The University of Southampton
University of Southampton Institutional Repository

A rigorous framework for specification, analysis and enforcement of access control policies

Margheri, Andrea, Masi, Massimiliano, Pugliese, Rosario and Tiezzi, Francesco (2017) A rigorous framework for specification, analysis and enforcement of access control policies. IEEE Transactions on Software Engineering. (doi:10.1109/TSE.2017.2765640).

Record type: Article

Abstract

Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the access to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automated verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, such as missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse-based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.

Text
facpl_journal - Accepted Manuscript

More information

Accepted/In Press date: 24 September 2017
e-pub ahead of print date: 24 October 2017

Identifiers

Local EPrints ID: 415111
URI: https://eprints.soton.ac.uk/id/eprint/415111
PURE UUID: 20f9aa17-db04-4a9a-a17e-3b7d1532967a
ORCID for Andrea Margheri: orcid.org/0000-0002-5048-8070

Catalogue record

Date deposited: 30 Oct 2017 17:30
Last modified: 15 Aug 2019 00:34


Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of https://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.
