Conformance checking of RBAC policy and its implementation

Authors:
Frode Hansen;Vladimir Oleshchuk
Affiliations:
Department of Information and Communication Technology, Agder University College, Grimstad, Norway;Department of Information and Communication Technology, Agder University College, Grimstad, Norway
Venue:
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
Year:
2005

Citing 6
Cited 6

Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems

RBAC '97 Proceedings of the second ACM workshop on Role-based access control
The role graph model and conflict of interest

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
TRBAC: A temporal role-based access control model

ACM Transactions on Information and System Security (TISSEC)
A Formal Model for Role-Based Access Control with Constraints

CSFW '96 Proceedings of the 9th IEEE workshop on Computer Security Foundations
Separation of Duty in Role-based Environments

CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations
Role-Based Access Control

Role-Based Access Control

Specification and verification of security requirements in a programming model for decentralized CSCW systems

ACM Transactions on Information and System Security (TISSEC)
Validating Access Control Configurations in J2EE Applications

CBSE '08 Proceedings of the 11th International Symposium on Component-Based Software Engineering
Toward practical analysis for trust management policy

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Towards accuracy of role-based access control configurations in component-based systems

Journal of Systems Architecture: the EUROMICRO Journal
Model checking security policy model using both UML static and dynamic diagrams

Proceedings of the 4th international conference on Security of information and networks
Formal verification of security properties in trust management policy

Journal of Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The purpose a security policy is to specify rules to govern access to system resources preferably without considering implementation details. Both policy and its implementation might be altered, and after introducing changes, it is not obvious that they are consistent. Therefore, we need to validate conformance between policy and its implementation. In this paper we describe an approach based on finite-model checking to verify that a RBAC implementation conforms to a security policy. We make use of the model-checking system SPIN, and show how to express RBAC policy constraints by means of LTL and how to model an RBAC implementation in SPIN's internal modeling language PROMELA.