Challenges in Model-Based Evolution of Access Control Properties

Slides of talk at Int'l Workshop on Principles of Software Evolution (IWPSE) 2011. Paper at http://oro.open.ac.uk/29084


  1. Challenges in Model-Based Evolution and Merging of Access Control Properties
     L. Montrieux, M. Wermelinger, Y. Yu. Computing Department, The Open University, UK. IWPSE 2011.
  2. Model-Driven Engineering (MDE)
     - Model-centric approach to software development
     - OMG's Model-Driven Architecture: UML, OCL, …
     - Model-Driven Security Engineering (MDSE):
       - integrates security into MDE
       - most approaches do not support evolution
       - UMLsec [Jürjens] restricts the allowed changes
  3. Modelling RBAC in UML
     - Role-Based Access Control: an influential standard
     - Extension of the UML metamodel
     - Using stereotypes and associations
     - OCL rules for consistency and verification
     - 3 diagrams: Access Control, Class, Activity
     - Anti-scenarios
  4. Modelling RBAC in Rational
  5. Tool demo: Tool Support for UML-based Specification and Verification of Role-Based Access Control Properties
     - Thu. Sept. 8, Congress Hall, 16:00 – 17:30
     - Fri. Sept. 9, Exhibition Area, 14:30 – 15:30
  6. Incremental consistency checking
     - Verifying OCL rules only if they are potentially affected by a change [Egyed]
     - Pairwise verification of XML documents [Nentwich], including the XMI representation of a UML model
     - Detecting which rules to check using Prolog [Blanc]
  7. … for Access Control
     - Domain knowledge: importance of the security context
     - Complex rules could be broken down into smaller ones, since access control involves several model elements
     - Not all changes need re-verification (rule dependencies):
       - e.g. adding a role won't reduce a user's permissions
       - e.g. if a user has no roles, don't verify their permissions
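To make the rule-dependency idea on this slide concrete, here is an added example (not the authors' tool, and not code from the paper): a small RBAC model with four consistency rules written as Python functions standing in for OCL rules, a table of which model-element kinds each rule reads, and a checker that re-evaluates only the rules a change can affect, scoped to the users it can touch. The model, the rule names and the change kinds are assumptions of this example; the two refinements from the slide (an addition never reduces a user's permissions, a user without roles needs no permission check) are encoded in the rule table and in the SoD rule.

```python
"""Change-aware (incremental) consistency checking of a small RBAC model.
Added example, not the authors' tool: model, rule table and dependency
bookkeeping are hypothetical stand-ins for OCL rules over a UML model."""
from dataclasses import dataclass, field


@dataclass
class RbacModel:
    roles: dict[str, set[str]]        # role -> permissions it grants
    users: dict[str, set[str]]        # user -> assigned roles
    perm_method: dict[str, str]       # permission -> protected method it allows
    protected: set[str]               # methods that must be guarded by a permission
    required: dict[str, set[str]] = field(default_factory=dict)  # user -> methods they must keep
    sod: set[frozenset] = field(default_factory=set)             # mutually exclusive role pairs

    def user_methods(self, user: str) -> set[str]:
        """Methods a user can call through any of their roles."""
        return {self.perm_method[p] for r in self.users.get(user, set())
                for p in self.roles.get(r, set())}


@dataclass(frozen=True)
class Change:
    op: str           # "add" or "remove"
    kind: str         # "role", "user_role", "role_perm", "protected" or "sod"
    subject: str      # role, user, method, or first role of an SoD pair
    obj: str = ""     # role (user_role), permission (role_perm), second role (sod)


def _toggle(s: set, item, add: bool) -> None:
    (s.add if add else s.discard)(item)


def apply_change(m: RbacModel, c: Change) -> None:
    """Apply one atomic edit to the model in place."""
    add = c.op == "add"
    if c.kind == "role":
        if add:
            m.roles.setdefault(c.subject, set())
        else:
            m.roles.pop(c.subject, None)
            for rs in m.users.values():
                rs.discard(c.subject)
    elif c.kind in ("user_role", "role_perm"):
        table = m.users if c.kind == "user_role" else m.roles
        _toggle(table.setdefault(c.subject, set()), c.obj, add)
    elif c.kind == "protected":
        _toggle(m.protected, c.subject, add)
    elif c.kind == "sod":
        _toggle(m.sod, frozenset((c.subject, c.obj)), add)
    else:
        raise ValueError(f"unknown change kind {c.kind!r}")


# Rule checkers take the model plus the users in scope and return the violating elements.
def protected_covered(m, scope):
    return sorted(m.protected - set(m.perm_method.values()))
def roles_nonempty(m, scope):
    return sorted(r for r, ps in m.roles.items() if not ps)
def separation_of_duty(m, scope):
    # A user without roles cannot break SoD, so no permission check is run for them.
    return sorted(u for u in scope if m.users.get(u) and any(p <= m.users[u] for p in m.sod))
def required_access(m, scope):
    return sorted(u for u in scope if not m.required.get(u, set()) <= m.user_methods(u))

# name -> (checker, element kinds the rule reads, can an "add" of such a kind break it?)
RULES = {
    "protected_covered": (protected_covered, {"protected"}, True),
    "roles_nonempty": (roles_nonempty, {"role", "role_perm"}, True),
    "separation_of_duty": (separation_of_duty, {"user_role", "sod"}, True),
    # Granting a role, an assignment or a permission never takes a method away.
    "required_access": (required_access, {"role", "user_role", "role_perm"}, False),
}


def select_rules(c: Change) -> list[str]:
    """Rules whose inputs the change touches, minus those an addition cannot break."""
    return [name for name, (_, deps, add_can_break) in RULES.items()
            if c.kind in deps and (c.op == "remove" or add_can_break)]


def scope_users(m: RbacModel, c: Change) -> set[str]:
    """Users whose permissions the change can alter (computed before applying it)."""
    if c.kind == "user_role":
        return {c.subject}
    if c.kind in ("role", "role_perm"):
        return {u for u, rs in m.users.items() if c.subject in rs}
    return set(m.users)


def check_incremental(m: RbacModel, c: Change) -> dict[str, list[str]]:
    """Apply the change, then evaluate only the rules it can have affected."""
    scope = scope_users(m, c)
    apply_change(m, c)
    return {name: RULES[name][0](m, scope) for name in select_rules(c)}


def sample_model() -> RbacModel:
    # Constructed sample: an account service with three protected methods.
    return RbacModel(
        roles={"clerk": {"p_read"}, "auditor": {"p_audit"}, "admin": {"p_read", "p_write"}},
        users={"alice": {"clerk"}, "bob": {"auditor"}},
        perm_method={"p_read": "Account.read", "p_write": "Account.write", "p_audit": "Account.audit"},
        protected={"Account.read", "Account.write", "Account.audit"},
        required={"alice": {"Account.read"}},
        sod={frozenset({"clerk", "auditor"})},
    )
```

Adding the empty role `intern` runs only `roles_nonempty`; assigning `auditor` to `alice` runs only the SoD rule for `alice`; removing `clerk` from `alice` runs the SoD rule (vacuous, she has no roles left) and the required-access rule, which now fails. The dependency table is deliberately conservative: a rule is skipped only when the change kind cannot reach it or when the change is an addition the rule is monotone under.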
  8. Resolution of inconsistency violations
     - Suggested fixes should be correct and complete
     - Correctness guaranteed [Mens, Egyed, Nentwich]
     - Completeness restricted [Mens, Egyed, Nentwich]:
       - atomic changes only
       - no introduction of new elements
  9. … for Access Control
     - The security level cannot be lowered
     - Ordering of candidate solutions: the smallest change (e.g. delete role) is not always the best
     - Addition of new elements, e.g. protection of a method, creation of a new role
     - Completeness: (bounded) transactions of changes, e.g. create role, assign permissions & users
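An added example (not the authors' tool) of the security-focused ordering described on slides 8 and 9: for a user who must call a protected method but holds no permission for it, three kinds of fix are generated, including one that creates a new element (a dedicated role, a transaction of three atomic changes). Each candidate is checked for correctness on a model copy, rejected if it lowers the security level (unprotecting the method) or exceeds a transaction bound, and the rest are ordered by the excess access they grant before transaction size, so the smallest change does not win by default. The model, the role-naming scheme and the scoring key are assumptions of this example.

```python
"""Security-aware ranking of candidate fixes for an access control violation.
Added example, not the authors' tool. The model, the violation ("user must be
able to call a protected method but holds no permission for it") and the fix
strategies are constructed; the ranking key (lowers security? excess access?
transaction size) is a hypothetical reading of the ordering criteria."""
import copy
from dataclasses import dataclass
from typing import Callable


@dataclass
class Model:
    roles: dict[str, set[str]]   # role -> permissions
    users: dict[str, set[str]]   # user -> roles
    perm_method: dict[str, str]  # permission -> method it allows
    protected: set[str]          # methods that require a permission

    def methods_of(self, user: str) -> set[str]:
        return {self.perm_method[p] for r in self.users.get(user, set())
                for p in self.roles.get(r, set())}

    def grants(self) -> set[tuple[str, str]]:
        """Every (user, method) pair reachable through some role."""
        return {(u, meth) for u in self.users for meth in self.methods_of(u)}


@dataclass
class Fix:
    label: str
    n_changes: int                  # atomic model changes in this transaction
    apply: Callable[[Model], None]  # performs the transaction on a model copy


def fixes_for_missing_access(m: Model, user: str, method: str) -> list[Fix]:
    """Enumerate transactions that make `method` callable by `user`."""
    fixes = []
    # 1. Drop the protection: one change, but it resolves the rule by lowering security.
    fixes.append(Fix(f"unprotect {method}", 1, lambda x: x.protected.discard(method)))
    # 2. Assign an existing role that already grants the method (may over-grant).
    for role, ps in sorted(m.roles.items()):
        if method in {m.perm_method[p] for p in ps}:
            fixes.append(Fix(f"assign existing role {role}", 1,
                             lambda x, role=role: x.users.setdefault(user, set()).add(role)))
    # 3. Create a dedicated role: new role + permission + assignment (three changes).
    perm = next((p for p, meth in m.perm_method.items() if meth == method), None)
    if perm is not None:
        new_role = f"{user}_{perm}"  # hypothetical naming scheme for generated roles

        def create_role(x: Model) -> None:
            x.roles[new_role] = {perm}
            x.users.setdefault(user, set()).add(new_role)
        fixes.append(Fix(f"create role {new_role}", 3, create_role))
    return fixes


def rank_fixes(m: Model, user: str, method: str, bound: int = 3) -> tuple[list[str], list[str]]:
    """Return (ranked acceptable fixes, rejected fixes).

    A candidate is rejected when it lowers the security level (a method loses its
    protection) or exceeds the transaction bound; the rest are ordered by the
    excess access they grant first and by transaction size second."""
    ranked, rejected = [], []
    for f in fixes_for_missing_access(m, user, method):
        x = copy.deepcopy(m)
        f.apply(x)
        # Correctness: every candidate must actually resolve the violation.
        assert method not in x.protected or method in x.methods_of(user), f.label
        lowers_security = bool(m.protected - x.protected)
        excess = len(x.grants() - m.grants() - {(user, method)})
        if lowers_security or f.n_changes > bound:
            rejected.append(f.label)
        else:
            ranked.append((excess, f.n_changes, f.label))
    return [label for _, _, label in sorted(ranked)], rejected


def sample_model() -> Model:
    # Constructed sample: dave needs Account.read but holds no role at all.
    return Model(
        roles={"clerk": {"p_read"}, "admin": {"p_read", "p_write"}, "auditor": {"p_audit"}},
        users={"alice": {"clerk"}, "bob": {"auditor"}, "dave": set()},
        perm_method={"p_read": "Account.read", "p_write": "Account.write", "p_audit": "Account.audit"},
        protected={"Account.read", "Account.write", "Account.audit"},
    )
```

On the sample, `rank_fixes(sample_model(), "dave", "Account.read")` rejects the one-change fix that unprotects the method, and ranks the three-change "create a dedicated role" transaction above the one-change "assign admin" fix because the latter also hands `dave` write access. Lowering the bound to 2 drops the dedicated-role transaction from the candidate set, which is the bounded-completeness trade-off the slide names.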
  10. Model Merging
     - Merging approaches [Mens]:
       - two- or three-way (common ancestor)
       - textual, syntactic, semantic, structural
     - Structural (behaviour-preserving) merging may require user input
     - Most model merging approaches are three-way
  11. … for Access Control
     - Two-way, structural merging needed
     - Differences and similarities in configurations, e.g. same role name, different permissions & vice versa
     - Conflicting security requirements, e.g. taking the union of permissions lowers the security level
     - Merge the access control model before the functional model?
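An added example (not the authors' tool) of the two-way, structural merge this slide calls for: two constructed RBAC configurations without a common ancestor are merged role by role and user by user. Roles with the same name but different permissions, and roles with the same permission set under different names (a likely rename), are reported as conflicts for a human decision, and the merge policy is explicit, because taking unions lets every access either branch grants survive. The "security level" proxy used below, the number of (user, method) accesses a configuration grants, is an assumption of this example.

```python
"""Two-way structural merge of two RBAC configurations with conflict reporting.
Added example, not the authors' tool. Both configurations are constructed; the
security-level proxy (number of (user, method) accesses granted, fewer being
stricter) is an assumption of this example."""
from dataclasses import dataclass

Roles = dict[str, set[str]]   # role -> permissions
Users = dict[str, set[str]]   # user -> roles


@dataclass
class Config:
    roles: Roles
    users: Users
    perm_method: dict[str, str]   # permission -> method it allows


def granted(cfg: Config) -> set[tuple[str, str]]:
    """All (user, method) accesses the configuration grants."""
    return {(u, cfg.perm_method[p]) for u, rs in cfg.users.items()
            for r in rs for p in cfg.roles.get(r, set())}


def role_similarities(a: Roles, b: Roles) -> list[tuple]:
    """Roles sharing a name but not permissions, and roles sharing a permission
    set under different names (likely renames)."""
    notes = []
    for name in sorted(set(a) & set(b)):
        if a[name] != b[name]:
            notes.append(("same_name_different_perms", name, sorted(a[name] ^ b[name])))
    by_perms = {frozenset(ps): n for n, ps in a.items()}
    for name_b, ps in sorted(b.items()):
        name_a = by_perms.get(frozenset(ps))
        if name_a is not None and name_a != name_b:
            notes.append(("same_perms_different_name", name_a, name_b))
    return notes


def merge(a: Config, b: Config, policy: str = "restrictive") -> tuple[Config, list[tuple]]:
    """Two-way merge without a common ancestor.

    Elements present on one side only are taken as they are. Where both sides
    define the same role or user differently, "permissive" takes the union (every
    access either side grants survives, so the security level drops) and
    "restrictive" keeps only what both sides agree on; either way the
    disagreement is reported so a human can decide."""
    if policy not in ("restrictive", "permissive"):
        raise ValueError(f"unknown policy {policy!r}")
    combine = set.intersection if policy == "restrictive" else set.union
    conflicts = role_similarities(a.roles, b.roles)

    def merge_map(ma: dict, mb: dict, kind: str) -> dict:
        out = {}
        for key in sorted(set(ma) | set(mb)):
            if key in ma and key in mb:
                if ma[key] != mb[key] and kind == "user":   # role disagreements already reported
                    conflicts.append(("same_user_different_roles", key, sorted(ma[key] ^ mb[key])))
                out[key] = combine(ma[key], mb[key])
            else:
                out[key] = set((ma if key in ma else mb)[key])
        return out

    perm_method = dict(a.perm_method)
    for p, meth in b.perm_method.items():
        if perm_method.setdefault(p, meth) != meth:
            conflicts.append(("same_permission_different_method", p, sorted({perm_method[p], meth})))
    merged = Config(merge_map(a.roles, b.roles, "role"), merge_map(a.users, b.users, "user"), perm_method)
    return merged, conflicts


def sample_configs() -> tuple[Config, Config]:
    # Constructed: branch b extended "clerk" with write access and renamed "auditor" to "reviewer".
    pm = {"p_read": "Account.read", "p_write": "Account.write", "p_audit": "Account.audit"}
    a = Config(roles={"clerk": {"p_read"}, "auditor": {"p_audit"}},
               users={"alice": {"clerk"}, "bob": {"auditor"}}, perm_method=dict(pm))
    b = Config(roles={"clerk": {"p_read", "p_write"}, "reviewer": {"p_audit"}},
               users={"alice": {"clerk"}, "bob": {"reviewer"}, "carol": {"clerk"}}, perm_method=dict(pm))
    return a, b
```

On the sample, `merge(a, b)` reports three conflicts (`clerk` differs in `p_write`, `auditor` and `reviewer` carry the same permissions, `bob` holds different roles on each side) and, under the restrictive policy, leaves `bob` with no role at all, which is exactly the kind of outcome a human must look at; the permissive policy instead grants five (user, method) accesses against the two that branch a granted, which is the lowered security level the slide warns about.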
  12. Challenges
     - For violation detection: smart rule checking
     - For violation resolution:
       - security-aware correctness
       - security-focused ordering
       - security impact visualisation
       - bounded completeness of transactional resolutions
       - flexible strategies with element creation
     - For merging: detection of role/permission similarities
  13. Conclusions
     - Existing general MDE evolution approaches are not enough
     - A list of access-control-specific evolution & merging challenges
     - A community agenda
     - Our own next step: smart rule checking
