A Correct-by-Construction Model for Attribute-Based Access Control

In this paper, a formal specification approach for Attribute-Based Access Control (ABAC) is proposed using the Event-B method. We apply a priori formal verification to build a correct model in a stepwise manner, so that the correctness of the specification model is ensured during the construction steps rather than checked afterwards. The model is composed of abstraction levels that are generated through refinement operations. A set of ABAC properties is defined at each level of refinement, starting from the most abstract level and proceeding to the most concrete one. Proof obligations discharged at each level show that these properties are preserved by the behavioural specification.
