Modeling Dynamic Role-based Access Constraints using UML Khaled Alghathbar George Mason University, USA and King Saud University, Riyadh, Saudi Arabia.

Presentation transcript:

Modeling Dynamic Role-based Access Constraints using UML
Khaled Alghathbar, George Mason University, USA and King Saud University, Riyadh, Saudi Arabia
Duminda Wijesekera, Center for Secure Information Systems, George Mason University, USA

© Khaled Alghathbar 2
How to achieve good security?
Security requirements of a software product need to receive attention throughout its development life cycle.

Why?
Because the security requirements specified at early stages of the life cycle affect later stages and are likely to feature in the eventual product.
Defects, if undetected, can propagate downstream*.
Reduce cost + prevent faults
* P. T. Devanbu and S. Stubblebine. Software engineering for security: A roadmap. In A. Finkelstein, editor, The Future of Software Engineering. ACM Press, 2000.

However!
“Non functional requirements are generally more difficult to express in a measurable way, making them more difficult to analyze. In particular, NFRs tend to be properties of a system as a whole.”*
Lack of tools that model security.
Software engineers lack security expertise.
* B. Nuseibeh and S. Easterbrook. Requirements engineering: A roadmap. In A. Finkelstein, editor, The Future of Software Engineering. ACM Press, 2000.

Objective
There is a need for unified representations of security features.

How to represent security
UML extension
Advantages:
– Unified design of systems and security policies.
– Modularity and reuse in policy representation.
– Leverage of existing standards-based tools for design and analysis.

[Diagram labels: Security Policies; Software Development Life cycle; Modeling Security Policies Using UML; UML; Our Goal]

[Diagram labels: Security Policies; Software Development Life cycle; Access control policies; Design Phase; Our Focus]

Access control policies
Discretionary Access Control (DAC).
Mandatory Access Control (MAC).
Role-based Access Control (RBAC).
Static policies:
– Manager  Sign check.
Dynamic policies:
– Supervisor shall not write and sign the same check.

Our Proposal
Modeling Dynamic Role-based Access Constraints using UML.

Related Work (1)
1. Lodderstedt et al.* propose a methodology to model access control policies and integrate them into a model-driven software development process. It is the most closely related work, but our metamodel allows the specification of more authorization policies.
2. Brose et al.** extend UML to support the automatic generation of access control policies in order to configure a CORBA-based infrastructure. However, it does not model dynamic access control policies.
* T. Lodderstedt, D. Basin, J. Doser. “SecureUML: A UML-Based Modeling Language for Model-Driven Security”. In the proceedings of the 5th International Conference on the Unified Modeling Language, Dresden, Germany.
** G. Brose, M. Koch, K.-P. Löhr. “Integrating Access Control Design into the Software Development Process”. In the Proc. of the sixth biennial world conference on the Integrated Design and Process Technology (IDPT), Pasadena, CA. June 2002.

Related Work (2)
3. Fernandez-Medina et al.* propose an extension to the Use Case and Class models of UML. They also introduce a language, the Object Security Constraint Language (OSCL).
4. Jurjens** extends UML to integrate standard concepts from formal methods regarding multi-level secure systems and security protocols.
However, 3 and 4 focus on database and multilevel security.
* E. Fernandez-Medina, M.G. Piattini, M.A. Serrano. “Specification of Security Constraints in UML”. In the 35th International Carnahan Conference on Security Technology (ICCST), London, UK, October
* E. Fernandez-Medina, A. Martinez, C. Medina, and M. Piattini. “Integrating Multilevel Security in the Database Design Process”. In the Proc. of the sixth biennial world conference on the Integrated Design and Process Technology (IDPT), Pasadena, CA. June
** J. Jurjens. “Towards development of secure systems using UMLsec”. In the Proceedings of Fundamental Approaches to Software Engineering, 4th International Conference, LNCS, pages Springer, 2001.

Advantages over other works:
Enforcing dynamic access control and flow control policies.
Constraints are written in the Object Constraint Language (OCL).

Example

Examples of access and flow control policies
Required Sequence of operations.
Role Restriction.
Dynamic Separation of Duty.
Avoiding Conflicts.

The proposed extension
Security Policy Constraints (SPC).
History Log.
Business Task.
Conflict Sets.

Security Policy Constraints (SPC)
The Core of UML

Security Policy Constraints (SPC)
Example of SPC constraint

History Log
History Log: It keeps a record of all authorization requests.

Business Task
A reference of related operations.
An essential element to enforce Separation of Duty and workflow policies.
Example: BT={Record, verify, authorize}

Conflict Sets
A reference of conflicting:
Users.
Roles.
Operations.
It is essential to avoid conflict.
An example of conflicting roles: {Purchasing Manager, Account Payable Manager}
An example of conflicting operations: {writing checks, signing checks}

The interactions between elements

An Example of a Constraint in the SPC
Required sequence of operations (Workflow policies)

OCL Representation of the Required Sequence of Operations constraints
-- Authorize_Payment is permitted only if the operation prior to it in the "Purchasing" business task is already in the history log for the same object.
context Invoice::Authorize_Payment(): Void
pre: History_Log->select(Action = (Business_Task->select(Task = "Purchasing").Operation->Prior(Operation = CurrentOperation)) and Object = CurrentObject)->notEmpty()
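The History Log, Business Task and Conflict Sets elements described on the slides can be exercised as a runtime check. The following Python code is an added example, not part of the original slides or the authors' metamodel; the names PolicyMonitor, LogEntry and request, the operation names Write_Check and Sign_Check, and the sample data are assumptions. It enforces the required-sequence constraint and dynamic separation of duty; static role-to-permission assignment is not modeled.

```python
from dataclasses import dataclass

# Constructed sample policy data, modeled on the slides' examples.
BUSINESS_TASKS = {"Purchasing": ["Record", "Verify", "Authorize"]}  # ordered
CONFLICTING_OPERATIONS = [{"Write_Check", "Sign_Check"}]

@dataclass(frozen=True)
class LogEntry:
    user: str
    role: str
    operation: str
    obj: str
    granted: bool

class PolicyMonitor:
    def __init__(self):
        self.history_log = []  # every authorization request, granted or denied

    def _granted(self, operation, obj):
        """Granted log entries for this operation on this object."""
        return [e for e in self.history_log
                if e.granted and e.operation == operation and e.obj == obj]

    def _check(self, user, operation, obj):
        # Required sequence: the prior operation of the business task must
        # already be in the log for the same object.
        for ops in BUSINESS_TASKS.values():
            if operation in ops and ops.index(operation) > 0:
                prior = ops[ops.index(operation) - 1]
                if not self._granted(prior, obj):
                    return False, f"sequence: {prior} must precede {operation}"
        # Dynamic separation of duty: one user may not perform two
        # conflicting operations on the same object.
        for conflict in CONFLICTING_OPERATIONS:
            if operation in conflict:
                for other in conflict - {operation}:
                    if any(e.user == user for e in self._granted(other, obj)):
                        return False, f"DSoD: {user} already did {other}"
        return True, "granted"

    def request(self, user, role, operation, obj):
        granted, reason = self._check(user, operation, obj)
        self.history_log.append(LogEntry(user, role, operation, obj, granted))
        return granted, reason
```

Denied requests are appended to the log as well, matching the slide's statement that the History Log records all authorization requests; only granted entries count as evidence that an operation took place.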

RBAC Metamodel
RBAC Policies:
Dynamic separation of duty (DSOD)
Static separation of duty (SSOD)
Flow control and workflow:
Conflicts of User, Role and Operation:
Cardinality in Roles and User elements.

Conclusion
We proposed a metamodel that allows designers to:
– Model access control policies (static and dynamic).
– Model flow control policies.
Future Work
Integrating security policies into other phases of the software lifecycle.
Providing unified representations of security policies.

Questions
Thank you