article

Enforcing spatio-temporal access control in mobile applications

Authors:

Ramadan Abdunabi,

Indrakshi RayAuthors Info & Claims

Computing, Volume 96, Issue 4

Pages 313 - 353

https://doi.org/10.1007/s00607-013-0340-2

Published: 01 April 2014 Publication History

Abstract

Mobile application technology is quickly evolving and being progressively utilized in the commercial and public sectors. Such applications make use of spatio-temporal information to provide better services and functionalities. Authorization to such services often depends on the credentials of the user and also on the location and time. Although researchers have proposed spatio-temporal access control models for such applications, not much has been done with respect to enforcement of spatio-temporal access control. Towards this end, we provide a practical framework that allows one to enforce spatio-temporal policies in mobile applications. Our policy enforcement mechanism illustrates the practical viability of spatio-temporal authorization models and discusses potential challenges with possible solutions. Specifically, we propose an architecture for enforcing spatio-temporal access control and demonstrate its feasibility by developing a prototype. We also provide a number of protocols for granting and revoking access and formally analyze these protocols using the Alloy constraint solver to provide assurance that our proposed approach is indeed secure.

References

[1]

Schaad A, Moffett J (2002) A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the symposium on access control models and technologies (SACMAT), pp 13---22

[2]

Anne A (2004) XACML profile for role-based access control (RBAC). OASIS Access Control TC Comm Draft 1:13

[3]

Samuel A, Ghafoor A, Bertino E (2007) A framework for specification and verification of generalized spatio-temporal role based access control model. Technical report CERIAS TR 2007---08, Purdue University, West Lafayette

[4]

Chaudhuri A (2009) Language-based security on Android. In: Proceedings of the ACM workshop on programming languages and analysis for security (PLAS), pp 1---7

[5]

Shafiq B, Masood A, Joshi J, Ghafoor A (2005) A role-based access control policy verification framework for real-time systems. In: Proceedings of the workshop on object-oriented real-time dependable systems (WORDS), pp 13---20

[6]

Bose B, Sane S (2010) DTCOT: distributed timeout based transaction commit protocol for mobile database systems. In: Proceedings of the international conference and workshop on emerging trends in technology (ICWET), Mumbai, India, pp 518---523

[7]

Kim D-K, Ray I, France RB, Li N (2004) Modeling role-based access control using parameterized UML models. In: Proceedings of the 7th international conference FASE'2004, pp 180---193

[8]

Daniel J (2002) Alloy: a lightweight object modelling notation. ACM Trans Softw Eng Methodol 11(2):256---290

[9]

Daniel M, Gerald P, Richard M (1980) A locking protocol for resource coordination in distributed databases. ACM Trans Database Syst 5(2):103---138

[10]

Technische Universität Darmstadt. FlexiProvider. http://www.flexiprovider.de/overview.html/. Accessed on 30 Nov 2012

[11]

Bertino E, Catania B, Damiani ML, Perlasca P (2005) GEO-RBAC: a spatially aware RBAC. In: Proceedings of the ACM symposium on access control models and technologies (SACMAT), pp 29---37

[12]

Bertino E, Piero B, Elena F (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191---233

Digital Library

[13]

Sposaro F, Tyson G (2009) iFall: an Android application for fall monitoring and response. In: Proceedings of the annual international conference of the IEEE at Engineering in Medicine and Biology Society (EMBC), 3---6 Sept 2009, pp 6119---6122

[14]

Frank S, Window S (2004) Threat modeling (Microsoft professional). Microsoft Press, Redmond (ISBN: 0735619913)

[15]

Hansen F, Oleshchuk V (2003) SRBAC: a spatial role-based access control model for mobile systems. In: Proceedings of the 8th Nordic workshop secure IT systems (NORDSEC), pp 129---141

[16]

Ahn G, Shin M (2001) Role-based authorization constraints specification using object constraint language. In: Proceedings of the IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises (WETICE), pp 157---162

[17]

Gail-Joon A, Ravi S (2000) Role-based authorization constraints specification. ACM Trans Inf Syst Secur 3(4):207---226

[18]

US Government (2012) Global positioning system. http://www.gps.gov/. Accessed on 30 Nov 2012

[19]

Booch G, James R, Ivar J (2005) The unified modeling language user guide, 2nd edn. Addison-Wesley Professional, Boston

[20]

Grisham P, Chen C, Khurshid S, Perry D (2006) Design and validation of a security model with the Alloy analyzer. In: Proceedings of the workshop at ACM SIGSOFT first Alloy, 6th Nov 2006, Portland, OR, USA

[21]

Google Inc. (2012) Android SDK. http://developer.android.com/sdk/index.html. Accessed on 30 Nov 2012

[22]

Google Inc. (2012) The Android mobile (OS). http://www.android.com/. Accessed on 30 Nov 2012

[23]

Ray I, Kumar M, Yu L (2006) LRBAC: a location-aware role-based access control model. In: Proceedins of the 2nd international conference on information systems security (ICISS 2006), 17---21 Dec 2006, Indian Statistical institute, Kolkata, India, pp 147---161

[24]

Ray I, Toahchoodee M (2007) A spatio-temporal role-based access control model. In: Proceedings of the DBSec, pp 211---226

[25]

Jaehong P, Ravi S (2004) The $$\text{ UCON }_{\text{ ABC }}$$UCONABC usage control model. ACM Trans Inf Syst Secur 7(1):128---174

[26]

James J, Elisa B, Usman L, Arif G (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4---23

[27]

James J, Elisa B, Usman L, Arif G (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4---23

[28]

Larman C (2004) Applying UML and patterns: an introduction to object-oriented analysis and design and iterative development, 3rd edn. Prentice Hall, Englewood Cliffs

[29]

Chen L, Crampton J (2008) On spatio-temporal constraints and inheritance in role-based access control. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS), Mar 2008, pp 205---216

[30]

Lin A, Bond M, Clulow J (2007) Modeling partial attacks with Alloy. In: Proceedings of the workshop on security protocols, pp 20---33

[31]

Lockhart H, Parducci B, Levinson R (2012) OASIS eXtensible access control markup language (XACML) TC. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml/. Accessed on 30 Nov 2012

[32]

Tamer Özsu M, Valduriez P (1999) Principles of distributed database systems, 2nd edn. Prentice-Hall, Englewood cliffs (ISBN-10: 1441988335)

[33]

Toahchoodee M, Ray I (2011) On the formalization and analysis of a spatio-temporal role-based access control model. J Comput Secur 19(3):399---452

Digital Library

[34]

Toahchoodee M, Ray I, Anastasakis K, Georg G, Bordbar B (2009) Ensuring spatio-temporal access control for real-world applications. In: Proceedings of the 13th ACM symposium on access control models and technologies (SACMAT), Estes Park, CO, USA, 11---13 June 2008 pp 13---22

[35]

Manuel K, Francesco P-P (2006) UML specification of access control policies and their formal verification. Softw Syst Modell 5(4):429---447

[36]

Michael H, David L (2002) Writing secure code, 2nd edn. Microsoft Press, Redmond (ISBN: 0735617228)

[37]

Kirkpatrick M, Bertino E (2010) Enforcing spatial constraints for mobile RBAC systems. In: Proceedings of the 15th ACM symposium on access control models and technologies (SACMAT), Pittsburgh, pp 99---108

[38]

Xu M, Wijesekera D (2009) A role-based XACML administration and delegation profile and its enforcement architecture. In: Proceedings of the 6th ACM workshop on secure web services (SWS), 13 Nov 2009, Chicago, IL, USA, pp 53---60

[39]

MySQL (2012) The world's most popular open source database. http://www.mysql.com/. Accessed on 30 Nov 2012

[40]

Abdunabi R, Al-Lail M, Ray I, Robert B (2013) Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model. IEEE Syst J (to be appear)

[41]

Ravi S, Edward C, Hal F, Charles Y (1996) Role-based access control models. IEEE Comput 29(2):38---47

Digital Library

[42]

Ravi S, Kumar R, Xinwen Z (2006) Secure information sharing enabled by trusted computing and PEI models. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS'06), 21---24 Mar 2006, Taipei, Taiwan

[43]

Mondal S, Sural S (2008) Security analysis of temporal-RBAC using timed automata. In: Proceedings of the 4th international symposium on information assurance and security (IAS), 8---10 Sept 2008, pp 37---40

[44]

Ravi S (1995) Rationale for the RBAC96 family of access control models. In: Proceedings of the 1st ACM workshop on role-based access control

[45]

Subhendu A, Samrat M, Shamik S, Arun M (2009) Role based access control with spatiotemporal context for mobile applications. Trans Comput Sci 4:177---199

[46]

Subhendu A, Shamik S, Arun M (2007) STARBAC: spatio temporal role based access control. In: Proceedings of the OTM, pp 1567---1582

[47]

Syed A, Mohammad I (2011) Location-based services handbook: applications, technologies, and security. CRC Press, Boca Raton (ISBN: 1420071963)

[48]

Taghdiri M, Jackson D (2003) A lightweight formal analysis of a multicast key management scheme. In: Proceedings of the FORTE, pp 240---256

[49]

Arensman W, Whipple J, Boler M (2009) A public safety application of GPS-enabled smartphones and the Android operating system. In: Proceedings of the systems, man and cybernetics (SMC), pp 2059---2061

[50]

Sun W, France R, Ray I (2011) Rigorous analysis of UML access control policy models. In: Proceedings of the POLICY, pp 9---16

[51]

Yu L, France RB, Ray I (2008) Scenario-based static analysis of UML class models. In: Proceedings of the ACM/IEEE 11th international conference on model driven engineering languages and systems (MoDELS), Toulouse, France, pp 234---248

[52]

Yu L, France RB, Ray I, Sun W (2012) Systematic scenario-based analysis of UML design class models. In: Proceedings of a ICECCS meeting held 18---20 July 2012, Paris, France, pp 86---95

Cited By

Kossak FMashkoor A(2016)How to Select the Suitable Formal Method forźan Industrial ApplicationProceedings of the 5th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 967510.1007/978-3-319-33600-8_13(213-228)Online publication date: 23-May-2016
https://dl.acm.org/doi/10.1007/978-3-319-33600-8_13
Marcus PLinnhoff-Popien C(2014)Quality Estimation for Zone-based LBS under Realistic Positioning SystemsProceedings of the 3rd International Conference on Context-Aware Systems and Applications10.5555/2762722.2762731(42-47)Online publication date: 7-Oct-2014
https://dl.acm.org/doi/10.5555/2762722.2762731

Enforcing spatio-temporal access control in mobile applications
1. Security and privacy
  1. Security services
  2. Systems security
2. Social and professional topics
  1. Computing / technology policy

Recommendations

An Administrative Model for Spatio-Temporal Role Based Access Control
ICISS 2013: Proceedings of the 9th International Conference on Information Systems Security - Volume 8303

In the present computing environment, access control decisions are often based on contextual information like the location of users and objects as well as the time of making an access request. Several variants of Role based Access Control RBAC have ...
Specification and analysis of access control policies for mobile applications
SACMAT '13: Proceedings of the 18th ACM symposium on Access control models and technologies

Mobile applications allow individuals on-the-move access to resources "anytime, anywhere" using hand-held mobile devices. We argue that for critical and sensitive resources this is often times not desirable -- a lost or stolen mobile device can be ...
Spatio-temporal Role Based Access Control for Physical Access Control Systems
EST '13: Proceedings of the 2013 Fourth International Conference on Emerging Security Technologies

Due to the large size of the global enterprise and the complexity of job's functions within organisations, managing Physical Access Control (PAC) policies has become a challenging problem. It is therefore, very important to develop Access Control ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Computing

Computing Volume 96, Issue 4

April 2014

92 pages

ISSN:0010-485X

Issue’s Table of Contents

Copyright © Copyright © 2014 Springer-Verlag Wien.

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 April 2014

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kossak FMashkoor A(2016)How to Select the Suitable Formal Method forźan Industrial ApplicationProceedings of the 5th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 967510.1007/978-3-319-33600-8_13(213-228)Online publication date: 23-May-2016
https://dl.acm.org/doi/10.1007/978-3-319-33600-8_13
Marcus PLinnhoff-Popien C(2014)Quality Estimation for Zone-based LBS under Realistic Positioning SystemsProceedings of the 3rd International Conference on Context-Aware Systems and Applications10.5555/2762722.2762731(42-47)Online publication date: 7-Oct-2014
https://dl.acm.org/doi/10.5555/2762722.2762731

View Options

View options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents