1. A framework for security assurance of access control enforcement code
- Author
- Pavlich-Mariscal, Jaime A., Demurjian, Steven A., and Michel, Laurent D.
- Abstract
- Modeling of access control policies, along with their implementation in code, must be an integral part of the software development process, to ensure that the proper level of security in an application is attained. Previous work of the authors in this area yielded a framework that incorporates access control at the design and code levels, through a set of new extensions to UML and a set of approaches to enforce access control in an application. An essential property of the code that has not been addressed by that framework is security assurance, which, in the context of this research, means ensuring that the application code behaves consistently with the access control policy. This paper proposes a security assurance mechanism that formalizes the application behavior using labeled transition systems and structural operational semantics. Simulation relations are used to demonstrate the correctness of the access control code with respect to the design. To validate the approach, this paper proves the correctness of two access control enforcement mechanisms that are part of our case study: a basic approach to implementing access control in code and an aspect-oriented approach.
- Byline: Jaime A. Pavlich-Mariscal (a), Steven A. Demurjian (b), Laurent D. Michel (b)
- Author Affiliation: (a) Departamento de Ingenieria de Sistemas y Computacion, Universidad Catolica del Norte, Angamos 0610, Antofagasta, Chile; (b) Department of Computer Science and Engineering, The University of Connecticut, Unit-2155, 371 Fairfield Road, Storrs, CT 06269-2155, USA
- Article History: Received 26 January 2010; Revised 3 March 2010; Accepted 26 March 2010
- Full text: http://dx.doi.org/10.1016/j.cose.2010.03.004
- Published
- 2010