, May 2002.

Digital Library

[20]

Q. Ni, E. Bertino, J. Lobo, C. Brodie, C.-M. Karat, J. Karat, and A. Trombeta. Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur., 13(3):1--31, 2010.

Digital Library

[21]

R. S. Sandhu, D. F. Ferraiolo, and D. R. Kuhn. The NIST model for role-based access control: towards a unified standard. In Proc. Workshop on Role-Based Access Control, pages 47--63. ACM, 2000.

Digital Library

[22]

R. Van Der Straeten, T. Mens, and S. Van Baelen. Challenges in model-driven software engineering. In Models in Software Engineering, volume 5421 of LNCS, pages 35--47. Springer, 2009.

Cited By

Laverdière MJulien KMerlo E(2021)RBAC protection-impacting changes identificationInformation and Software Technology10.1016/j.infsof.2021.106630139:COnline publication date: 1-Nov-2021
https://dl.acm.org/doi/10.1016/j.infsof.2021.106630
Garg SMehrotra DBhartiya S(2021)Dynamic Access Control Solution for Cross-Tenancy in a Cloud EnvironmentSecurity Issues and Privacy Threats in Smart Ubiquitous Computing10.1007/978-981-33-4996-4_7(111-129)Online publication date: 9-Apr-2021
https://doi.org/10.1007/978-981-33-4996-4_7
Han ZLi XXu GXiong NMerlo EStroulia E(2020)An Effective Evolutionary Analysis Scheme for Industrial Software Access Control ModelsIEEE Transactions on Industrial Informatics10.1109/TII.2019.292542216:2(1024-1034)Online publication date: Feb-2020
https://doi.org/10.1109/TII.2019.2925422
Show More Cited By

Index Terms

Challenges in model-based evolution and merging of access control policies
1. Computing methodologies
  1. Modeling and simulation
    1. Model development and analysis
      1. Model verification and validation

Recommendations

Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL

Context: Role-based access control (RBAC) has become the de facto standard for access management in various large-scale organizations. Often role-based policies must implement organizational rules to satisfy compliance or authorization requirements, ...
Tool support for UML-based specification and verification of role-based access control properties
ESEC/FSE '11: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering

It has been argued that security perspectives, of which access control is one, should be taken into account as early as possible in the software development process. Towards that goal, we present in this paper a tool supporting our modelling approach to ...
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IWPSE-EVOL '11: Proceedings of the 12th International Workshop on Principles of Software Evolution and the 7th annual ERCIM Workshop on Software Evolution

September 2011

140 pages

ISBN:9781450308489

DOI:10.1145/2024445

Program Chairs:
Anthony Cleve
University of Namur, Belgium
,
Romain Robbes
University of Chile, Chile

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 September 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE'11

Sponsor:

SIGSOFT

ESEC/FSE'11: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

September 5 - 6, 2011

Szeged, Hungary

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
120
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)1

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Laverdière MJulien KMerlo E(2021)RBAC protection-impacting changes identificationInformation and Software Technology10.1016/j.infsof.2021.106630139:COnline publication date: 1-Nov-2021
https://dl.acm.org/doi/10.1016/j.infsof.2021.106630
Garg SMehrotra DBhartiya S(2021)Dynamic Access Control Solution for Cross-Tenancy in a Cloud EnvironmentSecurity Issues and Privacy Threats in Smart Ubiquitous Computing10.1007/978-981-33-4996-4_7(111-129)Online publication date: 9-Apr-2021
https://doi.org/10.1007/978-981-33-4996-4_7
Han ZLi XXu GXiong NMerlo EStroulia E(2020)An Effective Evolutionary Analysis Scheme for Industrial Software Access Control ModelsIEEE Transactions on Industrial Informatics10.1109/TII.2019.292542216:2(1024-1034)Online publication date: Feb-2020
https://doi.org/10.1109/TII.2019.2925422
Laverdiere MMerlo E(2017)Computing counter-examples for privilege protection losses using security models2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER.2017.7884625(240-249)Online publication date: Feb-2017
https://doi.org/10.1109/SANER.2017.7884625
Brunner MSillaber CBreu R(2017)Towards Automation in Information Security Management Systems2017 IEEE International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS.2017.26(160-167)Online publication date: Jul-2017
https://doi.org/10.1109/QRS.2017.26
Laverdiere MMerlo E(2017)Classification and Distribution of RBAC Privilege Protection Changes in Wordpress Evolution (Short Paper)2017 15th Annual Conference on Privacy, Security and Trust (PST)10.1109/PST.2017.00048(349-3495)Online publication date: Aug-2017
https://doi.org/10.1109/PST.2017.00048
Han ZMérineau MGauthier FMerlo ELi XStroulia E(2015)Evolutionary analysis of access control modelsProceedings of the 25th Annual International Conference on Computer Science and Software Engineering10.5555/2886444.2886489(261-264)Online publication date: 2-Nov-2015
https://dl.acm.org/doi/10.5555/2886444.2886489
Felderer MKatt BKalb PJürjens JOchoa MPaci FTran LTun TYskout KScandariato RPiessens FVanoverberghe DFourneret EGander MSolhaug BBreu R(2015)Evolution of Security Engineering ArtifactsTransportation Systems and Engineering10.4018/978-1-4666-8473-7.ch074(1508-1562)Online publication date: 2015
https://doi.org/10.4018/978-1-4666-8473-7.ch074
Dao TTo VTruong NChu QNguyen V(2015)Integrating and checking access permissions in object oriented models2015 2nd National Foundation for Science and Technology Development Conference on Information and Computer Science (NICS)10.1109/NICS.2015.7302220(49-53)Online publication date: Sep-2015
https://doi.org/10.1109/NICS.2015.7302220
Felderer MKatt BKalb PJürjens JOchoa MPaci FTran LTun TYskout KScandariato RPiessens FVanoverberghe DFourneret EGander MSolhaug BBreu R(2014)Evolution of Security Engineering ArtifactsInternational Journal of Secure Software Engineering10.4018/ijsse.20141001035:4(48-98)Online publication date: Oct-2014
https://doi.org/10.4018/ijsse.2014100103

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents