Compilers: principles, techniques, and tools
Compilers: principles, techniques, and tools
Role-Based Access Control Models
Computer
Fast static analysis of C++ virtual function calls
Proceedings of the 11th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Alcoa: the alloy constraint analyzer
Proceedings of the 22nd international conference on Software engineering
XML document security based on provisional authorization
Proceedings of the 7th ACM conference on Computer and communications security
Analysis and testing of Web applications
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Alloy: a lightweight object modelling notation
ACM Transactions on Software Engineering and Methodology (TOSEM)
A fine-grained access control system for XML documents
ACM Transactions on Information and System Security (TISSEC)
A framework for call graph construction algorithms
ACM Transactions on Programming Languages and Systems (TOPLAS)
A lightweight approach to specification and analysis of role-based access control extensions
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Advanced Java 2 Platform How to Program
Advanced Java 2 Platform How to Program
Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis
ECOOP '95 Proceedings of the 9th European Conference on Object-Oriented Programming
Programming .NET Security
XML access control using static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Saving the world from bad beans: deployment-time confinement checking
OOPSLA '03 Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented programing, systems, languages, and applications
Role-Based access control consistency validation
Proceedings of the 2006 international symposium on Software testing and analysis
Interprocedural analysis for privileged code placement and tainted variable detection
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
Rubacon: automated support for model-based compliance engineering
Proceedings of the 30th international conference on Software engineering
Validating Access Control Configurations in J2EE Applications
CBSE '08 Proceedings of the 11th International Symposium on Component-Based Software Engineering
Fine-Grained Access Control with Object-Sensitive Roles
Genoa Proceedings of the 23rd European Conference on ECOOP 2009 --- Object-Oriented Programming
Towards accuracy of role-based access control configurations in component-based systems
Journal of Systems Architecture: the EUROMICRO Journal
Security model oriented attestation on dynamically reconfigurable component-based systems
Journal of Network and Computer Applications
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
| Hi-index | 0.00 |
Modern multiuser software systems have adopted Role- Based Access Control (RBAC) for authorization management. This paper presents a formal model for RBAC policy validation and a static-analysis model for RBAC systems that can be used to (i) identify the roles required by users to execute an enterprise application, (ii) detect potential inconsistencies caused by principal-delegation policies, which are used to override a user's role assignment, (iii) report if the roles assigned to a user by a given policy are redundant or insufficient, and (iv) report vulnerabilities that can result from unchecked intra-component accesses. The algorithms described in this paper have been implemented as part of IBM's Enterprise Security Policy Evaluator (ESPE) tool. Experimental results show that the tool found numerous policy flaws, including ten previously unknown flaws from two production-level applications, with no false-positive reports.