Model-Based Analysis of Role-Based Access Control

A talk I gave at the University of Kent in Canterbury on the 30th of October 2013, as part of their security group seminars.


  1. Model-Based Analysis of Role-Based Access Control. Lionel Montrieux <lionel.Montrieux@open.ac.uk>, The Open University, Milton Keynes, UK
  2. Contents • Introduction • Access Control • Model-Driven Engineering • RBAC with MDE • Modelling, Verification • Fixing Incorrect Models • Performance • Case Study • Future Work
  3. Introduction - About Me • PhD Dissertation: “Model-Based Analysis of Role-Based Access Control” • Supervisors: Charles B. Haley (retired), Yijun Yu, Michel Wermelinger • Examiners: Jon Whittle (Lancaster), Robin Laney (OU)
  4. Access Control
  5. Access Control in a Nutshell • Authentication • Authorisation • MAC • DAC • RBAC • ABAC • and many others
  6. Role-Based Access Control (RBAC) [Sandhu00]
  7. Model-Driven Engineering
  8. Model-Driven Engineering • “[…] the consideration of models as first-class entities. A model is an artefact that conforms to a metamodel and that represents a given aspect of a system” [Bézivin06] • Model-Driven Security Engineering [Fernandez-Medina09]
  9. RBAC Models
  10. UMLsec [Jürjens05, Montrieux09, Montrieux10]
  11. SecureUML [Basin09, Basin11]
  12. SecureUML (2)
  13. Our Solution(s)
  14. rbacDSML, rbacUML and rbacMDE • rbacDSML: one DSML, for RBAC only, using a UML profile • rbacMDE: one DSL, textual • rbacUML: one extension of UML, to integrate RBAC into the design • all three from the same domain meta-model
  15. rbacDSML, rbacUML and rbacMDE
  16. Domain Meta-Model in MOF
  17. 5 constraints • SSoD • DSoD • Activated roles have been assigned to the user • Granted scenarios • Forbidden scenarios
  18. A Sample Model • Students marks system • Professors and TAs can add marks for the courses they teach • Students can read their own marks
  19. rbacDSML Meta-Model, in MOF
  20. Sample rbacDSML Model: Everything on One Diagram
  21. rbacMDE - Sample Model
      user Doe {
        role Student;
        role TA;
      }
      user Wood {
        role TA;
      }
      user Smith {
        role Professor;
      }
      role Student {
        permission Access Marks;
        ssod Professor;
      }
      […]
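As an added example (not the talk's tool or the author's code), a small Python checker for the five constraints of slide 17 applied to the students-marks model of slides 18 and 21; the permissions other than "Access Marks", the DSoD pair, the sessions and the granted/forbidden scenarios are assumed for illustration. It also shows the two constraint shapes from slide 32 that matter here: "for all A, no B" (SSoD, DSoD, forbidden) and "for all A, exists B" (granted).

```python
# Added example, not the talk's tool: a checker for the five rbacDSML constraints
# (SSoD, DSoD, activated roles assigned, granted and forbidden scenarios) over the
# students-marks model. Permissions other than "Access Marks", the DSoD pair,
# the sessions and the scenarios are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class RbacModel:
    assigned: dict[str, set[str]]       # user -> roles assigned to the user
    permissions: dict[str, set[str]]    # role -> permissions granted to the role
    ssod: set[frozenset[str]]           # role pairs never assigned to the same user
    dsod: set[frozenset[str]]           # role pairs never active in the same session
    active: dict[str, set[str]] = field(default_factory=dict)     # user -> activated roles
    granted: set[tuple[str, str]] = field(default_factory=set)    # (user, permission) that must be reachable
    forbidden: set[tuple[str, str]] = field(default_factory=set)  # (user, permission) that must not be

    def reachable(self, user: str) -> set[str]:
        """Permissions the user can exercise through any of the assigned roles."""
        return set().union(*(self.permissions.get(r, set()) for r in self.assigned.get(user, set())))

    def check(self) -> list[str]:
        """One message per violated constraint; an empty list means the model is correct."""
        errors = []
        for user, roles in self.assigned.items():
            # SSoD is a "for all A, no B" constraint: no user holds both roles of a pair
            errors += [f"SSoD: {user} assigned {sorted(p)}" for p in self.ssod if p <= roles]
        for user, roles in self.active.items():
            errors += [f"DSoD: {user} activated {sorted(p)}" for p in self.dsod if p <= roles]
            # every activated role must have been assigned to that user
            errors += [f"activation: {user} activated unassigned {r}"
                       for r in sorted(roles - self.assigned.get(user, set()))]
        # granted scenarios are "for all A, exists B": some assigned role must carry the permission
        errors += [f"granted: {u} cannot {p}" for u, p in sorted(self.granted) if p not in self.reachable(u)]
        errors += [f"forbidden: {u} can {p}" for u, p in sorted(self.forbidden) if p in self.reachable(u)]
        return errors


def sample_model() -> RbacModel:
    """The students-marks model of slide 21: Doe is Student and TA, Wood a TA, Smith a Professor."""
    return RbacModel(
        assigned={"Doe": {"Student", "TA"}, "Wood": {"TA"}, "Smith": {"Professor"}},
        permissions={"Student": {"Access Marks"}, "TA": {"Add Marks"}, "Professor": {"Add Marks"}},
        ssod={frozenset({"Student", "Professor"})},   # "ssod Professor" in role Student
        dsod={frozenset({"Student", "TA"})},          # constructed: Doe cannot act as Student and TA at once
        active={"Doe": {"TA"}, "Smith": {"Professor"}},
        granted={("Doe", "Access Marks"), ("Smith", "Add Marks")},
        forbidden={("Wood", "Access Marks")},         # a TA who is not a student must not read marks
    )
```

`sample_model().check()` returns an empty list; assigning Smith the Student role as well yields a single SSoD error, which is the kind of violation the fixing step of slides 30 to 33 has to repair.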
  22. rbacUML Meta-Model, in MOF
  23. Sample rbacUML Model: Access Control Diagram
  24. Sample rbacUML Model (2): Class Diagram
  25. Sample rbacUML Model (3): Sequence Diagram
  26. Sample rbacUML Model (4): Activity Diagram
  27. OCL Constraints Categories • Well-formedness • Verification • Satisfiability • Completeness • Coverage • Redundancy
  28. OCL Evaluation Order: Selective evaluation
  29. Demo
  30. Fixing rbacDSML Models: When errors are found
  31. Overview: How it works
  32. Classification of OCL Constraints • ∀A: ∃B • ∀A: ∄B • ∃A: ∄B
  33. How are Solutions Generated • Fixing individual errors: completeness, correctness • Combining them to fix the whole model: “keep” profile, heuristics for building the graph, completeness, correctness
  34. Demo
  35. The Tool • Plugins for IBM Rational Software Architect 8.0 • EPL licence • Available on GitHub (contributions are very welcome) • rbacUML and rbacDSML modelling and verification • rbacDSML fixing • rbacMDE in progress (using Xtext)
  36. Performance
  37. rbacUML Evaluation Time: Time vs. model size [chart: x axis model size (elements + associations), 0 to 9000; y axis time (seconds), 0 to 250; one series per constraint category: well-formedness, verification, satisfiability, completeness, coverage, redundancy, and their sum]
  38. rbacUML - selective evaluation [three charts, for Correct, Malformed and Incorrect models: time (seconds) vs. model size (elements + associations), 2000 to 8000, comparing full evaluation with lazy (selective) evaluation]
  39. Chiselapp: GitHub for the Fossil DVCS
  40. Chiselapp • Created both rbacUML and rbacDSML models • PHP_UML to extract a class diagram, grep and manual inspection for the rest • We found a bug • … but the maintainer insists that it’s a feature
  41. Chiselapp rbacDSML model
  42. Future Work
  43. Future Work • Nobody “really” uses UML [Petre13] • Adaptation • Performance improvements [Egyed07, Egyed11, Reder13] • ABAC • Bidirectional graph transformations [Hidaka10]
  44. Thank you. Any questions? The tool: http://computing-research.open.ac.uk/rbac/ My dissertation: http://oro.open.ac.uk/28672/
  45. References • [Basin09] Basin, D.; Clavel, M.; Doser, J. & Egea, M. Automated analysis of security-design models. Information and Software Technology, 2009, 51, 815-831 • [Basin11] Basin, D.; Clavel, M. & Egea, M. A decade of model-driven security. Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, ACM, 2011, 1-10 • [Bézivin06] Bézivin, J. Model Driven Engineering: An Emerging Technical Space. Generative and Transformational Techniques in Software Engineering, 2006, 36-64 • [Egyed07] Egyed, A. Fixing Inconsistencies in UML Design Models. ICSE '07: Proceedings of the 29th International Conference on Software Engineering, IEEE Computer Society, 2007, 292-301 • [Egyed11] Egyed, A. Automatically Detecting and Tracking Inconsistencies in Software Design Models. IEEE Transactions on Software Engineering, 2011, 37, 188-204 • [Fernandez-Medina09] Fernández-Medina, E.; Jürjens, J.; Trujillo, J. & Jajodia, S. Model-Driven Development for secure information systems. Information and Software Technology, 2009, 51, 809-814
  46. References (2) • [Hidaka10] Hidaka, S.; Hu, Z.; Inaba, K.; Kato, H.; Matsuda, K. & Nakano, K. Bidirectionalizing graph transformations. Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming, ACM, 2010, 205-216 • [Jürjens05] Jürjens, J.; Lehrhuber, M. & Wimmel, G. Model-Based Design and Analysis of Permission-Based Security. Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, IEEE Computer Society, 2005, 224-233 • [Montrieux09] Montrieux, L. Implementation of Access Control using Aspect-Oriented Programming. University of Namur, 2009 • [Montrieux10] Montrieux, L.; Jürjens, J.; Haley, C. B.; Yu, Y.; Schobbens, P.-Y. & Toussaint, H. Tool support for code generation from a UMLsec property. Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ACM, 2010, 357-358
  47. References (3) • [Montrieux11] Montrieux, L.; Wermelinger, M. & Yu, Y. Tool support for UML-based specification and verification of role-based access control properties. ESEC/FSE: Proceedings of the SIGSOFT Symposium and European Conference on Foundations of Software Engineering, ACM, 2011, 456-459 • [Petre13] Petre, M. UML in practice. 35th International Conference on Software Engineering (ICSE 2013), 2013 • [Reder13] Reder, A. & Egyed, A. Determining the Cause of a Design Model Inconsistency. IEEE Transactions on Software Engineering, 2013, 1-1 • [Sandhu00] Sandhu, R.; Ferraiolo, D. & Kuhn, R. The NIST model for role-based access control: towards a unified standard. Proceedings of the Fifth ACM Workshop on Role-Based Access Control, ACM, 2000, 47-63
  48. Picture Credits • LHC by UK Dept. for Business, Innovation and Skills (by-nd) • Newton’s tree by Bob Franklin (by-nc-nd) • Robot by Yo Mostro (by-nc-nd) • Giant wrenches by Lars Hammar (by-nc-sa) • Speedometer by Don Melanson (by-nc-sa) • Case study by Binuri Ranashinghe (by-nc-nd) • Holy Grail drawings by Jessica Hardaway (with permission) • SecureUML models from [Basin09]
