Modelling and Verification of Dynamic Role-Based Access Control

Controlling access to resources is essential for ensuring that a system functions correctly. Role-Based Access Control (RBAC) is a popular authorisation model that regulates a user’s rights to manage system resources based on the user’s role. In this paper, we extend the traditional static approach to defining RBAC by proposing and formalising a dynamic RBAC model. It allows a designer to define explicitly how the permissions to access and modify system resources depend on the system state. To facilitate a systematic description and verification of the dynamic access rights, we propose a contract-based approach and then demonstrate how to model and verify dynamic RBAC in Event-B. The approach is illustrated by a case study: a reporting management system.
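The following Python sketch is an added illustration, not the paper's model or code. It separates the static role-to-permission table from a state-to-permission table that makes the rights dynamic, and wraps every operation in an Event-B-style contract (a guard as precondition, a machine invariant re-checked as postcondition); the roles, operations and report states are assumed names for a reporting management system.

```python
from dataclasses import dataclass, field

# Constructed example of a reporting management system; the role, operation
# and state names are assumptions for illustration, not taken from the paper.
ROLE_PERMS = {  # static RBAC: operations a role may ever perform
    "author": {"edit", "submit"},
    "reviewer": {"approve", "reject"},
    "manager": {"archive"},
}
STATE_PERMS = {  # dynamic RBAC: operations the current report state enables
    "draft": {"edit", "submit"},
    "submitted": {"approve", "reject"},
    "approved": {"archive"},
    "archived": set(),
}
TRANSITION = {"edit": None, "submit": "submitted", "approve": "approved",
              "reject": "draft", "archive": "archived"}  # None = unchanged

@dataclass
class Report:
    state: str = "draft"
    history: list = field(default_factory=list)  # trace of (state, op) pairs

def permitted(role, op, report):
    """Guard (precondition): role holds the permission AND the state enables it."""
    return op in ROLE_PERMS.get(role, set()) and op in STATE_PERMS[report.state]

def invariant(report):
    """Machine invariant, checked after every event as in Event-B."""
    # INV1: every edit happened while the report was still a draft
    inv1 = all(s == "draft" for s, op in report.history if op == "edit")
    # INV2: an approved or archived report was submitted at some point
    inv2 = report.state not in {"approved", "archived"} or any(op == "submit" for _, op in report.history)
    return inv1 and inv2

def perform(role, op, report):
    """Event: refuse if the guard fails, else update state and re-check the invariant."""
    if not permitted(role, op, report):
        raise PermissionError(f"{role} may not {op} a {report.state} report")
    report.history.append((report.state, op))
    if TRANSITION[op] is not None:
        report.state = TRANSITION[op]
    if not invariant(report):
        raise AssertionError(f"invariant violated after {op}")
    return report.state

def verify_policy():
    """Static check: ops enabled by a state but held by no role, and vice versa."""
    role_ops = set().union(*ROLE_PERMS.values())
    state_ops = set().union(*STATE_PERMS.values())
    return state_ops - role_ops, role_ops - state_ops
```

Note that `permitted("author", "edit", r)` flips from true to false once the report is submitted although the author's static permission set never changes; that state dependency is what the dynamic model makes explicit.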
