A correct-by-construction model for attribute-based access control

In this paper, a formal specification approach for attribute-based access control (ABAC) is proposed using the Event-B method. We apply a priori formal verification to build a correct model in a stepwise manner, so that the correctness of the specification model is ensured during the construction steps. The model is composed of abstraction levels that are generated through refinement operations. A set of ABAC properties is defined at each level of refinement, starting from the most abstract level and proceeding to the most concrete one, and these properties are shown by proof to be preserved by the behavior specification. The approach is illustrated on healthcare web services.
