A Verifiable Formal Specification for RBAC Model with Constraints of Separation of Duty

Formal methods provide a way to achieve an exact and consistent definition of security for a given scenario. This paper presents a formal, state-based, verifiable RBAC model described in the Z language, in which the state-transition functions are specified formally. Based on the separation of duty policy, the constraint rules and security theorems are constructed. Using a case study, we show how to specify a formal RBAC system and verify its consistency by theorem proving. Specifying the RBAC model formally gives a precise description of the system's security requirements, and the internal consistency of the model can be validated by verifying it.
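The shape of such a model, as an added executable sketch rather than the paper's Z specification: a state (UA, SSD) over a constructed finite USERS/ROLES universe, transition functions with Z-style preconditions, a static separation-of-duty invariant standing in for the security theorem, and a bounded exploration of every reachable state that checks the invariant is preserved by every transition.

```python
from itertools import combinations
# Constructed illustration, not the paper's Z text: state = (UA, SSD) over fixed
# finite USERS/ROLES; transitions return the new state or None if a precondition fails.
USERS = {"alice", "bob"}
ROLES = {"clerk", "auditor", "manager"}

def roles_of(ua, u):
    return {r for (x, r) in ua if x == u}

def invariant(state):
    """Static separation of duty: no user holds both roles of any SSD pair."""
    ua, ssd = state
    return all(not pair <= roles_of(ua, u) for u in USERS for pair in ssd)

def assign_role(state, u, r):
    """UA' = UA u {(u, r)}; precondition: u, r known and no SSD pair completed."""
    ua, ssd = state
    held = roles_of(ua, u) | {r}
    if u not in USERS or r not in ROLES or any(p <= held for p in ssd):
        return None
    return (ua | {(u, r)}, ssd)

def revoke_role(state, u, r):
    """UA' = UA \\ {(u, r)}; removing an assignment can never violate SSD."""
    ua, ssd = state
    return (ua - {(u, r)}, ssd) if (u, r) in ua else None

def add_ssd(state, r1, r2):
    """SSD' = SSD u {{r1, r2}}; precondition: no user currently holds both."""
    ua, ssd = state
    pair = frozenset({r1, r2})
    if len(pair) != 2 or not pair <= ROLES or any(pair <= roles_of(ua, u) for u in USERS):
        return None
    return (ua, ssd | {pair})

def check_all_reachable(initial=(frozenset(), frozenset())):
    """Bounded verification: every state reachable from `initial` satisfies the invariant."""
    seen, frontier = {initial}, [initial]
    while frontier:
        state = frontier.pop()
        if not invariant(state):
            return False, len(seen)
        moves = [assign_role(state, u, r) for u in USERS for r in ROLES]
        moves += [revoke_role(state, u, r) for u in USERS for r in ROLES]
        moves += [add_ssd(state, a, b) for a, b in combinations(sorted(ROLES), 2)]
        for nxt in set(filter(None, moves)) - seen:
            seen.add(nxt)
            frontier.append(nxt)
    return True, len(seen)
```

Because every transition carries its precondition, the exploration finds exactly the (UA, SSD) pairs that satisfy the invariant and never a violating one; dropping the check in assign_role is the quickest way to watch the "theorem" fail.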
