Model-Based Analysis of Role-Based Access Control

Upload: lionel-montrieux

Post on 09-May-2015

DESCRIPTION

A talk I gave at University of Kent in Canterbury on the 30th of October 2013, as part of their security group seminars.

TRANSCRIPT

  • 1. Model-Based Analysis of Role-Based Access Control. Lionel Montrieux, The Open University, Milton Keynes, UK
  • 2. Contents: Introduction; Access Control; Model-Driven Engineering; RBAC with MDE; Modelling; Verification; Fixing Incorrect Models; Performance; Case Study; Future Work
  • 3. Introduction - About Me: PhD Dissertation: Model-Based Analysis of Role-Based Access Control. Supervisors: Charles B. Haley (retired), Yijun Yu, Michel Wermelinger. Examiners: Jon Whittle (Lancaster), Robin Laney (OU)
  • 4. Access Control
  • 5. Access Control in a Nutshell: Authentication; Authorisation: MAC, DAC, RBAC, ABAC and many others
  • 6. Role-Based Access Control (RBAC) [Sandhu00]
  • 7. Model-Driven Engineering
  • 8. Model-Driven Engineering: "[…] the consideration of models as first-class entities. A model is an artefact that conforms to a metamodel and that represents a given aspect of a system" [Bézivin06]. Model-Driven Security Engineering [Fernandez-Medina09]
  • 9. RBAC Models
  • 10. UMLsec [Jürjens05, Montrieux09, Montrieux10]
  • 11. SecureUML [Basin09, Basin11]
  • 12. SecureUML (2)
  • 13. Our Solution(s)
  • 14. rbacDSML, rbacUML and rbacMDE: one DSML for RBAC only (rbacDSML); one extension of UML, using a UML profile, to integrate RBAC into the design (rbacUML); one textual DSL (rbacMDE); all from the same domain meta-model
  • 15. rbacDSML, rbacUML and rbacMDE
  • 16. Domain Meta-Model, in MOF
  • 17. 5 constraints: SSoD; DSoD; Activated roles have been assigned to the user; Granted scenarios; Forbidden scenarios
  • 18. A Sample Model: Students marks system. Professors and TAs can add marks for the courses they teach. Students can read their own marks.
  • 19. rbacDSML Meta-Model, in MOF
  • 20. Sample rbacDSML Model: Everything on One Diagram
  • 21. rbacMDE - Sample Model:

        user Doe { role Student; role TA; }
        user Wood { role TA; }
        user Smith { role Professor; }
        role Student { permission Access Marks; ssod Professor; }
        […]

  • 22. rbacUML Meta-Model, in MOF
  • 23. Sample rbacUML Model: Access Control Diagram
  • 24. Sample rbacUML Model (2): Class Diagram
  • 25. Sample rbacUML Model (3): Sequence Diagram
  • 26. Sample rbacUML Model (4): Activity Diagram
  • 27. OCL Constraints Categories: Well-formedness; Verification; Satisfiability; Completeness; Coverage; Redundancy
  • 28. OCL Evaluation Order: Selective evaluation
  • 29. Demo
  • 30. Fixing rbacDSML Models: When errors are found
  • 31. Overview: How it works
  • 32. Classification of OCL Constraints (diagram)
  • 33. How are Solutions Generated: Fixing individual errors (completeness, correctness); Combining them to fix the whole model (keep profile; heuristics for building the graph; completeness, correctness)
  • 34. Demo
  • 35. The Tool: Plugins for IBM Rational Software Architect 8.0; EPL licence; Available on github (contributions are very welcome); rbacUML and rbacDSML modelling and verification; rbacDSML fixing; rbacMDE in progress (using Xtext)
  • 36. Performance
  • 37. rbacUML Evaluation Time: Time vs. model size (chart; y axis: time (seconds), x axis: model size (elements + associations); series: sum, full coverage, completeness, redundancy, satisfiability, well-formedness, verification)
  • 38. rbacUML - selective evaluation (charts for Correct, Malformed and Incorrect models, full vs. lazy evaluation; y axis: time (seconds), x axis: model size (elements + associations))
  • 39. Chiselapp: Github for the Fossil dvcs
  • 40. Chiselapp: Created both rbacUML and rbacDSML models. PHP_UML to extract a class diagram, grep and manual inspection for the rest. We found a bug but the maintainer insists that it's a feature.
  • 41. Chiselapp rbacDSML model
  • 42. Future Work
  • 43. Future Work: Nobody really uses UML [Petre13]; Adaptation; Performance improvements [Egyed07, Egyed11, Reder13]; ABAC; Bidirectional graph transformations [Hidaka10]
  • 44. Thank you. Any questions? The tool: http://computing-research.open.ac.uk/rbac/ My dissertation: http://oro.open.ac.uk/28672/
  • 45. References:
    [Basin09] Basin, D.; Clavel, M.; Doser, J. & Egea, M. Automated analysis of security-design models. Information and Software Technology, 2009, 51, 815-831
    [Basin11] Basin, D.; Clavel, M. & Egea, M. A decade of model-driven security. Proceedings of the 16th ACM symposium on Access control models and technologies, ACM, 2011, 1-10
    [Bézivin06] Bézivin, J. Model Driven Engineering: An Emerging Technical Space. Generative and Transformational Techniques in Software Engineering, 2006, 36-64
    [Egyed07] Egyed, A. Fixing Inconsistencies in UML Design Models. ICSE '07: Proceedings of the 29th international conference on Software Engineering, IEEE Computer Society, 2007, 292-301
    [Egyed11] Egyed, A. Automatically Detecting and Tracking Inconsistencies in Software Design Models. Software Engineering, IEEE Transactions on, 2011, 37, 188-204
    [Fernandez-Medina09] Fernández-Medina, E.; Jürjens, J.; Trujillo, J. & Jajodia, S. Model-Driven Development for secure information systems. Information and Software Technology, 2009, 51, 809-814
  • 46. References (2):
    [Hidaka10] Hidaka, S.; Hu, Z.; Inaba, K.; Kato, H.; Matsuda, K. & Nakano, K. Bidirectionalizing graph transformations. Proceedings of the 15th ACM SIGPLAN international conference on Functional programming, ACM, 2010, 205-216
    [Jürjens05] Jürjens, J.; Lehrhuber, M. & Wimmel, G. Model-Based Design and Analysis of Permission-Based Security. Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, IEEE Computer Society, 2005, 224-233
    [Montrieux09] Montrieux, L. Implementation of Access Control using Aspect-Oriented Programming. University of Namur, 2009
    [Montrieux10] Montrieux, L.; Jürjens, J.; Haley, C. B.; Yu, Y.; Schobbens, P.-Y. & Toussaint, H. Tool support for code generation from a UMLsec property. Proceedings of the IEEE/ACM international conference on Automated software engineering, ACM, 2010, 357-358
  • 47. References (3):
    [Montrieux11] Montrieux, L.; Wermelinger, M. & Yu, Y. Tool support for UML-based specification and verification of role-based access control properties. ESEC/FSE: Procs. SIGSOFT Symposium and European Conf. on Foundations of Software Engineering, ACM, 2011, 456-459
    [Petre13] Petre, M. UML in practice. 35th International Conference on Software Engineering (ICSE 2013), 2013
    [Reder13] Reder, A. & Egyed, A. Determining the Cause of a Design Model Inconsistency. Software Engineering, IEEE Transactions on, 2013, 1-1
    [Sandhu00] Sandhu, R.; Ferraiolo, D. & Kuhn, R. The NIST model for role-based access control: towards a unified standard. Proceedings of the fifth ACM workshop on Role-based access control, ACM, 2000, 47-63
  • 48. Pictures Credits: LHC by UK dept. for Business, Innovation and Skills (by-nd); Newton's tree by Bob Franklin (by-nc-nd); Robot by Yo Mostro (by-nc-nd); Giant wrenches by Lars Hammar (by-nc-sa); Speedometer by Don Melanson (by-nc-sa); Case study by Binuri Ranashinghe (by-nc-nd); Holy Grail drawings by Jessica Hardaway (with permission); SecureUML models from [Basin09]
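The five constraints listed on slide 17 and the textual sample on slide 21, as an added example that is not the author's tool, its OCL constraints or the real rbacMDE grammar: a small Python checker for the user/role/permission/ssod syntax visible in the excerpt. It re-implements three of the five constraints (SSoD, DSoD and "activated roles have been assigned to the user") plus a well-formedness check that every referenced role is declared. The `dsod` clause, the TA and Professor role declarations, the extra user Jones and the session data are constructed assumptions; granted and forbidden scenarios need the UML scenario models and are not covered.

```python
"""Checker for a simplified rbacMDE-like textual RBAC model.

Added example; not code from the rbacUML/rbacDSML/rbacMDE tools. Only the
`user`, `role`, `permission` and `ssod` clauses come from the slide; `dsod`
is assumed by analogy and sessions are plain Python data.
"""
import re
from dataclasses import dataclass, field

# Sample model from slide 21. The elided "[...]" part is replaced by
# constructed TA and Professor declarations so every role is declared.
# The "dsod Student" on TA is constructed: Doe may hold Student and TA,
# but must not activate both in one session.
SAMPLE_MODEL = """
user Doe { role Student; role TA; }
user Wood { role TA; }
user Smith { role Professor; }
role Student { permission Access Marks; ssod Professor; }
role TA { permission Add Marks; dsod Student; }
role Professor { permission Add Marks; }
"""

# Constructed sessions: session id -> (user, activated roles).
SESSIONS = {
    "s1": ("Doe", {"TA"}),               # allowed
    "s2": ("Doe", {"Student", "TA"}),    # DSoD pair active together
    "s3": ("Wood", {"Professor"}),       # Wood was never assigned Professor
}

BLOCK_RE = re.compile(r"(user|role)\s+(\w+)\s*\{([^}]*)\}")


@dataclass
class Model:
    users: dict = field(default_factory=dict)        # user -> assigned roles
    permissions: dict = field(default_factory=dict)  # role -> permissions
    ssod: set = field(default_factory=set)           # frozenset role pairs
    dsod: set = field(default_factory=set)           # frozenset role pairs


def parse_model(text):
    """Parse `user X { role R; ... }` and `role R { permission P; ssod S; dsod D; }` blocks."""
    m = Model()
    for kind, name, body in BLOCK_RE.findall(text):
        clauses = [c.strip() for c in body.split(";") if c.strip()]
        if kind == "user":
            assigned = m.users.setdefault(name, set())
            for clause in clauses:
                kw, _, arg = clause.partition(" ")
                if kw != "role":
                    raise ValueError(f"unexpected clause in user {name}: {clause!r}")
                assigned.add(arg.strip())
        else:
            perms = m.permissions.setdefault(name, set())
            for clause in clauses:
                kw, _, arg = clause.partition(" ")
                arg = arg.strip()
                if kw == "permission":
                    perms.add(arg)              # permission names may contain spaces
                elif kw == "ssod":
                    m.ssod.add(frozenset((name, arg)))
                elif kw == "dsod":
                    m.dsod.add(frozenset((name, arg)))
                else:
                    raise ValueError(f"unexpected clause in role {name}: {clause!r}")
    return m


def undeclared_roles(m):
    """Well-formedness: roles assigned or named in a separation pair but never declared."""
    referenced = set().union(*m.users.values())
    for pair in m.ssod | m.dsod:
        referenced |= pair
    return referenced - set(m.permissions)


def ssod_violations(m):
    """Static separation of duty: a user statically assigned both roles of an SSoD pair."""
    return sorted((user, tuple(sorted(pair)))
                  for user, roles in m.users.items()
                  for pair in m.ssod if pair <= roles)


def session_violations(m, sessions):
    """Per-session checks: activated role not assigned to the user; DSoD pair active together."""
    findings = []
    for sid, (user, active) in sessions.items():
        assigned = m.users.get(user, set())
        for role in sorted(active - assigned):
            findings.append((sid, "unassigned", role))
        for pair in m.dsod:
            if pair <= active:
                findings.append((sid, "dsod", tuple(sorted(pair))))
    return sorted(findings)


if __name__ == "__main__":
    model = parse_model(SAMPLE_MODEL)
    print("undeclared roles:", undeclared_roles(model))
    print("SSoD violations:", ssod_violations(model))
    print("session violations:", session_violations(model, SESSIONS))
    # Constructed variant: Jones holds both roles of the Student/Professor SSoD pair.
    bad = parse_model(SAMPLE_MODEL + "user Jones { role Student; role Professor; }")
    print("SSoD violations (variant):", ssod_violations(bad))
```

The split between `ssod_violations` and `session_violations` mirrors the static/dynamic distinction on slide 17: SSoD is decided from the model alone, while DSoD and the "activated roles assigned" constraint need session state, which is why the slide's sample model can legitimately give Doe both Student and TA.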