From Access Control Policies to an Aspect-Based Infrastructure: A Metamodel-Based Approach

Security is among the most successful applications of aspect-oriented concepts. In particular, in role-based access control, aspects capture access conditions in a quite modular way. The question we address in this paper is how aspects can be generated from access control policies under a validated process. We present a metamodel-based transformation from SecureUML, a role-based access control language, to an abstract aspect language. Within this model-driven engineering context, a security policy is represented as an instance of SecureUML's metamodel and the generated aspect is represented as an instance of the abstract aspect language metamodel. Invariants specified on the merged metamodel of SecureUML and the abstract aspect language are checked to validate the generated aspect with respect to the given security policy. We have prototyped our approach as a Java application on top of ITP/OCL, a rewriting-based OCL evaluator. It outputs validated AspectJ code from a SecureUML policy.
