software verification & validation lab (.lu)
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies
05/09/2018
Ameni Ben Fadhel
joint work with Domenico Bianculli, Lionel Briand
Access Control
[Diagram: users request access to the application; an access control (AC) component mediates their access to the application's resources]
Role-based Access Control (RBAC)
[Diagram: the AC component between the users and the application's resources is an RBAC component]
[Diagram: in RBAC, users are assigned roles, and roles mediate access to the application's resources]
Role-based Access Control Policies
Who? What? Under which conditions?
Example of an RBAC Policy
A user can acquire either role participant or admin but not both. (separation of duty policy)
Complex RBAC Policies
Delegation policy:
• A user assigned to role agencyAdmin can delegate all the permissions associated with her role to another user who is assigned to role assistant.
• The delegation lasts for two weeks.
• The delegated role can be further delegated with a maximum delegation depth of 2.
Temporal policy:
A user can activate role participant in September, from the second Monday to the third Friday, from 16:00 to 19:00.
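The three policies above (the separation-of-duty policy of the previous slide, the delegation policy and the temporal policy), as an added Python example that is not part of the slides or of the GemRBAC+CTX/MORRO tooling: each policy becomes a check over a constructed, simplified snapshot of AC data. The snapshot classes, the user names, and the depth semantics (a direct delegation counts as depth 1) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed, simplified snapshot of AC data. These classes are hypothetical; they are
# not the GemRBAC+CTX model, only enough state to evaluate the three policies.
@dataclass
class Delegation:
    delegator: str
    delegate: str
    role: str
    start: datetime
    end: datetime
    parent: "Delegation | None" = None   # the delegation being re-delegated, if any

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end

    def depth(self) -> int:
        """1 for a direct delegation, 2 for a re-delegation, and so on."""
        return 1 if self.parent is None else 1 + self.parent.depth()

@dataclass
class Snapshot:
    assignments: dict[str, set[str]]                  # user -> roles assigned to the user
    delegations: list[Delegation] = field(default_factory=list)

# Separation of duty: a user can acquire either role participant or admin, but not both.
CONFLICTING_ROLE_PAIRS = [("participant", "admin")]

def assign_role(snap, user, role):
    """Static SoD check at assignment time; the role is assigned only if no conflict arises."""
    held = snap.assignments.get(user, set())
    if any({a, b} <= held | {role} for a, b in CONFLICTING_ROLE_PAIRS):
        return False
    snap.assignments.setdefault(user, set()).add(role)
    return True

# Delegation: agencyAdmin -> assistant, lasting two weeks, maximum delegation depth 2.
DELEGATION_DURATION = timedelta(weeks=2)
MAX_DELEGATION_DEPTH = 2

def delegate_role(snap, delegator, delegate, role, now, parent=None):
    """Create the delegation if the policy allows it and return it; None means denied.
    Assumed depth semantics: the direct delegation has depth 1, so depth 2 allows one re-delegation."""
    if parent is None:
        # direct delegation: the delegator must hold agencyAdmin by assignment
        if role != "agencyAdmin" or role not in snap.assignments.get(delegator, set()):
            return None
        end = now + DELEGATION_DURATION
    else:
        # multi-step delegation: the delegator holds the role only through `parent`, which
        # must be unexpired and below the depth limit; the child cannot outlive the parent
        if parent.delegate != delegator or parent.role != role or not parent.active(now):
            return None
        if parent.depth() >= MAX_DELEGATION_DEPTH:
            return None
        end = min(now + DELEGATION_DURATION, parent.end)
    if "assistant" not in snap.assignments.get(delegate, set()):
        return None
    d = Delegation(delegator, delegate, role, now, end, parent)
    snap.delegations.append(d)
    return d

def held_roles(snap, user, now):
    """Roles held at `now`: assigned roles plus roles received through unexpired delegations."""
    roles = set(snap.assignments.get(user, set()))
    return roles | {d.role for d in snap.delegations if d.delegate == user and d.active(now)}

# Temporal: participant may be activated in September, 2nd Monday to 3rd Friday, 16:00-19:00.
def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` (Monday = 0) of the given month."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))

def activation_allowed(role, now):
    """Temporal constraint on role activation. Other roles are unconstrained here, since
    the slide states a policy for participant only (assumption)."""
    if role != "participant":
        return True
    if now.month != 9:
        return False
    window_start = nth_weekday(now.year, 9, 0, 2)   # second Monday of September
    window_end = nth_weekday(now.year, 9, 4, 3)     # third Friday of September
    if not (window_start <= now.date() <= window_end):
        return False
    return 16 * 60 <= now.hour * 60 + now.minute <= 19 * 60   # 16:00 to 19:00, inclusive

def demo():
    """Constructed scenario exercising the three checks; returns the outcomes."""
    snap = Snapshot({"alice": {"agencyAdmin"}, "bob": {"assistant"},
                     "carol": {"assistant"}, "dave": {"assistant"}, "eve": {"participant"}})
    t0 = datetime(2018, 9, 10, 9, 0)
    d1 = delegate_role(snap, "alice", "bob", "agencyAdmin", t0)               # depth 1
    d2 = delegate_role(snap, "bob", "carol", "agencyAdmin", t0, parent=d1)    # depth 2
    d3 = delegate_role(snap, "carol", "dave", "agencyAdmin", t0, parent=d2)   # too deep
    return {"sod_denies_admin_to_participant": not assign_role(snap, "eve", "admin"),
            "delegation_chain": [d1 is not None, d2 is not None, d3 is None],
            "bob_after_two_weeks": "agencyAdmin" in held_roles(snap, "bob", t0 + timedelta(days=15)),
            "activation_in_window": activation_allowed("participant", datetime(2018, 9, 14, 17, 30))}
```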
Industrial Partner: HITEC Luxembourg
Development of situational-aware information management systems for emergency scenarios
Specification of RBAC Policies
GemRBAC+CTX: a Comprehensive Model for RBAC
• An extension of the RBAC96 model, supporting various types of complex RBAC policies
• Formalization of RBAC policies as OCL constraints on the GemRBAC+CTX model, to operationalize their semantics
[Class diagram of GemRBAC+CTX. Classes: User (-idUser: String, +assignRole(Role), +accessHistory: Set(History)); Role (-idRole: String, -isStrong: Boolean, -isCascading: Boolean, -isDependent: Boolean, +assignPermission(), +logBOCurrentProcessInstance(): Set(History), +getAllJuniors: Set(Role), +accessHistory: Set(History)); Permission (-idPermission: String); Operation (-idOperation: String, +accessHistory: Set(History)); Object (-idObject: String, +accessHistory: Set(History)); Session (-idSession: String, +performOperation(Operation, Permission, Role), +enableRole(Role), +disableRole(Role), +activate(Role), +deactivate(Role), +delegateRole(Role), +accessHistory: Set(History)); Delegation (-idDelegation: String, -isRevoked: Boolean, -isTransfer: DelegationType, -isTotal: Boolean, -startDate: TimePoint, -endDate: TimePoint, -maxDepth: Integer); «enumeration» DelegationType (grant, strong, weakStatic, weakDynamic); RBACContext (roleContextEnabling, roleContextAssignment, PermissionContextEnabling, PermissionContextAssignment, all 0..*), TimeExpression and Location; History (-idLog: String) with links logUser, logPermission, logOperation, logObject, logTime, logLocation; RBACUtility (-maxPermission: Integer, -maxActiveRole: Integer, -maxRole: Integer, +getCurrentDate(): TimePoint).
Associations: user-role assignment (users 1..* / roles 1..*); user-role delegation (delegatedRoles 0..*); role-permission assignment (roles 1..* / permissions 1..*); roleHierarchy (juniors 0..* / seniors 0..*); role activation (activeRoles 0..*) and role enabling (enabledRoles 0..*) from Session; Delegation linked to its delegator User (1), delegate User (1), revoking User (0..1), delegated Role (1), delegate Role (1), delegated Permissions (1..*), and to other delegations via receivedDelegation and delegatedDelegation (0..*); User linked to its userLocation.]
[Core entities of the model: User, Role, Permission, Operation, Object, Session]
Policy Specification Language
GemRBAC+CTX
GemRBAC-DSL

GemRBAC-DSL Policy
Policy in natural language:
PL: A user can acquire either role participant or admin but not both.
Policy in GemRBAC-DSL:
PL: conflicting-roles-assignment participant, admin;
Problem
How to enforce RBAC policies at run time?
Enforcement: Making an Access Decision
[Diagram: users request access to the application's resources; the AC component decides whether each request is granted]
Enforcement: Updating AC Data (Usage Control)
[Diagram: the enforcement mechanism also maintains the AC data, i.e. the users, the roles (role 1, role 2, ..., role n) and the permissions assigned to each role (e.g. permission 1, permission 2, permission 3)]
Existing Enforcement Mechanisms
[Figure: existing mechanisms positioned by whether they support access control or usage control, with two groups highlighted: aspect generation and model-driven approaches]
• XACML (OASIS, 2005)
• Kirkpatrick et al. (SACMAT, 2010)
• Bhatti et al. (Trans. Inf. Syst. Secur., 2005)
• Ben David et al. (MDSEC, 2012)
• Mourad et al. (PST, 2010)
• Kallel et al. (ESSoS, 2009)
• Mariscal et al. (DBSec, 2005)
• Mustafa et al. (SESS, 2010)
• Sohr et al. (ACSAC, 2008)
• Zhang et al. (Trans. Inf. Syst. Secur., 2003)
• Martinez et al. (SLE, 2016)
• Hummer et al. (Softw. Technol, 2013)
Existing Enforcement Mechanisms: Limitations
• Lack of expressiveness
  • each mechanism implements a limited set of policies captured by its underlying model/language
• Support for access control or usage control but not both
Our Proposal
A model-driven approach for run-time enforcement of complex RBAC policies written in GemRBAC-DSL
Why a Model-driven Approach?
• provides high-level abstraction
• leverages standardized technology (OMG)
• benefits from industry-strength tools
Enforcement Process
Policies are enforced in case of:
• AC request (to make an access decision)
• AC event (to update the AC data)

Supported AC Request Types
• Access to a resource
• Role activation
• Administrative operations
• Role delegation
• Role revocation
Enforcement Process: AC Request
[Diagram of the model-driven enforcement: the GemRBAC-DSL policies are expressed as OCL constraints. The Snap, a GemRBAC+CTX instance holding the current AC data, and the AC request are given to the Snap Processor, which builds the TargetSnap. The OCL Checker evaluates on the TargetSnap the constraints selected based on the type and the parameters of the AC request.]
[Class diagram of the Snap (GemRBAC+CTX instance). In addition to the classes of the GemRBAC+CTX diagram above, it shows RBACContext with +checkAccess(RBACContext): Boolean and its subclasses TemporalContext (-time: RBACtime) and SpatialContext (-location: RBAClocation), attached to users, roles and permissions (userContext, roleContext, permissionContext) and logged in History (logContext, logRole); the date attributes of Delegation and +getCurrentDate() are typed Date; further operations shown: +getBoundedPermissions(): Set(Permission), +getBusinessTaskList(): Set(Operation), +revoke(), +getAbsoluteDelegationPath().]
Policy Selection
[Table: for each AC request type, the policy types whose OCL constraints are selected. Rows: role activation, access to a resource, role delegation, role revocation, administrative operations. Columns: prerequisite, role hierarchy, cardinality (assignment), static SoD, dynamic SoD on roles, dynamic SoD on users, ..., delegation. The column positions of the ticks were lost in extraction; the visible counts are three policy types for role activation, four for role delegation, two for role revocation and three for administrative operations.]
[Same diagram, final step: the output of the OCL Checker is the access decision.]
Building TargetSnap
AC request = {u1, s1, r1, p1, op1, o1} (user, session, role, permission, operation, object)
[Object diagram of the Snap before the access: u1:User is assigned role r1:Role (URA); u1's session ses1:Session has r1 activated (RA); r1 holds permission p1:Permission (RPA) for operation op1:Operation on object o1:Object; u1's context scu1:RBACContext records the location p1:Point; s:RBACUtility holds the current time CT:TimePoint (2018-09-14, 14:40:40) and the day of the week. Legend: RE: role enabling; RA: role activation; URA: user-role assignment; RPA: role-permission assignment.]
[Object diagram after the access, at 14:41:00: a new entry log1:History links the user (logUser), the role (logRole), the permission (logPermission), the time (logTime) and the location (logLocation).]
[Diagram: the History entry at the centre of the TargetSnap, linked to User, Role, Permission, Time and Location]
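The request handling sketched on these slides, as an added Python example that is not from the presentation or from MORRO: it slices a constructed Snap into a TargetSnap for an access-to-a-resource request, decides on the basic URA/RA/RPA relations, logs a History entry on a grant, and applies the AC event types listed on the slides (user authentication, disconnection, change of location) as updates to the Snap. The Snap structure, the event tuple shapes and the sample data around user Jim are assumptions; the OCL constraints of the actual approach are not reproduced.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed in-memory "Snap" of the AC data. The structures are hypothetical
# simplifications of the GemRBAC+CTX classes on the slides (User, Session, Role,
# Permission, Operation, Object, History, RBACContext), not the model itself.
@dataclass
class History:            # one log entry, linked like log1:History on the slide
    user: str             # logUser
    role: str             # logRole
    permission: str       # logPermission
    time: datetime        # logTime
    location: str         # logLocation

@dataclass
class Snap:
    users: dict[str, set[str]]                 # user -> roles assigned to the user (URA)
    role_permissions: dict[str, set[str]]      # role -> permissions assigned to it (RPA)
    permissions: dict[str, tuple[str, str]]    # permission -> (operation, object) it covers
    sessions: dict[str, tuple[str, set[str]]] = field(default_factory=dict)  # session -> (user, active roles)
    locations: dict[str, str] = field(default_factory=dict)                  # user -> location (spatial context)
    history: list[History] = field(default_factory=list)

def build_target_snap(snap: Snap, request: tuple) -> dict:
    """Slice the Snap down to what the request {user, session, role, permission,
    operation, object} refers to, plus the user's context and history."""
    user, session, role, permission, operation, obj = request
    return {
        "user": user, "assigned_roles": snap.users.get(user),
        "session": snap.sessions.get(session),
        "role": role, "role_permissions": snap.role_permissions.get(role),
        "permission": permission, "covers": snap.permissions.get(permission),
        "operation": operation, "object": obj,
        "location": snap.locations.get(user),
        "history": [h for h in snap.history if h.user == user],
    }

def check_access(snap: Snap, request: tuple, now: datetime) -> bool:
    """AC request of type 'access to a resource', decided on the TargetSnap alone:
    URA, RA and RPA must hold and the permission must cover (operation, object).
    A grant is recorded as a History entry, as on the slide."""
    t = build_target_snap(snap, request)
    if t["assigned_roles"] is None or t["session"] is None:
        return False
    session_user, active_roles = t["session"]
    ura = t["role"] in t["assigned_roles"]
    ra = session_user == t["user"] and t["role"] in active_roles
    rpa = t["role_permissions"] is not None and t["permission"] in t["role_permissions"]
    covers = t["covers"] == (t["operation"], t["object"])
    if not (ura and ra and rpa and covers):
        return False
    snap.history.append(History(t["user"], t["role"], t["permission"], now,
                                t["location"] or "unknown"))
    return True

def activate_role(snap: Snap, session: str, role: str) -> bool:
    """AC request of type 'role activation': the session's user must be assigned the role."""
    if session not in snap.sessions:
        return False
    user, active_roles = snap.sessions[session]
    if role not in snap.users.get(user, set()):
        return False
    active_roles.add(role)
    return True

def apply_event(snap: Snap, event: tuple) -> bool:
    """AC events update the Snap instead of producing a decision. Assumed shapes:
    ("authenticate", user, session), ("disconnect", session), ("change_location", user, place)."""
    kind = event[0]
    if kind == "authenticate":
        _, user, session = event
        if user not in snap.users or session in snap.sessions:
            return False
        snap.sessions[session] = (user, set())
    elif kind == "disconnect":
        return snap.sessions.pop(event[1], None) is not None
    elif kind == "change_location":
        _, user, place = event
        if user not in snap.users:
            return False
        snap.locations[user] = place
    else:
        return False
    return True

def demo() -> list:
    """The slide's request for user Jim, walked through events and requests (constructed data)."""
    snap = Snap(users={"Jim": {"MISSION_ADMIN"}},
                role_permissions={"MISSION_ADMIN": {"PSSU_ABOUT"}},
                permissions={"PSSU_ABOUT": ("read", "user info")})
    req = ("Jim", "s1", "MISSION_ADMIN", "PSSU_ABOUT", "read", "user info")
    now = datetime(2018, 9, 14, 14, 40, 40)
    steps = [apply_event(snap, ("authenticate", "Jim", "s1")),
             check_access(snap, req, now),                 # denied: role not yet active
             activate_role(snap, "s1", "MISSION_ADMIN"),
             check_access(snap, req, now),                 # granted and logged
             apply_event(snap, ("disconnect", "s1")),
             check_access(snap, req, now)]                 # denied: no session any more
    return steps + [len(snap.history)]   # [True, False, True, True, True, False, 1]
```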
Enforcement Process: AC Event
[Diagram of the model-driven enforcement: the GemRBAC-DSL policies are expressed as OCL constraints. The AC event and the Snap (GemRBAC+CTX instance) are given to the Snap Processor; the OCL Checker evaluates the constraints selected based on the type and the parameters of the AC event, and the result is an updated Snap.]
Supported AC Event Types
• User authentication
• User disconnection
• User change location
MORRO: MOdel-driven fRamework for Run-time enforcement of RBAC pOlicies

MORRO Architecture
[Diagram: the proxy receives the AC request, sends a check request to the authorization server, and receives the access decision]
• Inspired by the XACML standard architecture:
  • policy enforcement point: proxy
  • policy decision point: authorization server
• Can be integrated into many Web applications
Evaluation
Industrial Application
Mission critical information system for military and governmental applications
[Diagram: mobile forces (mobile units MU-01, MU-02, MU-04, each a mobile client with GPS, camera and sensors) communicating with the central crisis centres CC-01 and CC-02]
1648 users, 396 roles, 53 permissions
Efficiency Evaluation
• Performance on a real industrial system
• Scalability
• Communication overhead between the authorization server and the proxy
Performance on an Industrial System
RQ1: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations?

Subjects for Evaluation
Real system configurations from industrial partner:
• two types of AC requests:
  • access to a resource
  • role activation
• two types of AC events:
  • user authentication
  • user change location
Evaluation Methodology
[Table: AC requests/events (rows) against configurations and their parameters (columns)]
AC requests/events: access to a resource; role activation; user authentication; user change location
Configurations: basic configuration; history-based DSoD policy; subject-based BoD policy
Parameters: # sessions in the system; # active roles in the current session of the user who made the request; # permissions assigned to the current role of the user who made the request
Access to a Resource
AC request = {"Jim", s1, MISSION_ADMIN, PSSU_ABOUT, read, user info} (user, session, role, permission, operation, object)
• two scenarios:
  • role MISSION_ADMIN is assigned to user Jim
  • role MISSION_ADMIN has been delegated to user Jim
Performance on an Industrial System
RQ1: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations?
The access decision time within the authorization server is less than 64 ms.
The execution time for processing a notification of an AC event is less than 512 ms.
The access decision time within the authorization server and the execution time in our approach are quite affordable in practice.
Scalability
RQ2: how does the authorization server in MORRO scale when increasing the value of different parameters potentially affecting performance of an AC configuration?
Evaluation settings:
• same AC requests and AC events used to answer RQ1, and the corresponding scenarios and configurations
• we vary one parameter while keeping all the others constant
The access decision time for an AC request and the execution time for processing a notification of an AC event are:
• linear, in the majority of the cases, with respect to the parameters of the various configurations;
• constant, in the remaining cases.
These results imply that our solution is applicable for large systems.
Overhead of the Communication between the Authorization Service and the Proxy
RQ3: what is the communication overhead between the authorization server and the proxy in case of an AC request?
[Diagram: the proxy receives the AC request, sends a check request to the authorization server and gets back the access decision]
Real system configurations from our industrial partner:
• the communication overhead < 60 ms
• the access decision time within the proxy < 107 ms (original requirement by our industrial partner < 200 ms)
Summing up

Delegation Policy
• A user assigned to role agencyAdmin can delegate all the permissions associated with her role to another user who is assigned to role assistant. (role-to-role delegation)
• The delegation lasts for two weeks. (delegation duration)
• The delegated role can be further delegated with a maximum delegation depth of 2. (multi-step delegation)
Checking OCL
[Diagram: the formalization of RBAC policies as OCL constraints over the RBAC conceptual model is checked by a checking mechanism against the run-time system, reporting satisfied/violated.]
[Refined diagram: OCL constraint templates are instantiated for the policies (template instantiation) into OCL constraints; the run-time system is represented as a GemRBAC+CTX model instance (the class diagram above); the OCL checker evaluates the constraints on that instance and reports satisfied/violated.]
Performance Evaluation
RQ: How long does the authorization server in MORRO take to
process AC requests/events, when deployed on a real industrial
system, under various AC configurations?
70
Performance on an Industrial System
The access decision time within the authorization server is less than 64 ms.
Average networking time = 1880 ms (E. Cecchet et al., 2011), so the access decision time is less than 4% of the networking time.
The access decision time in our approach is quite affordable in practice.
71
Performance on an Industrial System
The execution time for processing a notification of an AC event is less than 512 ms.
Average think time = 7000 ms (TPC-W, 2001); execution time << average think time.
The execution time in our approach is quite affordable in practice.
73
Evaluation Settings
• For each AC request, we measure the access decision time of the authorization server and of the proxy, when varying the configuration of the system.
75
• For each AC event, we measure the execution time of the authorization server, when varying the configuration of the system.
76
Tool Chain
78
[Figure: tool chain. Design time: Language Editor; Model Transformation GemRBAC-DSL to UML+OCL, producing the OCL constraints. Deployment time: Model Transformation UML to UML, producing a list of model changes from the current instance to the new model instance. Runtime: MORRO, operating on the GemRBAC+CTX model instance.]
Evaluation Methodology: AC Event
80
AC events: user authentication; user changes location.
Configurations: basic configuration; precedence policy; time-based policy; location-based policy.
Configuration parameter: number of roles assigned to the authenticated user.
82
User Authentication
AC event = {Jim, s1, locuser}
• two scenarios:
  • Jim's location is known
  • Jim's location is not known
83
Model-Driven Run-Time Enforcement of Complex Role-Based Access Control Policies

  • 7. 7 Example of an RBAC Policy (Separation of duty policy): A user can acquire either role participant or admin but not both.
  • 9. 9 Delegation policy: • A user assigned to role agencyAdmin can delegate all the permissions associated with her role to another user who is assigned to role assistant. • The delegation lasts for two weeks. • The delegated role can be further delegated with a maximum delegation depth of 2.
  • 10. 10 Temporal policy: A user can activate role participant on September, from the second Monday to third Friday, from 16:00 to 19:00.
  • 11. 11 Industrial Partner: HITEC Luxembourg. Development of situational-aware information management systems for emergency scenarios.
  • 14. 14 GemRBAC+CTX: a Comprehensive Model for RBAC. • An extension of the RBAC96 model, supporting various types of complex RBAC policies. • Formalization of RBAC policies as OCL constraints on the GemRBAC+CTX model, to operationalize their semantics.
  • 15. [Figure: GemRBAC+CTX class diagram. Core classes: User, Role, Permission, Operation, Object, Session; plus Delegation (with idDelegation, isRevoked, isTransfer: DelegationType, isTotal, startDate, endDate, maxDepth), the DelegationType enumeration (grant, strong, weakStatic, weakDynamic), RBACContext, RBACUtility (maxPermission, maxActiveRole, maxRole), History, TimeExpression and Location. Associations: user-role assignment, user-role delegation (delegator, delegate, revoking user, delegatedRoles, delegatedPermissions, receivedDelegation, delegatedDelegation), role-permission assignment, roleHierarchy (juniors, seniors), role enabling, role activation, and the log links of History (logUser, logPermission, logTime, logLocation, logOperation, logObject).]
  • 18. 18 GemRBAC-DSL Policy. PL: A user can acquire either role participant or admin but not both. PL: conflicting-roles-assignment participant, admin;
  • 19. 19 Problem: How to enforce RBAC policies at run time?
  • 20. 20 Enforcement: Making an Access Decision [figure: users, AC, Application, Resources]
  • 21. 21 Enforcement: Updating AC Data (Usage Control) [figure: Enforcement Mechanism acting on the AC data, i.e. users, roles (role 1, role 2, ..., role n) and their permissions (permission 1, permission 2, permission 3, permission 1)]
  • 22. 22 Enforcement: Updating AC Data (Usage Control) [same figure as slide 21]
  • 23. 23 Existing Enforcement Mechanisms [figure: mechanisms arranged by Access Control vs. Usage Control and by approach (Aspect generation, Model-driven)]: XACML (OASIS, 2005); Kirkpatrick et al. (SACMAT, 2010); Bhatti et al. (Trans. Inf. Syst. Secur., 2005); Ben David et al. (MDSEC, 2012); Mourad et al. (PST, 2010); Kallel et al. (ESSoS, 2009); Mariscal et al. (DBSec, 2005); Mustafa et al. (SESS, 2010); Sohr et al. (ACSAC, 2008); Zhang et al. (Trans. Inf. Syst. Secur., 2003); Martinez et al. (SLE, 2016); Hummer et al. (Softw. Technol, 2013).
  • 24. 24 Existing Enforcement Mechanisms: Limitations. • Lack in expressiveness: each mechanism implements a limited set of policies captured by its underlying model/language. • Support for access control or usage control but not both.
  • 25. Our Proposal: A model-driven approach for run-time enforcement of complex RBAC policies written in GemRBAC-DSL.
  • 26. 26 Why a Model-driven Approach? • provides high-level abstraction • leverages standardized technology (OMG) • benefits from industry-strength tools
  • 27. 27 Enforcement Process. Policies are enforced in case of: • AC request (to make an access decision) • AC event (to update the AC data)
  • 28. 28 Supported AC Request Types: • Access to a resource • Role activation • Administrative operations • Role delegation • Role revocation
  • 29. 29 Enforcement Process: AC Request [figure, model-driven enforcement: the GemRBAC-DSL policies are translated into OCL constraints; the Snap (a GemRBAC+CTX instance) is processed by the Snap Processor into the TargetSnap; the OCL Checker evaluates on the TargetSnap the constraints selected based on the type and the parameters of the AC request]
  • 30. 30 Policy Selection [table: rows are the AC request types Role Activation, Access to a resource, Role delegation, Role revocation and Administrative operations; columns are the policy types Prerequisite, Role Hierarchy, Cardinality (assignment), Static SoD, Dynamic SoD roles, Dynamic SoD users, ..., Delegation; a check mark indicates that the policy type is selected for that request type]
  • 31. 31 Policy Selection [same table as slide 30]
  • 32. 32 Enforcement Process: AC Request [figure, model-driven enforcement, as on slide 29: GemRBAC-DSL policies become OCL constraints; the Snap (GemRBAC+CTX instance) is turned by the Snap Processor into the TargetSnap; the OCL Checker evaluates the constraints selected based on the type and the parameters of the AC request and returns the access decision]
  • 33. Building TargetSnap. AC request = {u1, s1, r1, p1, op1, o1}: user, session, role, permission, operation, object.
  • 34. Building TargetSnap. AC request = {u1, s1, r1, p1, op1, o1}. [Figure: object diagram of the TargetSnap: u1: User linked by URA to r1: Role; r1 activated (RA) in ses1: Session; r1 linked by RPA to p1: Permission, with op1: Operation and o1: Object; scu1: RBACContext with p1: Point and CT: TimePoint (second: 40, minute: 40, hour: 14, day: 14, month: 09, year: 2018) and Wedneday: DayOfWeek (day: Thursday); s: RBACUtility. Legend: RE: role enabling; RA: role activation; URA: user-role assignment; URP: role-permission assignment.]
  • 35. Building TargetSnap. AC request = {u1, s1, r1, p1, op1, o1}. [Figure: the same object diagram, with CT: TimePoint now at second: 00, minute: 41, hour: 14, day: 14, month: 09, year: 2018, and a log1: History entry linked by logUser to u1: User, logRole to r1: Role, logPermission to p1: Permission, logTime to CT: TimePoint and logLocation to p1: Point. Legend: RE: role enabling; RA: role activation; URA: user-role assignment; URP: role-permission assignment.] History table columns: User, Role, Permission, Time, Location.
  • 36. Enforcement Process: AC Event. [Figure: model-driven enforcement for an AC event: the Snap (a GemRBAC+CTX instance: User, Role, Permission, Object, Operation, Delegation, Session, RBACContext, TemporalContext, SpatialContext, History, RBACUtility, DelegationType) is passed to the Snap Processor, which produces the Updated Snap; the OCL Checker evaluates the OCL constraints selected based on the type and the parameters of the AC event, derived from the GemRBAC-DSL policies.]
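The enforcement process of slides 32 to 36, as an added example in Python that is not MORRO's code: a snapshot of the RBAC state stands in for the GemRBAC+CTX instance, plain constraint functions stand in for the OCL constraints, the constraints are selected by the type of the AC request, a grant is logged to the History, and the three AC event types of slide 37 update the snapshot without producing a decision. The class, field and function names, the request and event dictionaries, and the sample data (users u1 and u2, roles r1 and r2, the submit/approve DSoD pair) are assumptions constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Delegation:                       # user-role delegation (field names follow the diagram labels)
    delegator: str
    delegate: str
    role: str
    start_date: datetime
    end_date: datetime
    is_revoked: bool = False

# One History log entry: who used which role and permission on what, and when.
History = namedtuple("History", "user role permission operation obj time")

@dataclass
class Snap:
    """Run-time snapshot of the RBAC state (stand-in for the GemRBAC+CTX instance)."""
    assigned: dict = field(default_factory=dict)     # user -> {role}  (user-role assignment)
    role_perms: dict = field(default_factory=dict)   # role -> {(permission, operation, object)}
    sessions: dict = field(default_factory=dict)     # session -> [user, {active role}]
    delegations: list = field(default_factory=list)  # Delegation objects
    locations: dict = field(default_factory=dict)    # user -> location or None (spatial context)
    history: list = field(default_factory=list)      # History entries, appended on every grant
    dsod_pairs: set = field(default_factory=set)     # {frozenset({op_a, op_b})}: conflicting operations

# Constraint functions: each returns True when the request satisfies it (analogues of OCL constraints).
def c_role_held(snap, req, now):
    """Role is assigned to the user, or delegated to the user, unrevoked and valid at `now`."""
    if req["role"] in snap.assigned.get(req["user"], set()):
        return True
    return any(d.delegate == req["user"] and d.role == req["role"] and not d.is_revoked
               and d.start_date <= now <= d.end_date for d in snap.delegations)

def c_session_owner(snap, req, now):
    return snap.sessions.get(req["session"], [None])[0] == req["user"]

def c_role_active(snap, req, now):
    return c_session_owner(snap, req, now) and req["role"] in snap.sessions[req["session"]][1]

def c_permission_assigned(snap, req, now):
    return (req["permission"], req["operation"], req["object"]) in snap.role_perms.get(req["role"], set())

def c_history_dsod(snap, req, now):
    """History-based DSoD: one user may not perform two conflicting operations on the same object."""
    past = {h.operation for h in snap.history if h.user == req["user"] and h.obj == req["object"]}
    return not any(frozenset({req["operation"], p}) in snap.dsod_pairs for p in past)

def select_constraints(req):
    """The checker evaluates only the constraints that apply to this type of AC request."""
    if req["type"] == "access":
        return [c_role_held, c_role_active, c_permission_assigned, c_history_dsod]
    if req["type"] == "activation":
        return [c_role_held, c_session_owner]
    raise ValueError(f"unknown AC request type: {req['type']}")

def check_access(snap, req, now):
    """Return (granted, [violated constraints]); a grant also updates the snapshot."""
    violated = [c.__name__ for c in select_constraints(req) if not c(snap, req, now)]
    if violated:
        return False, violated
    if req["type"] == "access":
        snap.history.append(History(req["user"], req["role"], req["permission"],
                                    req["operation"], req["object"], now))
    else:
        snap.sessions[req["session"]][1].add(req["role"])
    return True, []

def handle_event(snap, event):
    """AC events update the snapshot without producing an access decision."""
    kind = event["type"]
    if kind == "user_authentication":
        snap.sessions[event["session"]] = [event["user"], set()]
        snap.locations[event["user"]] = event.get("location")
    elif kind == "user_disconnection":
        snap.sessions.pop(event["session"], None)
    elif kind == "user_change_location":
        snap.locations[event["user"]] = event["location"]
    else:
        raise ValueError(f"unknown AC event type: {kind}")

def demo():
    """Constructed sample state for the example (not data from the industrial system)."""
    now = datetime(2018, 9, 14, 14, 40, 40)
    snap = Snap()
    snap.assigned["u1"] = {"r1"}
    snap.role_perms["r1"] = {("p1", "read", "o1"), ("p2", "submit", "o1"), ("p3", "approve", "o1")}
    snap.delegations.append(Delegation("u2", "u1", "r2", now, now + timedelta(weeks=2)))
    snap.dsod_pairs.add(frozenset({"submit", "approve"}))
    handle_event(snap, {"type": "user_authentication", "user": "u1", "session": "s1"})
    req = {"type": "access", "user": "u1", "session": "s1", "role": "r1",
           "permission": "p1", "operation": "read", "object": "o1"}
    before = check_access(snap, req, now)                    # r1 not active yet: denied
    check_access(snap, {"type": "activation", "user": "u1", "session": "s1", "role": "r1"}, now)
    after = check_access(snap, req, now)                     # granted and logged to History
    check_access(snap, dict(req, permission="p2", operation="submit"), now)
    dsod = check_access(snap, dict(req, permission="p3", operation="approve"), now)  # conflicts with submit
    held = c_role_held(snap, dict(req, role="r2"), now + timedelta(days=13))        # delegation valid
    expired = c_role_held(snap, dict(req, role="r2"), now + timedelta(days=15))     # delegation over
    return before, after, dsod, held, expired, len(snap.history)
```

`demo()` walks one session through the request types evaluated on slides 46 to 51: the access is denied until the role is activated, granted and logged afterwards, and denied again when the History shows a conflicting operation on the same object; the last two values show a delegated role being held inside and outside its validity window.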
  • 37. Supported AC Event Types: user authentication; user disconnection; user change location.
  • 38. MORRO: MOdel-driven fRamework for Run-time enforcement of RBAC pOlicies
  • 39. MORRO Architecture. [Figure: for each AC request, the proxy sends a check request to the authorization server, which returns the access decision.] Inspired by the XACML standard architecture: policy enforcement point: proxy; policy decision point: authorization server.
  • 40. MORRO Architecture. Inspired by the XACML standard architecture: policy enforcement point: proxy; policy decision point: authorization server. Can be integrated into many Web applications.
  • 42. Industrial Application. Mission critical information system for military and governmental applications. [Figure: deployment with Mobile Forces (mobile units MU-01, MU-02, MU-04; Mobile Client with GPS, Camera, Sensors) and Central Crisis Centres (CC-01, CC-02).]
  • 43. Industrial Application. Mission critical information system for military and governmental applications: 1648 users, 396 roles, 53 permissions.
  • 44. Efficiency Evaluation: performance on a real industrial system; scalability; communication overhead between the authorization server and the proxy.
  • 45. Performance on an Industrial System. RQ1: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations?
  • 46. Subjects for Evaluation. Real system configurations from industrial partner: two types of AC requests: access to a resource, role activation; two types of AC events: user authentication, user change location.
  • 47. Evaluation Methodology. [Figure: the four subjects: Access to a resource, Role activation, User authentication, User change location.]
  • 48. Evaluation Methodology. [Figure: the four subjects (Access to a resource, Role activation, User authentication, User change location) against the configurations: basic configuration, history-based DSoD policy, subject-based BoD policy.]
  • 49. Evaluation Methodology. [Figure: the four subjects (Access to a resource, Role activation, User authentication, User change location) against the configurations (basic configuration, history-based DSoD policy, subject-based BoD policy) and the parameters: # sessions in the system; # active roles in the current session of the user who made the request; # permissions assigned to the current role of the user who made the request.]
  • 50. Access to a Resource. AC request = {“Jim”, s1, MISSION_ADMIN, PSSU_ABOUT, read, user info}: user, session, role, permission, operation, object.
  • 51. Access to a Resource. AC request = {“Jim”, s1, MISSION_ADMIN, PSSU_ABOUT, read, user info}. Two scenarios: role MISSION_ADMIN is assigned to user Jim; role MISSION_ADMIN has been delegated to user Jim.
  • 52. Performance on an Industrial System. RQ1: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations? The access decision time within the authorization server is less than 64 ms. The execution time for processing a notification of an AC event is less than 512 ms. The access decision time within the authorization server and the execution time in our approach are quite affordable in practice.
  • 53. Scalability. RQ2: how does the authorization server in MORRO scale when increasing the value of different parameters potentially affecting performance of an AC configuration? Evaluation settings: same AC requests and AC events used to answer RQ1, and the corresponding scenarios and configurations; we vary one parameter while keeping all the others constant.
  • 54. Scalability. The access decision time for an AC request and the execution time for processing a notification of an AC event are: linear, in the majority of the cases, with respect to the parameters of the various configurations; constant, in the remaining cases. These results imply that our solution is applicable for large systems.
  • 55. Overhead of the Communication between the Authorization Service and the Proxy. RQ3: what is the communication overhead between the authorization server and the proxy in case of an AC request?
  • 56. Overhead of the Communication between the Authorization Service and the Proxy. [Figure: the proxy forwards each AC request as a check request to the authorization server and receives the access decision.] RQ3: what is the communication overhead between the authorization server and the proxy in case of an AC request?
  • 59. Overhead of the Communication between the Authorization Service and the Proxy. RQ3: what is the communication overhead between the authorization server and the proxy in case of an AC request? Real system configurations from our industrial partner: the communication overhead < 60 ms; the access decision time within the proxy < 107 ms (original requirement by our industrial partner < 200 ms).
  • 64. Delegation policy, annotated by policy type:
    • A user assigned to role agencyAdmin can delegate all the permissions associated with her role to another user who is assigned to role assistant. (role-to-role delegation)
    • The delegation lasts for two weeks. (delegation duration)
    • The delegated role can be further delegated with a maximum delegation depth of 2. (multi-step delegation)
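The three clauses of the delegation policy above, checked on constructed data as an added example in Python (not the GemRBAC+CTX formalization, whose constraints are OCL): each clause becomes one check, the depth of a re-delegation is computed by walking the delegation path back to the original delegator, and revocation cascades to the delegations derived from the revoked one. The Delegation fields, the POLICY dictionary, the user names and the dates are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

POLICY = {                        # assumed encoding of the three policy clauses
    "role": "agencyAdmin",        # role whose permissions may be delegated
    "delegate_role": "assistant", # the delegate must be assigned this role
    "max_duration": timedelta(weeks=2),
    "max_depth": 2,               # longest allowed delegation path
}

@dataclass
class Delegation:
    delegator: str
    delegate: str
    role: str
    start_date: datetime
    end_date: datetime
    parent: Optional["Delegation"] = None   # delegation being passed on (multi-step delegation)
    is_revoked: bool = False

def depth(d):
    """Number of steps from the original delegator to `d` (absolute delegation path length)."""
    n = 1
    while d.parent is not None:
        d, n = d.parent, n + 1
    return n

def validate_delegation(assigned, d, now, policy=POLICY):
    """Return the policy clauses that `d` violates; an empty list means the delegation is allowed."""
    violations = []
    if d.role != policy["role"]:
        return ["policy does not cover role " + d.role]
    if d.parent is None:
        if d.role not in assigned.get(d.delegator, set()):
            violations.append("delegator is not assigned the delegated role")
    else:
        p = d.parent
        if (p.delegate, p.role) != (d.delegator, d.role) or p.is_revoked \
                or not (p.start_date <= now <= p.end_date):
            violations.append("delegator holds no valid delegation to pass on")
        if d.end_date > p.end_date:
            violations.append("re-delegation outlives the delegation it derives from")
    if policy["delegate_role"] not in assigned.get(d.delegate, set()):
        violations.append("delegate is not assigned role " + policy["delegate_role"])
    if not timedelta(0) < d.end_date - d.start_date <= policy["max_duration"]:
        violations.append("delegation duration is not within two weeks")
    if depth(d) > policy["max_depth"]:
        violations.append("maximum delegation depth exceeded")
    return violations

def revoke(d, all_delegations):
    """Revoke `d` and, cascading, every delegation derived from it."""
    d.is_revoked = True
    for other in all_delegations:
        if other.parent is d and not other.is_revoked:
            revoke(other, all_delegations)

def demo():
    """Constructed data: users, role assignments and dates are assumptions for the example."""
    now = datetime(2018, 9, 5)
    assigned = {"alice": {"agencyAdmin"}, "bob": {"assistant"},
                "carol": {"assistant"}, "dave": {"assistant"}}
    d1 = Delegation("alice", "bob", "agencyAdmin", now, now + timedelta(weeks=2))
    d2 = Delegation("bob", "carol", "agencyAdmin", now, now + timedelta(weeks=1), parent=d1)
    d3 = Delegation("carol", "dave", "agencyAdmin", now, now + timedelta(days=3), parent=d2)
    too_long = Delegation("alice", "bob", "agencyAdmin", now, now + timedelta(weeks=3))
    no_role = Delegation("alice", "eve", "agencyAdmin", now, now + timedelta(days=1))
    results = {name: validate_delegation(assigned, d, now)
               for name, d in [("d1", d1), ("d2", d2), ("d3", d3),
                               ("too_long", too_long), ("no_role", no_role)]}
    revoke(d1, [d1, d2, d3])                        # cascading revocation of the whole chain
    results["revoked"] = [d.is_revoked for d in (d1, d2, d3)]
    return results
```

In `demo()`, the chain alice → bob → carol is allowed (depth 2) while the third step to dave exceeds the maximum depth; a three-week delegation and a delegation to a user without role assistant are each rejected by the matching clause, and revoking the root delegation revokes the chain built on it.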
  • 66. [Figure: run-time system checked by a checking mechanism against the formalization of RBAC policies, built on an RBAC conceptual model; result: satisfied/violated.]
  • 67. [Figure: run-time system checked by a checking mechanism against the formalization of RBAC policies, obtained by template instantiation over the GemRBAC+CTX model (class diagram with User, Role, Permission, Object, Operation, Delegation, Session, RBACContext, TemporalContext, SpatialContext, History, RBACUtility, DelegationType; model instance); result: satisfied/violated.]
  • 68. [Figure: OCL constraints, obtained by template instantiation, are evaluated by the OCL checker on the GemRBAC+CTX model instance of the run-time system; result: satisfied/violated.]
  • 70. Performance on an Industrial System. RQ: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations? The access decision time within the authorization server is less than 64 ms.
  • 71. Performance on an Industrial System. The access decision time within the authorization server is less than 64 ms; average networking time = 1880 ms (E. Cecchet et al., 2011); access decision time < 4% of networking time. The access decision time in our approach is quite affordable in practice.
  • 72. Performance on an Industrial System. RQ: How long does the authorization server in MORRO take to process AC requests/events, when deployed on a real industrial system, under various AC configurations? The execution time for processing a notification of an AC event is less than 512 ms.
  • 73. Performance on an Industrial System. The execution time for processing a notification of an AC event is less than 512 ms; average think time = 7000 ms (TPC-W, 2001); execution time << average think time. The execution time in our approach is quite affordable in practice.
  • 75. Evaluation Settings. For each AC request, we measure the access decision time of the authorization server and of the proxy, when varying the configuration of the system.
  • 76. Evaluation Settings. For each AC event, we measure the execution time of the authorization server, when varying the configuration of the system.
  • 78. Tool Chain. [Figure: design time: Language Editor (GemRBAC-DSL) → Model Transformation GemRBAC-DSL to UML+OCL → OCL constraints and list of model changes; deployment time: Model Transformation UML to UML applied to the current GemRBAC+CTX model instance yields the model instance used at runtime by MORRO.]
  • 80. Evaluation Methodology: AC Event. [Figure: the two subjects: User authentication, User change location.]
  • 81. Evaluation Methodology: AC Event. [Figure: the two subjects (User authentication, User change location) against the configurations: basic configuration, precedence policy, time-based policy, location-based policy.]
  • 82. Evaluation Methodology: AC Event. [Figure: the two subjects (User authentication, User change location) against the configurations (basic configuration, precedence policy, time-based policy, location-based policy) and the parameter: # roles assigned to the authenticated user.]
  • 83. User Authentication. AC event = {Jim, s1, locuser}. Two scenarios: Jim’s location is known; Jim’s location is not known.