A Framework for Composable Security Definition, Assurance, and Enforcement

The objective of this research is to develop techniques that integrate alternative security concerns (e.g., mandatory access control, delegation, authentication) into the software process. We propose a model-driven framework for composable security definition, assurance, and enforcement that preserves the separation of security concerns from modeling through implementation, provides mechanisms to compose these concerns into the application, and maintains consistency between design models and code. At modeling time, separation of concerns (e.g., RBAC, MAC, delegation, authorization) is emphasized by defining concern-specific modeling languages. At the implementation level, aspect-oriented programming (AOP) transitions each security concern into modularized code that enforces it. This research assumes an underlying object-oriented language with aspect-oriented extensions, and infrastructure to implement the applications and to secure access to the public methods of classes, e.g., Java with AspectJ or C++ with AspectC++.
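The following is an added illustration of the enforcement idea described above, written for this page and not taken from the paper or its framework: an AspectJ aspect that keeps an RBAC check out of the application's business methods and instead weaves it in at every public method execution. The package `example.app`, the `@RequiresRole` annotation, the `SecurityContext` holder and the `OrderService` class are all assumed names invented for the example; the file is meant to be compiled as a single `.aj` source with `ajc`.

```java
// Added example (not the paper's code): RBAC enforcement as a separate AOP concern.
// All names (example.app, RequiresRole, SecurityContext, OrderService) are assumed.
package example.app;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

/** Declares the role a public method requires; this is the only security mark in app code. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

/** Per-thread record of the roles the calling principal has activated (constructed stand-in for a session). */
class SecurityContext {
    private static final ThreadLocal<Set<String>> ACTIVE_ROLES = ThreadLocal.withInitial(Set::of);

    static void activate(Set<String> roles) { ACTIVE_ROLES.set(Set.copyOf(roles)); }
    static boolean hasRole(String role) { return ACTIVE_ROLES.get().contains(role); }
}

class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/** Application class: contains no access-control logic of its own. */
class OrderService {
    @RequiresRole("clerk")
    public String placeOrder(String item) { return "placed " + item; }

    @RequiresRole("manager")
    public String cancelOrder(String item) { return "cancelled " + item; }
}

/** The enforcement aspect: woven by ajc, never called directly by the application. */
aspect RbacEnforcement {
    // Execution of any public method in the application package that carries @RequiresRole.
    pointcut guarded(RequiresRole req):
        execution(public * example.app.*.*(..)) && @annotation(req);

    // Deny by default: the method body runs only if the required role is active.
    before(RequiresRole req): guarded(req) {
        if (!SecurityContext.hasRole(req.value())) {
            throw new AccessDeniedException(
                "role '" + req.value() + "' required for " + thisJoinPoint.getSignature());
        }
    }

    // Assurance at compile time: a public application method with no role declaration
    // is reported by the weaver, so an unguarded entry point cannot slip in silently.
    declare warning:
        execution(public * example.app.*.*(..))
        && !@annotation(RequiresRole)
        && !within(RbacEnforcement)
        && !within(Main)
        : "public method without @RequiresRole";
}

/** Constructed driver showing one permitted and one denied call. */
class Main {
    public static void main(String[] args) {
        OrderService orders = new OrderService();
        SecurityContext.activate(Set.of("clerk"));
        System.out.println(orders.placeOrder("widget"));   // allowed: clerk is active
        try {
            orders.cancelOrder("widget");                 // denied: manager is not active
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The business class stays free of any security code, and the policy (which role guards which method) is visible in one place. Because `@annotation` binds the annotation instance, the same aspect serves every guarded method without per-method advice, and the `declare warning` turns a missing guard into a build-time finding rather than a runtime surprise.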
