A rigorous framework for specification, analysis and enforcement of access control policies
A rigorous framework for specification, analysis and enforcement of access control policies
Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the access to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automated verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, such as missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse-based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.
2-33
Margheri, Andrea
4b87c32d-3eaf-445e-8ac0-8207daace2e1
Masi, Massimiliano
907af659-20a2-49be-8561-27247cd073e8
Pugliese, Rosario
9de75828-b242-47ac-910f-50b83d101d3f
Tiezzi, Francesco
8b0781ff-17bc-46f5-8908-00dce441770e
January 2019
Margheri, Andrea
4b87c32d-3eaf-445e-8ac0-8207daace2e1
Masi, Massimiliano
907af659-20a2-49be-8561-27247cd073e8
Pugliese, Rosario
9de75828-b242-47ac-910f-50b83d101d3f
Tiezzi, Francesco
8b0781ff-17bc-46f5-8908-00dce441770e
Margheri, Andrea, Masi, Massimiliano, Pugliese, Rosario and Tiezzi, Francesco
(2019)
A rigorous framework for specification, analysis and enforcement of access control policies.
IEEE Transactions on Software Engineering, 45 (1), .
(doi:10.1109/TSE.2017.2765640).
Abstract
Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the access to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automated verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, such as missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse-based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.
Text
facpl_journal
- Accepted Manuscript
More information
Accepted/In Press date: 24 September 2017
e-pub ahead of print date: 24 October 2017
Published date: January 2019
Identifiers
Local EPrints ID: 415111
URI: http://eprints.soton.ac.uk/id/eprint/415111
PURE UUID: 20f9aa17-db04-4a9a-a17e-3b7d1532967a
Catalogue record
Date deposited: 30 Oct 2017 17:30
Last modified: 15 Mar 2024 16:31
Export record
Altmetrics
Contributors
Author:
Massimiliano Masi
Author:
Rosario Pugliese
Author:
Francesco Tiezzi
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics
