Validation of security policies by the animation of Z specifications

Authors:
Yves Ledru;Nafees Qamar;Akram Idani;Jean-Luc Richier;Mohamed-Amine Labiadh
Affiliations:
UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Grenoble, France;INRIA Rhône Alpes & UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Grenoble, France;UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Grenoble, France;UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Grenoble, France;UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Grenoble, France
Venue:
Proceedings of the 16th ACM symposium on Access control models and technologies
Year:
2011

Citing 13
Cited 2

The object constraint language: precise modeling with UML

The object constraint language: precise modeling with UML
Proposed NIST standard for role-based access control

ACM Transactions on Information and System Security (TISSEC)
An Overview of RoZ: A Tool for Integrating UML and Z Specifications

CAiSE '00 Proceedings of the 12th International Conference on Advanced Information Systems Engineering
Role-Based Access Control

Role-Based Access Control
Model driven security: From UML models to access control infrastructures

ACM Transactions on Software Engineering and Methodology (TOSEM)
Software Abstractions: Logic, Language, and Analysis

Software Abstractions: Logic, Language, and Analysis
Using Jaza to Animate RoZ Specifications of UML Class Diagrams

SEW '06 Proceedings of the 30th Annual IEEE/NASA Software Engineering Workshop
USE: A UML-based specification environment for validating UML and OCL

Science of Computer Programming
ProB: an automated analysis toolset for the B method

International Journal on Software Tools for Technology Transfer (STTT)
Analyzing and Managing Role-Based Access Control Policies

IEEE Transactions on Knowledge and Data Engineering
Automated analysis of security-design models

Information and Software Technology
Ensuring spatio-temporal access control for real-world applications

Proceedings of the 14th ACM symposium on Access control models and technologies
Secure Systems Development with UML

Secure Systems Development with UML

Validation of security-design models using Z

ICFEM'11 Proceedings of the 13th international conference on Formal methods and software engineering
Towards a formal analysis of dynamic reconfiguration in WS-BPEL

Intelligent Decision Technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

Designing a security policy for an information system is a non-trivial task. In this paper, we consider the design of a security policy based on a variant of the RBAC model, close to SecureUML. This variant includes constraints for the separation of duty, as well as contextual constraints. Contextual constraints use information about the state of the functional model of the application to grant permissions to users. These constraints add flexibility to the security policy, but make its validation more difficult. In this paper, we first review two tools, USE and SecureMOVA, which can be used to analyse and validate a security policy. These tools focus on analyses of static aspects of the secured system. We then propose a new tool, based on the Z formal language, which uses animation of the specification to validate the static as well as dynamic aspects of the security policy, taking into account possible evolutions of the state of the functional model. We discuss how the security policy and the functional application are described to the tool, and what kind of queries and animations can be performed to analyse nominal and malicious behaviours of the system.