Modeling and Validating Role-Based Authorization Policies for a Port Communication System with UML and OCL

Modern sea or inland ports rely on digital communication and systems to boost rapid turnover of trade. Stakeholders like shippers, shipping lines, container terminals and port authorities collaborate and compete using their own legacy applications. Many sea ports operate Port Community Systems (PCS) to orchestrate processes between the players. These software systems are potential targets of security threats that may lead to payment fraud, espionage of competitors, smuggling, theft, export control violations, and even disasters involving dangerous goods possibly affecting public mains. In our approach we apply modeling to the field of information security. We focus on combining Role-Based Access Control (RBAC) with constraints and Attribute-Based Access Control (ABAC) for finer-grained authorization constraints. In a concrete case study we model authorization policies within port communities that partly utilize dedicated PCS. The purpose is to increase the integrity of exchanged data and thus reduce the risks of attacks or failures. We employ the UML-based Specification Environment (USE) and its OCL support to validate specified security properties for a typical container shipping scenario.
