A generalized temporal role-based access control model

Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In This work, we propose a generalized temporal role-based access control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.     

An analysis of expressiveness and design issues for the generalized temporal role-based access control model

The generalized temporal role-based access control (GTRBAC) model provides a comprehensive set of temporal constraint expressions which can facilitate the specification of fine-grained time-based access control policies. However, the issue of the expressiveness and usability of this model has not been previously investigated. In this paper, we present an analysis of the expressiveness of the constructs provided by this model and illustrate that its constraints-set is not minimal. We show that there is a subset of GTRBAC constraints that is sufficient to express all the access constraints that can be expressed using the full set. We also illustrate that a nonminimal GTRBAC constraint set can provide better flexibility and lower complexity of constraint representation. Based on our analysis, a set of design guidelines for the development of GTRBAC-based security administration is presented.     

A formal modeling and analysis approach for access control rules,policies, and their combinations

Approaches to access control (AC) policy languages, such as eXtensible access control markup language, do not provide a formal representation for specifying rule- and policy-combining algorithms or for verifying properties of AC policies. Some authors propose formal representations for these combining algorithms. However, the proposed models are not expressive enough to represent formally history-based classes of these algorithms, such as ordered-permit-overrides. In addition, some other authors propose a formal representation but do not present automated support for formal verification of properties of AC policies that use these algorithms. This paper demonstrates a new representation that can express all existing AC rule and policy combinations of which the authors are aware. This representation can also be used to automate the formal verification of properties of AC policies related to these algorithms. A new modeling representation for rule- and policy-combining algorithms based on state machines is used to specify rule- and policy-combining algorithms. Examples of these algorithms are programmed in the language of the SPIN model checker, and the programs are then used to support the automated formal verification of properties of AC policies. We present our approach and then use the AC policies and properties of CONTINUE, a conference management system, to compare it with prior work. Our first contribution is a new modeling representation for combining algorithms based on state machines. The second contribution is the formal verification of AC properties under certain combining algorithms that are beyond the capability of other approaches.     

基于Petri网的RBAC策略验证的研究

本文为RBAC模型提出了一个基于着色Petri网的策略规格说明和分析的架构．Petri网能够捕获基数、责任分离等约束，而且能对优先和依赖约束进行说明、使用Petri网的可达到性分析技术对RBAC策略进行正确性验证．     

Modeling process-related RBAC models with extended UML activity models

Context

Business processes are an important source for the engineering of customized software systems and are constantly gaining attention in the area of software engineering as well as in the area of information and system security. While the need to integrate processes and role-based access control (RBAC) models has been repeatedly identified in research and practice, standard process modeling languages do not provide corresponding language elements.

Objective

In this paper, we are concerned with the definition of an integrated approach for modeling processes and process-related RBAC models - including roles, role hierarchies, statically and dynamically mutual exclusive tasks, as well as binding of duty constraints on tasks.

Method

We specify a formal metamodel for process-related RBAC models. Based on this formal model, we define a domain-specific extension for a standard modeling language.

Results

Our formal metamodel is generic and can be used to extend arbitrary process modeling languages. To demonstrate our approach, we present a corresponding extension for UML2 activity models. The name of our extension is Business Activities. Moreover, we implemented a library and runtime engine that can manage Business Activity runtime models and enforce the different policies and constraints in a software system.

Conclusion

The definition of process-related RBAC models at the modeling-level is an important prerequisite for the thorough implementation and enforcement of corresponding policies and constraints in a software system. We identified the need for modeling support of process-related RBAC models from our experience in real-world role engineering projects and case studies. The Business Activities approach presented in this paper is successfully applied in role engineering projects.     

Model-driven specification and enforcement of RBAC break-glass policies for process-aware information systems

ContextIn many organizational environments critical tasks exist which – in exceptional cases such as an emergency – must be performed by a subject although he/she is usually not authorized to perform these tasks. Break-glass policies have been introduced as a sophisticated exception handling mechanism to resolve such situations. They enable certain subjects to break or override the standard access control policies of an information system in a controlled manner.ObjectiveIn the context of business process modeling a number of approaches exist that allow for the formal specification and modeling of process-related access control concepts. However, corresponding support for break-glass policies is still missing. In this paper, we aim at specifying a break-glass extension for process-related role-based access control (RBAC) models.MethodWe use model-driven development (MDD) techniques to provide an integrated, tool-supported approach for the definition and enforcement of break-glass policies in process-aware information systems. In particular, we provide modeling support on the computation independent model (CIM) layer as well as on the platform independent model (PIM) and platform specific model (PSM) layers.ResultsOur approach is generic in the sense that it can be used to extend process-aware information systems or process modeling languages with support for process-related RBAC and corresponding break-glass policies. Based on the formal CIM layer metamodel, we present a UML extension on the PIM layer that allows for the integrated modeling of processes and process-related break-glass policies via extended UML Activity diagrams. We evaluated our approach in a case study on real-world processes. Moreover, we implemented our approach at the PSM layer as an extension to the BusinessActivity library and runtime engine.ConclusionOur integrated modeling approach for process-related break-glass policies allows for specifying break-glass rules in process-aware information systems.     

Verification of reactive systems using temporal logic with clocks

This paper presents a framework for the specification and verification of timing properties of reactive systems using Temporal Logic with Clocks (TLC). Reactive systems usually contain a number of parallel processes, therefore, it is essential to study and analyse each process based on its own local time. TLC is a temporal logic extended with multiple clocks, and it is in particular suitable for the specification of reactive systems. In our framework, the behavior of a reactive system is described through a formal specification; its timing properties, including safety and liveness properties, are expressed by TLC formulas. We also propose several demonstration techniques, such as an application of local reasoning and deriving fixed-time rules from the proof system of TLC, for proving that a reactive system meets its temporal specification. Under the proposed framework, the timing properties of a reactive system can therefore be directly reasoned about from the formal specification of the system.     

Reconstructing a formal security model

Role-based access control (RBAC) is a flexible approach to access control, which has generated great interest in the security community. The principal motivation behind RBAC is to simplify the complexity of administrative tasks. Several formal models of RBAC have been introduced. However, there are a few works specifying RBAC in a way which system developers or software engineers can easily understand and adopt to develop role-based systems. And there still exists a demand to have a practical representation of well-known access control models for system developers who work on secure system development. In this paper we represent a well-known RBAC model with software engineering tools such as Unified Modeling Language (UML) and Object Constraints Language (OCL) to reduce a gap between security models and system developments. The UML is a general-purpose visual modeling language in which we can specify, visualize, and document the components of a software system. And OCL is part of the UML and has been used for object-oriented analysis and design as a de facto constraints specification language in software engineering arena. Our representation is based on a standard model for RBAC proposed by the National Institute of Standards and Technology. We specify this RBAC model with UML including three views: static view, functional view, and dynamic view. We also describe how OCL can specify RBAC constraints that is one of important aspects to constrain what components in RBAC are allowed to do. In addition, we briefly discuss future directions of this work.     

并发系统的安全性与活性的验证方法

网络环境下的分布式系统是典型的并发系统。安全性和活性是并发系统最为关注和需要保证的两个主要性质。然而在并发系统建模和形式化验证时,面临着描述繁琐、复杂和难以理解的问题,特别是当并发系统的规模（并发进程数目）较大时其性质验证时的效率问题更是严重阻碍了并发系统模型检测与验证技术的应用。将组合可达性分析和标号迁移系统的模块化思想与模型验证技术相结合,提出了一套有效的性质验证方法。论证、分析了三个并发系统安全性和活性验证定理,据此导出了并发系统的安全性与活性验证的有效算法。并通过一个简单实例,对算法有效性进行了初步验证。     

基于角色访问控制模型约束的OCL描述

基于角色的访问控制模型(RBAC)凭借其灵活的授权机制、强大的管理功能和完善的安全策略越来越引起人们的研究兴趣,随着研究的不断深入,面向对象的研究方法也逐渐应用到这个模型中,促进了它的迅速发展。UML作为一种强大的建模语言,不只是局限于支持面向对象的分析与设计,还支持从需求分析开始的软件开发的全过程,通过UML的描述可以使理论模型更加直观地应用到实际系统开发。该文使用UML的对象约束语言(OCL)来描述RBAC中的相关约束,使约束描述更加标准化,更有利于系统开发人员对模型的理解和促进RBAC模型的系统开发。     

Role updating in information systems using model checking

The role-based access control (RBAC) has significantly simplified the management of users and permissions in information systems. In dynamic environments, systems are constantly undergoing changes, and accordingly, the associated configurations need to be updated in order to reflect the systems’ security evolutions. However, such updating process is generally complicated as the resulting system state is expected to meet necessary constraints. This paper presents an approach for assisting administrators to make a desirable update, in light of changes in RBAC systems. We propose a formalization of the update approach, investigate its properties, and develop an updating algorithm based on model checking techniques. Our experimental results demonstrate the effectiveness of the proposed approach.     

基于限界约束的安全相关性质的推理证明

安全相关的性质如访问控制等在复杂环境下有十分重要的作用。从程序验证方面来说,不仅考虑安全性和活性的验证,还要考虑一些安全策略的性质,如非干涉性,这些不能用一般的性质来描述的安全策略可以被看作"超安全性质"。限界约束可通用地表示不同程度的访问频次限制,是安全相关性质验证中有效的辅助方法之一,在无线传感器网络协议、嵌入式系统等重要领域的性质验证方面具有广泛的应用价值。主要研究网络安全策略中的安全相关性质的限界表达及基于该限界约束的验证规则。     

Automatic symbolic verification of embedded systems

Presents a model-checking procedure and its implementation for the automatic verification of embedded systems. The system components are described as hybrid automata-communicating machines with finite control and real-valued variables that represent continuous environment parameters such as time, pressure and temperature. The system requirements are specified in a temporal logic with stop-watches, and verified by symbolic fixpoint computation. The verification procedure-implemented in the Cornell Hybrid Technology tool, HyTech-applies to hybrid automata whose continuous dynamics is governed by linear constraints on the variables and their derivatives. We illustrate the method and the tool by checking safety, liveness, time-bounded and duration requirements of digital controllers, schedulers and distributed algorithms     

模糊安全性和活性

形式规约使用形式语言构建所开发的软硬件系统的规约,刻画系统的模型和性质。其中,性质规约中的分支时间规约对于系统验证有着非常重要的作用。在经典情形下,系统性质规约是基于二值逻辑的,不能描述不一致或不确定的信息。因此,将其推广到模糊逻辑背景下,有助于对模糊系统进行形式验证。文中首先给出了性质规约中分支时间属性在模糊背景下的形式化定义,重点研究了其中的安全性和活性;然后,定义了两种闭包操作,从而产生了4种类型的属性,即泛安全性、泛活性、存在安全性和存在活性;最后,证明了每个分支时间属性,或是存在安全性和存在活性的交,或是泛安全性和泛活性的交,或是存在安全性和泛活性的交。     

Modellierungsunterstützung für die rollenbasierte Delegation in prozessgestützten Informationssystemen

In the paper, an integrated approach for the modeling and enforcement of delegation policies in process-aware information systems is presented. In particular, a delegation extension for process-related role-based access control (RBAC) models is specified. The extension is generic in the sense that it can be used to extend process-aware information systems or process modeling languages with support for process-related RBAC delegation models. Moreover, the detection of delegation-related conflicts is discussed and a set of pre-defined resolution strategies for each potential conflict is provided. Thereby, the design-time and runtime consistency of corresponding RBAC delegation models can be ensured. Based on a formal metamodel, UML2 modeling support for the delegation of roles, tasks, and duties is provided. A corresponding case study evaluates the practical applicability of the approach with real-world business processes. Moreover, the approach is implemented as an extension to the BusinessActivity library and runtime engine.     

Safety,liveness and real-time in embedded system design

Modelling of complex systems should be based on mathematical notions rather than being bound tightly to any programming language. Therefore, it is useful to be able to distinguish the different constituents of a distributed and concurrent system. In this paper, we focus on the formal properties known as safety—characterisations of the kind ‘nothing bad ever happens’—and liveness—characterisations of the kind ‘something good eventually happens’. Since embedded system specifications consist of timing as well as functional constraints, we also discuss real-time properties and their relation to safety and liveness. We represent specifications graphically using the Temporal Logic of Actions, a logic that models system behaviour by sequences of states. The main part of this paper is a case study where we model an access cycle in the Industry Standard Architecture (ISA) bus, based on an abstract channel specification.     

CRBAC: Imposing multi-grained constraints on the RBAC model in the multi-application environment

Interactions between resources as well as services are one of the fundamental characteristics in the distributed multi-application environments. In such environments, attribute-based access control (ABAC) mechanisms are gaining in popularity while the role-based access control (RBAC) mechanism is widely accepted as a general mechanism for authorization management. This paper proposes a new access control model, CRBAC, which aims to combine the advantages of RBAC and ABAC, and integrates all kinds of constraints into the RBAC model. Unlike other work in this area, which only incorporates one or a few particular attribute constraints into RBAC, this paper analyses and abstracts the generic properties of the attribute constraints imposed on authorization systems. Based on these analyses and generalization, two constraints templates are presented, called authorization mapping constraint template and behaviour constraint template. The former template is able to automate the user-role and role-permission mapping, while the latter is used to restrict the behaviours of the authorization entities. The attribute constraints are classified into these two templates. Moreover, the state mechanism is introduced to build up the constraints among the statuses of the entities, and reflect the outcomes of the authorization control as well. Based on the presented templates and the state mechanism, the execution model is developed. A use case is proposed to show the authorization process of our proposed model. The extensive analyses are conducted to show its multi-grained constraints by comparing with other models.     

Semantic specification and verification of data flow diagrams

Data Flow Diagram (DFD) has been widely used in Software Engineering as means of requirement analysis and system specification.However,one defect of DFD approach remains untackled:the lack of formal semantics has brought about a lot of problems.In this paper,we model Data Flow Diagram as networks of concurrent processes.With the use of temporal logic language XYZ/E,the formal basis of the semantic specification of DFD can be ensured,and the system properties such as safety and liveness can be easily characterized.The main part of this paper is devoted to the study of the hierarchical decomposition of semantic specification and its correctness.A verification methodology is proposed and several examples are analyzed.The implementation of the tools which can support the formal specification,verification and simulation of DFD are also briefly described.     

The formalization and analysis of a communications protocol

The MSMIE protocol [SBC89] allows processors in a distributed system to communicate via shared memory. It was designed to meet the reliability and efficiency needs of applications such as nuclear safety systems. We present a formal model of the MSMIE protocol expressed in the notation CCS. Desirable properties of the protocol are expressed in the modal mu-calculus, an expressive modal logic. We show that the protocol lacks an important liveness property. In actual operation, additional operating constraints are checked to avoid potential problems. We present a modified protocol and show that it possesses the liveness property even without checking operating constraints. We also show how parts of the analysis were automated with the Concurrency Workbench.     

Visual modeling and formal specification of constraints of RBAC using semantic web technology

The role-based access control (RBAC) model has garnered great interest in the security community due to the flexible and secure nature of its applicability to the complex and sophisticated information system. One import aspect of RBAC is the enforcing of security policy, called constraint, which controls the behavior of components in RBAC. Much research has been conducted to specify constraints. However, more work is needed on the aspect of sharing information resources for providing better interoperability in the widely dispersed ubiquitous information system environment. This paper provides visual modeling of RBAC policy and specifies constraints of RBAC by employing a semantic web ontology language (OWL) to enhance understanding of constraints for machines and people in a ubiquitous computing environment. Using OWL, constraints were precisely formalized according to the constraint patterns and the effectiveness of OWL specification was demonstrated by showing the reasoning process.