Hybrid Enforcement of Category-Based Access Control

Access control policies are often partly static, i.e. no dependence on any run-time information, and partly dynamic. However, they are usually enforced dynamically - even the static parts. We propose a new hybrid approach to policy enforcement using the Category-Based Access Control (CBAC) meta-model. We build on previous work, which established a static system for the enforcement of (static) hierarchical Role-Based Access Control (RBAC) policies. We modify the previous policy language, JPol, to specify static and dynamic categories. We establish an equivalence between static categories and static roles (in RBAC), therefore we are able to use the previous design patterns and static verification algorithm, with some changes, to enforce static categories. For dynamic categories, we propose a new design methodology and generate code in the target program to do the necessary run-time checks.

[1]  Gul A. Agha,et al.  Concurrent object-oriented programming , 1993, CACM.

[2]  Úlfar Erlingsson,et al.  Engineering Secure Software and Systems , 2011, Lecture Notes in Computer Science.

[3]  Clara Bertolissi,et al.  A rewriting framework for the composition of access control policies , 2008, PPDP.

[4]  Eduardo B. Fernandez,et al.  Even more patterns for secure operating systems , 2006, PLoP '06.

[5]  Anderson Santana de Oliveira,et al.  Réécriture et Modularité pour les Politiques de Sécurité. (Term Rewriting and Modularity for Security Policies) , 2008 .

[6]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[7]  B. J. Ferro Castro,et al.  Pattern-Oriented Software Architecture: A System of Patterns , 2009 .

[8]  Steve Barker The next 700 access control models or a unifying meta-model? , 2009, SACMAT '09.

[9]  Guy L. Steele,et al.  Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)) , 2005 .

[10]  Martin Gogolla,et al.  Analyzing and Managing Role-Based Access Control Policies , 2008, IEEE Transactions on Knowledge and Data Engineering.

[11]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[12]  Claude Kirchner,et al.  Weaving rewrite-based access control policies , 2007, FMSE '07.

[13]  Clara Bertolissi,et al.  Category-Based Authorisation Models: Operational Semantics and Expressive Power , 2010, ESSoS.

[14]  Maribel Fernández,et al.  Static Enforcement of Role-Based Access Control , 2014, WWV.

[15]  Stephen Travis Pope,et al.  A cookbook for using the model-view controller user interface paradigm in Smalltalk-80 , 1988 .

[16]  Pierangela Samarati,et al.  Logics for Authorizations and Security , 2004 .

[17]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[18]  Eric Bodden,et al.  Partially Evaluating Finite-State Runtime Monitors Ahead of Time , 2012, TOPL.