Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modeling Dynamic Role- based Access Constraints using UML Khaled Alghathbar George Mason University, USA and King Saud University, Riyadh, Saudi Arabia.

Published byBritton Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Modeling Dynamic Role- based Access Constraints using UML Khaled Alghathbar George Mason University, USA and King Saud University, Riyadh, Saudi Arabia."— Presentation transcript:

1 Modeling Dynamic Role- based Access Constraints using UML Khaled Alghathbar George Mason University, USA and King Saud University, Riyadh, Saudi Arabia Duminda Wijesekera Center for Secure Information Systems George Mason University, USA

2 © Khaled Alghathbar 2 How to achieve a good security? Security requirements of a software product need to receive attention throughout its development life cycle.

3 © Khaled Alghathbar 3 Why? Because the security requirements specified at early stages of the life cycle affect later stages and are likely to feature in the eventual product. Defects, if undetected, can propagate downstream*. Reduce cost + prevent faults * P. T. Devanbu and S. Stubblebine. Software engineering for security: A roadmap. In A. Finkelstein, editor, The Future of Software Engineering. ACM Press, 2000.

4 © Khaled Alghathbar 4 However! “Non functional requirements are generally more difficult to express in a measurable way, making them more difficult to analyze. In particular, NFRs tends to be properties of system as a whole.”*. lack of tools that model security software engineers lack security expertise * B. Nuseibeh and S. Easterbrook. Requirements engineering: A roadmap. In A. Finkelstein, editor, The Future of Software Engineering. ACM Press, 2000

5 © Khaled Alghathbar 5 Objective There is a need for unified representations of security features.

6 © Khaled Alghathbar 6 How to represent security UML extension Advantages: –Unified design of systems and security policies. –Modularity, and Reuse in policy representation. –Leverage of existing standards-based tools for design and analysis.

7 © Khaled Alghathbar 7 Security Policies Software Development Life cycle Modeling Security Policies Using UML UML Our Goal

8 © Khaled Alghathbar 8 Security Policies Software Development Life cycle Access control policies Design Phase Our Focus

9 © Khaled Alghathbar 9 Access control policies Discretionary Access Control (DAC). Mandatory Access Control (MAC). Role-based Access control (RBAC). Static policies: –Manager  Sign check. Dynamic policies: –Supervisor shall not write and sign the same check.

10 © Khaled Alghathbar 10 Our Proposal Modeling Dynamic Role-based Access Constraints using UML.

11 © Khaled Alghathbar 11 Related Work (1) 1. Lodderstedt et al.* propose a methodology to model access control policies and integrate them into a model- driven software development process. It is the most related work, but our metamodel allows the specification of more authorization policies. 2. Brose et al. ** extend UML to support the automatic generation of access control policies in order to configure a CORBA-based infrastructure However, It does not model dynamic access control policies. *T. Lodderstedt, D. Basin, J. Doser. “SecureUML: A UML-Based Modeling Language for Model-Driven Security”. In the proceedings of the 5th International Conference on the Unified Modeling Language, Dresden, Germany. ** G. Brose, M. Koch, K.-P. Löhr. “Integrating Access Control Design into the Software Development Process”. In the Proc. of the sixth biennial world conference on the Integrated Design and Process Technology (IDPT), Pasadena, CA. June 2002.

12 © Khaled Alghathbar 12 Related Work (2) 3. Fernandez-Medina et al.* propose an extension to the Use Case and Class models of UML. Also, they introduce a language Object Security constraint Language (OSCL). 4. Jurjens’s ** extends UML to integrate standard concepts from formal methods regarding multi-level secure system and security protocols. However, 3 and 4 focus on database and multilevel security. * E. Fernadez-Medina, M.G. Piattini, M.A Serrano. “Specification of Security Constraints in UML”. In the 35th International Carnahan Conference on Security Technology (ICCST), London, UK, October 2001. * E. Fernandez-Medina, A. Martinez, C. Medina, And M. Piattini. “Integrating Multilevel Security in the Database Design Process”. In the Proc. of the sixth biennial world conference on the Integrated Design and Process Technology (IDPT), Pasadena, CA. June 2002. ** J. Jurjens. “Towards development of secure systems using UMLsec”. In the Proceedings of Fundamental Approaches to Software Engineering, 4th Internacional Conference, LNCS, pages 187- 200. Springer, 2001.

13 © Khaled Alghathbar 13 Advantages over other works: Enforcing dynamic access control and flow control policies. Constraints are written on object constraints language (OCL).

14 © Khaled Alghathbar 14 Example

15 © Khaled Alghathbar 15 Examples of access and flow control policies Required Sequence of operations. Role Restriction. Dynamic Separation of Duty. Avoiding Conflicts.

16 © Khaled Alghathbar 16 The proposed extension Security Policy Constraints (SPC). History Log. Business Task. Conflict Sets.

17 © Khaled Alghathbar 17 Security Policy Constraints (SPC) The Core of UML

18 © Khaled Alghathbar 18 Security Policy Constraints (SPC) Example of SPC constraint

19 © Khaled Alghathbar 19 History Log History Log: It keeps in record all authorization requests.

20 © Khaled Alghathbar 20 Business Task A reference of related operations. An essentials element to enforce Separation of Duty and workflow policies. Example: BT={Record, verify, authorize}

21 © Khaled Alghathbar 21 Conflict Sets A reference of conflicting: Users. Roles. Operations. It is essential to avoid conflict. An example conflicting roles: {Purchasing Manager, Account Payable Manager } An example conflicting operations: {writing checks, signing checks}

22 © Khaled Alghathbar 22 The interactions between elements

23 © Khaled Alghathbar 23 An Example of a Constraint in the SPC Required sequence of operations (Workflow policies)

24 © Khaled Alghathbar 24 OCL Representation of the Required Sequence of Operations constraints Context Invoice::Authorize_Payment():Void Pre: Historty_Log-> select(Action=(Business_Task  select(Task="Purchasing”).Operation  Prior (Operation=CurrentOperation)) AND Object=CurrentObject)  notEmpty

25 © Khaled Alghathbar 25 RBAC Metamodel RBAC Policies: Dynamic separation of duty (DSOD) Static separation of duty (SSOD) Flow control and workflow: Conflicts of User, Role and Operation: Cardinality in Roles and User elements.

26 © Khaled Alghathbar 26 Conclusion We proposed a Metamodel that allow designers to: –Model access control policies (static and dynamic) –Model flow control policies. Future Work Integrating security policies on other phases of the software lifecycle. Providing a unified representations of security policies.

27 © Khaled Alghathbar 27 Questions Thank you

Download ppt "Modeling Dynamic Role- based Access Constraints using UML Khaled Alghathbar George Mason University, USA and King Saud University, Riyadh, Saudi Arabia."

Similar presentations

A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Institute for Cyber Security

Institute for Cyber Security
IEEE/FIPA WG Mobile Agents Ulrich Pinsdorf Fraunhofer-Institute IGD, Germany Dept. Security Technology

IEEE/FIPA WG Mobile Agents Ulrich Pinsdorf Fraunhofer-Institute IGD, Germany Dept. Security Technology
A UML Profile for Goal-Oriented and Use Case-Driven Representation of NFRs and FRs Sam Supakkul Titat Software LLC Lawrence Chung The.

A UML Profile for Goal-Oriented and Use Case-Driven Representation of NFRs and FRs Sam Supakkul Titat Software LLC Lawrence Chung The.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
1 Prescriptive Process Models. 2 Prescriptive Models Prescriptive process models advocate an orderly approach to software engineering Prescriptive process.

1 Prescriptive Process Models. 2 Prescriptive Models Prescriptive process models advocate an orderly approach to software engineering Prescriptive process.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Object-Oriented Analysis and Design

Object-Oriented Analysis and Design
Modeling Process-Oriented Integration of Services Using Patterns and Pattern Primitives Uwe Zdun and Schahram Dustdar Distributed Systems Group Institute.

Modeling Process-Oriented Integration of Services Using Patterns and Pattern Primitives Uwe Zdun and Schahram Dustdar Distributed Systems Group Institute.
Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.

Automated Analysis and Code Generation for Domain-Specific Models George Edwards Center for Systems and Software Engineering University of Southern California.
L4-1-S1 UML Overview © M.E. Fayad 2000 -- 2005 SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.

L4-1-S1 UML Overview © M.E. Fayad SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.
COST G9 - Work group 2 Cadastral science meeting Aalborg, Dk 25. 08. - 26. 08. 2005 Modeling methodology for real estate transactions Radoš Šumrada Faculty.

COST G9 - Work group 2 Cadastral science meeting Aalborg, Dk Modeling methodology for real estate transactions Radoš Šumrada Faculty.
Security by Design Thomas Zalonis Seth Gainey Neil C. Lee Thomas Zalonis Seth Gainey Neil.

Security by Design Thomas Zalonis Seth Gainey Neil C. Lee Thomas Zalonis Seth Gainey Neil.
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
Integrating Access Control Design into the Software Development Process G. Brose (Xtradyne AG) M. Koch, P.Löhr (FU Berlin) IDPT‘02, June 2002.

Integrating Access Control Design into the Software Development Process G. Brose (Xtradyne AG) M. Koch, P.Löhr (FU Berlin) IDPT‘02, June 2002.
“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.

“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
NON-FUNCTIONAL PROPERTIES IN SOFTWARE PRODUCT LINES: A FRAMEWORK FOR DEVELOPING QUALITY-CENTRIC SOFTWARE PRODUCTS May 2014 1 Mahdi Noorian

NON-FUNCTIONAL PROPERTIES IN SOFTWARE PRODUCT LINES: A FRAMEWORK FOR DEVELOPING QUALITY-CENTRIC SOFTWARE PRODUCTS May Mahdi Noorian

Similar presentations

Ads by Google