An Approach Based on Model-Driven Engineering to Define Security Policies Using OrBAC

In the field of access control, many security breaches occur because there is no early means of evaluating whether access control policies adequately cover the privileges requested by subjects that try to perform actions on objects. This paper proposes an approach based on UMLsec to tackle this problem. We propose to extend UMLsec by adding OrBAC elements, in particular the notions of context, inheritance and separation. We also propose a methodology, based on the use of MotOrBAC, for modeling a security policy and assessing the modeled policy. This assessment is intended to guarantee that security policies are well-formed, to analyse potential conflicts, and to simulate a real situation.
