Towards model-driven development of access control policies for web applications

We introduce a UML-based notation for graphically modeling the security aspects of systems in a simple and intuitive way, together with a model-driven process that transforms graphical specifications of access control policies into XACML. These XACML policies are then translated into FACPL, a policy language with a formal semantics, and the resulting policies are evaluated by means of a Java-based software tool.
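The pipeline described above starts from a model of roles, resources and actions and ends with an XACML policy that a tool evaluates. The following Python example is added here to illustrate those two ends of the pipeline; it is not the paper's notation, generator, FACPL or its Java tool. The role/permission model (`MODEL`), the policy id and the request helper are constructed for the example; the XACML 3.0 element names, combining-algorithm and function identifiers are the standard ones. The evaluator collapses XACML 3.0's Indeterminate{D}/{P}/{DP} variants into a single Indeterminate, which is conservative for deny-overrides but a simplification.

```python
"""Added example: generate an XACML 3.0 policy from a small role/permission model
of a web application and evaluate requests against it (deny-overrides)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string"

# (attribute category, attribute id) used for each element of the model
CATEGORY = {
    "role": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
             "urn:oasis:names:tc:xacml:2.0:subject:role"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

# Constructed model for a hypothetical web application: (rule id, role, resource, action, effect)
MODEL = [
    ("r1", "admin", "/admin/users", "read", "Permit"),
    ("r2", "admin", "/admin/users", "write", "Permit"),
    ("r3", "editor", "/articles", "write", "Permit"),
    ("r4", "guest", "/admin/users", "read", "Deny"),
]


def q(tag):
    """Namespace-qualified tag name for ElementTree."""
    return f"{{{XACML_NS}}}{tag}"


def model_to_xacml(model, policy_id="web-app-policy"):
    """Emit one XACML <Policy> with a <Rule> per model entry; each rule's Target
    requires role, resource-id and action-id to string-equal the model values."""
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_OVERRIDES)
    ET.SubElement(policy, q("Target"))  # empty policy target: applies to every request
    for rule_id, role, resource, action, effect in model:
        rule = ET.SubElement(policy, q("Rule"), RuleId=rule_id, Effect=effect)
        allof = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf")), q("AllOf"))
        for key, value in (("role", role), ("resource", resource), ("action", action)):
            category, attr_id = CATEGORY[key]
            match = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
            ET.SubElement(match, q("AttributeValue"), DataType=STRING_TYPE).text = value
            ET.SubElement(match, q("AttributeDesignator"), Category=category,
                          AttributeId=attr_id, DataType=STRING_TYPE, MustBePresent="true")
    return ET.tostring(policy, encoding="unicode")


def make_request(role=None, resource=None, action=None):
    """Request context as {(category, attribute id): value}; None leaves the attribute absent."""
    return {CATEGORY[k]: v for k, v in (("role", role), ("resource", resource), ("action", action))
            if v is not None}


def _match(match, request):
    expected = match.find(q("AttributeValue")).text
    des = match.find(q("AttributeDesignator"))
    key = (des.get("Category"), des.get("AttributeId"))
    if key not in request:
        return "Indeterminate"  # MustBePresent="true" and the attribute is absent
    return "Match" if request[key] == expected else "NoMatch"


def _rule_decision(rule, request):
    """AllOf: Match if all match, NoMatch if any NoMatch, else Indeterminate.
    AnyOf: Match if any AllOf matches, NoMatch if all NoMatch, else Indeterminate."""
    saw_indeterminate = False
    for allof in rule.iter(q("AllOf")):
        outcomes = [_match(m, request) for m in allof.findall(q("Match"))]
        if all(o == "Match" for o in outcomes):
            return rule.get("Effect")
        if "NoMatch" not in outcomes:
            saw_indeterminate = True
    return "Indeterminate" if saw_indeterminate else "NotApplicable"


def evaluate(policy_xml, request):
    """Deny-overrides, with the Indeterminate sub-kinds collapsed (simplification)."""
    policy = ET.fromstring(policy_xml)
    decisions = [_rule_decision(r, request) for r in policy.findall(q("Rule"))]
    for verdict in ("Deny", "Indeterminate", "Permit"):
        if verdict in decisions:
            return verdict
    return "NotApplicable"


if __name__ == "__main__":
    xml = model_to_xacml(MODEL)
    print(xml)
    print(evaluate(xml, make_request("admin", "/admin/users", "read")))   # Permit
    print(evaluate(xml, make_request("guest", "/admin/users", "read")))   # Deny
    print(evaluate(xml, make_request(None, "/admin/users", "read")))      # Indeterminate
```

The generated document is plain XACML 3.0 and can be handed to any conforming PDP; the request without a role attribute shows why MustBePresent matters: a missing subject attribute yields Indeterminate rather than silently failing to match, so a policy-generation step that forgets to emit a role constraint is visible at evaluation time instead of producing a quiet Permit.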
