Skip to main content
SpringerLink
Log in

Putting the Pieces Together: Model-Based Engineering Workflows for Attribute-Based Access Control Policies

  • Conference paper
  • First Online:
E-Business and Telecommunications (ICETE 2021)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1795))

Included in the following conference series:

Abstract

Although being well-adopted and in widespread use, attribute-based access control (ABAC) remains a hard-to-master security paradigm in application software development. Despite considerable research towards ABAC policy engineering and ABAC policy correctness, this mainly is because there is still no unified workflow to encompass both the versatility of application domains and the strong guarantees promised by formal modeling methods. This work contributes to improving this situation. By presenting a flexible, yet highly formalized modeling scheme for designing and analyzing ABAC policies (DABAC), a reference implementation in Rust (dabac-rs), and a reference architecture for its integration into applications (AppSPEAR) including developer support (appspear-rs), we put together loose pieces of a tool-supported model-based security engineering workflow. The effectiveness of our approach is demonstrated based on a real-world engineering scenario.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    \(\varPhi \) denotes the set of expressions in first-order logic.

  2. 2.

    For DABAC, we assume these might consist of predicate logic and attribute value enumerations, which might be further restricted by a policy specification language.

  3. 3.

    Ongoing work, available as a Rust crate: https://crates.io/crates/dabac-rs.

  4. 4.

    Due to semantic overloading with the Rust lifetime static, we refrain from using the automaton-related term static in this section.

  5. 5.

    At mild boilerplate costs, this last issue can be resolved through explicit type wrapping (newtype pattern) [25, pp. 437–438].

  6. 6.

    Since the TEP is typically only isolated lightly (cf. [36]), the explicit consideration of the TEP will not be discussed further in this paper.

  7. 7.

    “Command” is an equivalent term to “STS operation” and is used to not to have overload with other “operations” such as on TOM-controlled objects.

  8. 8.

    In practice, there might be devices such as ICU bedside monitors which allow both to monitor (“fetch”) real-time patient data and to store (“push”) history records from newly arrived patients. These could be modeled by a common identifier, both in \( Sen \) and in \( Act \). However, for the sake of simplicity, we assume \( Sen \cap Act = \emptyset \).

  9. 9.

    One might argue that a patient should be allowed to read her own EHR at any time. This could be easily achieved by just removing the \( auth _\textrm{read}\) authorization clause in PRE. Note that this relaxation cannot be made for appendToEHR.

References

  1. Dacquiri: An authorization framework with compile-time enforcement (2022). https://github.com/resyncgg/dacquiri

  2. Ahmed, T., Sandhu, R.: Safety of ABAC\(_\alpha \) Is decidable. In: NSS 2017 (2017)

    Google Scholar 

  3. Amthor, P.: Efficient heuristic safety analysis of core-based security policies. In: SECRYPT 2017 (2017)

    Google Scholar 

  4. Amthor, P.: Aspect-oriented Security Engineering. Cuvillier Verlag (2019). ISBN 978-3-7369-9980-0

    Google Scholar 

  5. Amthor, P., Kühnhauser, W.E., Pölck, A.: Heuristic safety analysis of access control models. In: SACMAT 2013 (2013)

    Google Scholar 

  6. Amthor, P., Kühnhauser, W.E., Pölck, A.: WorSE: a workbench for model-based security engineering. Elsevier COSE 42 (2014)

    Google Scholar 

  7. Amthor, P., Rabe, M.: Command dependencies in heuristic safety analysis of access control models. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds.) FPS 2019. LNCS, vol. 12056, pp. 207–224. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45371-8_13

    Chapter  Google Scholar 

  8. Amthor, P., Schlegel, M.: Towards language support for model-based security policy engineering. In: SECRYPT 2020 (2020)

    Google Scholar 

  9. Anderson, J.P.: Computer security technology planning study. Tech. Rep. ESD-TR-73-51, vol. II (1972)

    Google Scholar 

  10. Apache Software Foundation: Apache Shiro (2022). https://shiro.apache.org

  11. Barker, S.: The next 700 access control models or a unifying meta-model? In: SACMAT 2009 (2009)

    Google Scholar 

  12. Basin, D., Clavel, M., Egea, M.: A decade of model-driven security. In: SACMAT 2011 (2011)

    Google Scholar 

  13. Bertolissi, C., Fernández, M., Thuraisingham, B.: Admin-CBAC: an administration model for category-based access control. In: CODASPY 2020 (2020)

    Google Scholar 

  14. Bhatt, S., Sandhu, R.: ABAC-CC: attribute-based access control and communication control for internet of things. In: SACMAT 2020 (2020)

    Google Scholar 

  15. Biswas, P., Sandhu, R., Krishnan, R.: Label-based access control: an ABAC model with enumerated authorization policy. In: ABAC 2016 (2016)

    Google Scholar 

  16. Casbin Organization: Casbin (2022). https://casbin.org

  17. Fernández, M., Mackie, I., Thuraisingham, B.: Specification and analysis of ABAC policies via the category-based metamodel. In: CODASPY 2019 (2019)

    Google Scholar 

  18. Ferraiolo, D., Chandramouli, R., Kuhn, R., et al.: Extensible access control markup language (XACML) and next generation access control (NGAC). In: ABAC 2016 (2016)

    Google Scholar 

  19. Gupta, M., M. Awaysheh, F., Benson, J., et al.: An attribute-based access control for cloud-enabled industrial smart vehicles. TII 17(6), 4288-4297 (2020)

    Google Scholar 

  20. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in Operating Systems. Comm. ACM 19(8) (1976)

    Google Scholar 

  21. Hu, V.C., Ferraiolo, D., Kuhn, R., et al.: Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication, pp. 800–162 (2014)

    Google Scholar 

  22. Intel Corp.: Intel®SGX. https://software.intel.com/en-us/sgx (2022)

  23. Jha, S., Sural, S., Atluri, V., et al.: Security analysis of ABAC under an administrative model. IET Inf. Secur. 13(2), 96–103 (2019)

    Google Scholar 

  24. Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_4

    Chapter  Google Scholar 

  25. Klabnik, S., Nichols, C.: The Rust Programming Language. No Starch Press (2018)

    Google Scholar 

  26. Lang, B., Foster, I.T., Siebenlist, F., et al.: A flexible attribute based access control method for grid computing. J. Grid Comput. 7(2), 169–180 (2009)

    Google Scholar 

  27. Matsakis, N.D., Klock, F.S.: The Rust language. In: HILT 2014 (2014)

    Google Scholar 

  28. Mukherjee, S., Ray, I., Ray, I., et al.: Attribute based access control for healthcare resources. In: ABAC 2017 (2017)

    Google Scholar 

  29. Narouei, M., Khanpour, H., Takabi, H., et al.: Towards a top-down policy engineering framework for attribute-based access control. In: SACMAT 2017 (2017)

    Google Scholar 

  30. Oso Security Inc: Oso (2022). https://www.osohq.com

  31. Oso Security Inc: Polar Language Reference (2022). https://docs.osohq.com/rust/reference/polar.html

  32. Ray, I., Alangot, B., Nair, S., et al.: Using attribute-based access control for remote healthcare monitoring. In: SDS 2017 (2017)

    Google Scholar 

  33. Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 Model for Role-based Administration of Roles. TISSEC 2(1) (1999)

    Google Scholar 

  34. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., et al.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996)

    Google Scholar 

  35. Schlegel, M.: Poster: Shielding AppSPEAR - enhancing memory safety for trusted application-level security policy enforcement. In: SACMAT 2021 (2021)

    Google Scholar 

  36. Schlegel, M.: Trusted enforcement of application-specific security policies. In: SECRYPT 2021 (2021)

    Google Scholar 

  37. Schlegel, M., Amthor, P.: Beyond administration: a modeling scheme supporting the dynamic analysis of role-based access control policies. In: SECRYPT 2020 (2020)

    Google Scholar 

  38. Schlegel, M., Amthor, P.: The missing piece of the ABAC puzzle: a modeling scheme for dynamic analysis. In: SECRYPT 2021 (2021)

    Google Scholar 

  39. Schlegel, M., Kühnhauser, W.: Exploiting hot spots in heuristic safety analysis of dynamic access control models. In: SECRYPT 2020 (2020)

    Google Scholar 

  40. Singh, M.P., Sural, S., Atluri, V., et al.: Security analysis of unified access control policies. In: SKM 2019 (2020)

    Google Scholar 

  41. Stoller, S.D., Yang, P., Gofman, M., et al.: Symbolic reachability analysis for parameterized administrative role based access control. In: SACMAT 2009 (2009)

    Google Scholar 

  42. Tripunitara, M.V., Li, N.: A theory for comparing the expressive power of access control models. J. Comput. Secur. 15(2), 231–272 (2007)

    Google Scholar 

  43. Tripunitara, M.V., Li, N.: The Foundational Work of Harrison-Ruzzo-Ullman Revisited. TDSC 10(1), 28–39 (2013)

    Google Scholar 

  44. De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Bhalla, S. (ed.) DNIS 2005. LNCS, vol. 3433, pp. 225–237. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31970-2_18

    Chapter  Google Scholar 

  45. VMware Inc: Spring Security (2022). https://spring.io/projects/spring-security

  46. Watson, R.N.M.: A decade of OS access-control extensibility. Queue 11(1) (2013)

    Google Scholar 

  47. Xu, Z., Stoller, S.D.: Mining attribute-based access control policies. TDSC 12(5) (2015)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. TU Ilmenau, Ilmenau, Germany

    Marius Schlegel & Peter Amthor

Authors
  1. Marius Schlegel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Peter Amthor
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marius Schlegel .

Editor information

Editors and Affiliations

  1. Università degli Studi di Milano, Milan, Italy

    Pierangela Samarati

  2. University of Twente, Enschede, The Netherlands

    Marten van Sinderen

  3. Università degli Studi di Milano, Milan, Italy

    Sabrina De Capitani di Vimercati

  4. University of Twente, Enschede, The Netherlands

    Fons Wijnhoven

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Schlegel, M., Amthor, P. (2023). Putting the Pieces Together: Model-Based Engineering Workflows for Attribute-Based Access Control Policies. In: Samarati, P., van Sinderen, M., Vimercati, S.D.C.d., Wijnhoven, F. (eds) E-Business and Telecommunications. ICETE 2021. Communications in Computer and Information Science, vol 1795. Springer, Cham. https://doi.org/10.1007/978-3-031-36840-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-36840-0_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36839-4

  • Online ISBN: 978-3-031-36840-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation