Model-driven adaptive delegation

Model-Driven Security is a specialization of Model-Driven Engineering (MDE) that focuses on making security models productive, i.e., enforceable in the final deployment. Among the models that have been studied from an MDE perspective are access control models, which specify access rights. So far, these models have mainly focused on static definitions of access control policies, without taking into account the more complex, but essential, mechanism of delegation of rights. User delegation is a meta-level mechanism for administering access rights, which allows a user without any specific administrative privileges to delegate his/her access rights to another user. This paper analyses the main hard points of introducing various delegation semantics in model-driven security and proposes a model-driven framework for 1) specifying access control, delegation and the business logic as separate concerns; 2) dynamically enforcing/weaving access control policies with various delegation features into security-critical systems; and 3) providing a flexible dynamic adaptation strategy. We demonstrate the feasibility and effectiveness of our proposed solution through proof-of-concept implementations of different systems.
