Towards formal specification and verification of a role-based authorization engine using JML

  • Authors: Tanveer Mustafa, Michael Drouineaud, Karsten Sohr
  • Affiliations: Universität Bremen, Germany (all three authors)
  • Venue: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
  • Year: 2010


Abstract

Employing flexible access control mechanisms, formally specifying and correctly implementing the relevant security properties, and ensuring that the implementation satisfies its formal specification are important steps towards higher-level, organization-wide access control that preserves software quality. In the access control arena, role-based access control (RBAC) has emerged as a powerful model for laying out and developing higher-level organizational rules such as separation of duty, and for simplifying the access management process. One of the important aspects of RBAC is authorization constraints, which allow one to express such organizational rules. On the other hand, the Java Modeling Language (JML) has evolved into a flexible formal behavioral interface specification language that can be used as a Design by Contract (DBC) approach for developing software written in Java. In this paper, we adopt JML as a DBC approach to implement a prototype of a role-based authorization engine. We specifically focus on how JML can be used to precisely specify the functional behavior of the authorization engine, including constraints such as authorization constraints and integrity constraints. We employ a few JML tools to verify the correctness of the implementation of the authorization engine against its JML specification.
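To make the approach concrete, the following is an added sketch (not the paper's prototype) of how JML contracts can express the kinds of constraints the abstract names: a static separation-of-duty authorization constraint and a referential integrity constraint on role assignments. The class, method and field names are hypothetical; the annotations use standard JML syntax (`invariant`, `requires`, `ensures`, `pure`, `spec_public`) so that a runtime assertion checker or static verifier can check them.

```java
import java.util.*;

/** Toy RBAC authorization engine with JML contracts (constructed example, not the paper's code). */
public class RbacEngine {
    /** Declared roles; assignments may only reference these (integrity constraint). */
    private /*@ spec_public @*/ final Set<String> roles = new HashSet<>();
    /** Mutually exclusive role pairs (static separation of duty). */
    private /*@ spec_public @*/ final Set<Set<String>> sodPairs = new HashSet<>();
    /** User-to-role assignment relation UA. */
    private /*@ spec_public @*/ final Map<String, Set<String>> ua = new HashMap<>();

    // Class invariants: every non-pure method must preserve them (checked by JML tools).
    //@ public invariant assignmentsReferenceDeclaredRoles();
    //@ public invariant noStaticSodViolation();

    /*@ pure @*/ public boolean assignmentsReferenceDeclaredRoles() {
        for (Set<String> rs : ua.values()) if (!roles.containsAll(rs)) return false;
        return true;
    }
    /*@ pure @*/ public boolean noStaticSodViolation() {
        for (String u : ua.keySet()) for (String r : ua.get(u)) if (conflicts(u, r)) return false;
        return true;
    }
    /*@ pure @*/ public boolean isExclusive(String a, String b) {
        return !a.equals(b) && sodPairs.contains(Set.of(a, b));
    }
    /** True iff u already holds a role that is mutually exclusive with r. */
    /*@ pure @*/ public boolean conflicts(String u, String r) {
        if (!ua.containsKey(u)) return false;
        for (String x : ua.get(u)) if (isExclusive(x, r)) return true;
        return false;
    }
    /*@ pure @*/ public boolean nobodyHoldsBoth(String a, String b) {
        for (Set<String> rs : ua.values()) if (rs.contains(a) && rs.contains(b)) return false;
        return true;
    }
    //@ ensures roles.contains(r);
    public void addRole(String r) { roles.add(r); }

    // Authorization constraint: declaring an SoD pair must not retroactively violate it.
    //@ requires roles.contains(a) && roles.contains(b) && !a.equals(b) && nobodyHoldsBoth(a, b);
    //@ ensures isExclusive(a, b);
    public void addSodPair(String a, String b) { sodPairs.add(Set.of(a, b)); }

    // Integrity constraint (role declared) and SoD check as preconditions; effect as postcondition.
    //@ requires roles.contains(r) && !conflicts(u, r);
    //@ ensures ua.containsKey(u) && ua.get(u).contains(r);
    public void assignRole(String u, String r) { ua.computeIfAbsent(u, k -> new HashSet<>()).add(r); }
}
```

A call such as `assignRole("alice", "auditor")` after `addSodPair("auditor", "payer")` and `assignRole("alice", "payer")` violates the precondition, so a JML runtime checker reports the constraint breach at the call site rather than letting the invariant silently break.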