Constructing authorization systems using assurance management framework

Authors:
Hongxin Hu;Gail-Joon Ahn
Affiliations:
Security Engineering for Future Computing Laboratory, School of Computing, Informatics, and Decision Systems Engineering, Ira A. Fulton Schools of Engineering, Arizona State University, Tempe, AZ;Security Engineering for Future Computing Laboratory, School of Computing, Informatics, and Decision Systems Engineering, Ira A. Fulton Schools of Engineering, Arizona State University, Tempe, AZ
Venue:
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
Year:
2010

Citing 31
Cited 0

Role-Based Access Control Models

Computer
Towards a UML based approach to role engineering

RBAC '99 Proceedings of the fourth ACM workshop on Role-based access control
Application of XML tools for enterprise-wide RBAC implementation tasks

RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
An access control model for simplifying constraint expression

Proceedings of the 7th ACM conference on Computer and communications security
Role-based authorization constraints specification

ACM Transactions on Information and System Security (TISSEC)
Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
Alloy: a lightweight object modelling notation

ACM Transactions on Software Engineering and Methodology (TOSEM)
A lightweight approach to specification and analysis of role-based access control extensions

SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
A graph-based formalism for RBAC

ACM Transactions on Information and System Security (TISSEC)
A model of OASIS role-based access control and its support for active security

ACM Transactions on Information and System Security (TISSEC)
UML-Based Representation of Role-Based Access Control

WETICE '00 Proceedings of the 9th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
Role-Based Authorization Constraints Specification Using Object Constraint Language

WETICE '01 Proceedings of the 10th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
SecureUML: A UML-Based Modeling Language for Model-Driven Security

UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
UMLsec: Extending UML for Secure Systems Development

UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
The Object Constraint Language: Getting Your Models Ready for MDA

The Object Constraint Language: Getting Your Models Ready for MDA
A Logical Language for Expressing Authorizations

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
The Pragmatics of Model-Driven Development

IEEE Software
Using uml to visualize role-based access control constraints

Proceedings of the ninth ACM symposium on Access control models and technologies
MAC and UML for secure software design

Proceedings of the 2004 ACM workshop on Formal methods in security engineering
authUML: a three-phased framework to analyze access control specifications in use cases

Proceedings of the 2003 ACM workshop on Formal methods in security engineering
Verification and change-impact analysis of access-control policies

Proceedings of the 27th international conference on Software engineering
Articulating and enforcing authorisation policies with UML and OCL

SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Model driven security: From UML models to access control infrastructures

ACM Transactions on Software Engineering and Methodology (TOSEM)
A fault model and mutation testing of access control policies

Proceedings of the 16th international conference on World Wide Web
Towards realizing a formal RBAC model in real systems

Proceedings of the 12th ACM symposium on Access control models and technologies
Testing Security Policies: Going Beyond Functional Testing

ISSRE '07 Proceedings of the The 18th IEEE International Symposium on Software Reliability
Enabling verification and conformance testing for access control model

Proceedings of the 13th ACM symposium on Access control models and technologies
Ensuring spatio-temporal access control for real-world applications

Proceedings of the 14th ACM symposium on Access control models and technologies
Security-enhanced OSGi service environments

IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
Roles in Information Systems: A Survey

IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
Secure knowledge management: confidentiality, trust, and privacy

IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans

Quantified Score

Hi-index	0.00

Visualization

Abstract

Model-driven approach has recently received much attention in developing secure software and systems. In addition, software developers have attempted to employ such an emerging approach in the early stage of software development life cycle. However, security concerns are rarely considered and practiced due to the lack of appropriate systematic mechanisms and tools. In this paper, we introduce a multilayered software development life cycle (SDLC), which is based on an assurance management framework (AMF), focusing on the development of authorization systems. AMF facilitates comprehensive realization of formal security model, security policy specification and verification, generation of security enforcement codes, and rigorous conformance testing. We also articulate our experience in analyzing role-based authorization requirements and realizing those requirements in constructing a role-based authorization system.