A talk I gave at University of Kent in Canterburry on the 30th of October 2013, as part of their security group seminars.

1. Model-Based Analysis of Role-Based Access
Control
Lionel Montrieux <lionel.Montrieux@open.ac.uk>
The Open University, Milton Keynes, UK

2. Contents
•
Introduction
•
Access Control
•
Model-Driven Engineering
•
RBAC with MDE
•
Modelling, Verification
•
Fixing Incorrect Models
•
Performance
•
Case Study
•
Future Work

3. Introduction - About Me
•
PhD Dissertation: “Model-Based Analysis of Role-Based
Access Control”
•
Supervisors: Charles B. Haley (retired), Yijun Yu, Michel
Wermelinger
•
Examiners: Jon Whittle (Lancaster), Robin Laney (OU)

4. Access Control

5. Access Control in a Nutshell
•
Authentication
•
Authorisation
•
MAC
•
DAC
•
RBAC
•
ABAC
•
and many others

6. Role-Based Access
Control (RBAC)
[Sandhu00]

7. Model-Driven
Engineering

8. Model-Driven Engineering
•
“[…] the consideration of models as first-class entities. A
model is an artefact that conforms to a metamodel and
that represents a given aspect of a system” [Bézivin06]
•
Model-Driven Security Engineering [FernandezMedina09]

9. RBAC Models

10. UMLsec
[Jürjens05, Montrieux09, Montrieux10]

11. SecureUML
[Basin09, Basin11]

12. SecureUML (2)

13. Our Solution(s)

14. rbacDSML, rbacUML and rbacMDE
•
one DSML
•
•
•
for RBAC only
using a UML profile
one DSL
•
•
one extension of UML
•
•
textual
to integrate RBAC into the design
from the same domain meta-model

15. rbacDSML, rbacUML
and rbacMDE

16. Domain Meta-Model
in MOF

17. 5 constraints
•
SSoD
•
DSoD
•
Activated roles have been assigned to the user
•
Granted scenarios
•
Forbidden scenarios

18. A Sample Model
•
Students marks system
•
Professors and TAs can add
marks for the courses they
teach
•
Students can read their own
marks

19. rbacDSML
Meta-Model, in MOF

20. Sample rbacDSML
Model
Everything on One Diagram

21. rbacMDE - Sample Model
• user Doe {
role Student;
role TA;
}
user Wood {
role TA;
}
user Smith {
role Professor;
}
role Student {
permission Access Marks;
ssod Professor;
}
[…]

22. rbacUML
Meta-Model, in MOF

23. Sample rbacUML Model
Access Control Diagram

24. Sample rbacUML Model
(2)
Class Diagram

25. Sample rbacUML Model
(3)
Sequence Diagram

26. Sample rbacUML Model
(4)
Activity Diagram

27. OCL Constraints Categories
•
Well-formedness
•
Verification
•
Satisfiability
•
Completeness
•
Coverage
•
Redundancy

28. OCL Evaluation Order
Selective evaluation

29. Demo

30. Fixing rbacDSML
Models
When errors are found

31. Overview
How it works

32. Classification of OCL Constraints
•
∀A: ∃B
•
∀A: ∄B
•
∃A: ∄B

33. How are Solutions Generated
•
Fixing individual errors
•
•
completeness, correctness
Combining them to fix the whole model
•
“keep” profile
•
heuristics for building the graph
•
completeness, correctness

34. Demo

35. The Tool
•
Plugins for IBM Rational
Software Architect 8.0
•
EPL licence
•
Available on github
(contributions are very
welcome)
•
rbacUML and rbacDSML
modelling and verification
•
rbacDSML fixing
•
rbacMDE in progress (using
Xtext)

36. Performance

37. 250
sum
full
coverage
completeness
redundancy
satis ability
well-formedness
veri cation
time (seconds)
200
150
100
50
0
0
1000
2000
3000
4000
5000
6000
7000
8000
model size (elements + associations)
rbacUML Evaluation
Time
Time vs. model size
9000

38. 220
200
180
160
140
120
100
80
60
40
20
0
Malformed
time (seconds)
time (seconds)
Correct
full
lazy
2000
4000
6000
8000
model size (elements + associations)
time (seconds)
Incorrect
220
200
180
160
140
120
100
80
60
40
20
full
lazy
2000
4000
6000
8000
model size (elements + associations)
rbacUML - selective
evaluation
250
200
150
100
50
0
full
lazy
2000
4000
6000
8000
model size (elements + associations)

39. Chiselapp
Github for the Fossil dvcs

40. Chiselapp
•
Created both rbacUML and rbacDSML models
•
PHP_UML to extract a class diagram, grep and manual
inspection for the rest
•
We found a bug
•
… but the maintainer insists that it’s a feature

41. Chiselapp rbacDSML
model

42. Future Work

43. Future Work
•
Nobody “really” uses UML [Petre13]
•
Adaptation
•
Performance improvements [Egyed07, Egyed11,
Reder13]
•
ABAC
•
Bidirectional graph transformations [Hidaka10]

44. Thank you. Any questions?
The tool: http://computing-research.open.ac.uk/rbac/
My dissertation: http://oro.open.ac.uk/28672/

45. References
•
[Basin09] Basin, D.; Clavel, M.; Doser, J. & Egea, M. Automated analysis of security-design
models Information and Software Technology, 2009, 51, 815 - 831
•
[Basin11] Basin, D.; Clavel, M. & Egea, M. A decade of model-driven security Proceedings of
the 16th ACM symposium on Access control models and technologies, ACM, 2011, 1-10
•
[Bézivin06] Bézivin, J. Model Driven Engineering: An Emerging Technical Space Generative and
Transformational Techniques in Software Engineering, 2006, 36-64
•
[Egyed07] Egyed, A. Fixing Inconsistencies in UML Design Models ICSE '07: Proceedings of the
29th international conference on Software Engineering, IEEE Computer Society, 2007, 292-301
•
[Egyed11] Egyed, A. Automatically Detecting and Tracking Inconsistencies in Software Design
Models Software Engineering, IEEE Transactions on, 2011, 37, 188 -204
•
[Fernandez-Medina09] Fernández-Medina, E.; Jurjens, J.; Trujillo, J. & Jajodia, S. Model-Driven
Development for secure information systems Information and Software Technology, 2009, 51,
809 - 814

46. References (2)
•
[Hidaka10] Hidaka, S.; Hu, Z.; Inaba, K.; Kato, H.; Matsuda, K. & Nakano, K.
Bidirectionalizing graph transformations Proceedings of the 15th ACM SIGPLAN
international conference on Functional programming, ACM, 2010, 205-216
•
[Jürjens05] Jürjens, J.; Lehrhuber, M. & Wimmel, G. Model-Based Design and
Analysis of Permission-Based Security Proceedings of the 10th IEEE
International Conference on Engineering of Complex Computer Systems, IEEE
Computer Society, 2005, 224-233
•
[Montrieux09] Montrieux, L. Implementation of Access Control using AspectOriented Programming University of Namur, 2009
•
[Montrieux10] Montrieux, L.; Jürjens, J.; Haley, C. B.; Yu, Y.; Schobbens, P.-Y. &
Toussaint, H. Tool support for code generation from a UMLsec property
Proceedings of the IEEE/ACM international conference on Automated software
engineering, ACM, 2010, 357-358

47. References (3)
•
[Montrieux11] Montrieux, L.; Wermelinger, M. & Yu, Y. Tool support for
UML-based specification and verification of role-based access control
properties ESEC/FSE: Procs. SIGSOFT Symposium and European Conf.
on Foundations of Software Engineering, ACM, 2011, 456-459
•
[Petre13] Petre, M. UML in practice 35th International Conference on
Software Engineering (ICSE 2013), 2013
•
[Reder13] Reder, A. & Egyed, A. Determining the Cause of a Design Model
Inconsistency Software Engineering, IEEE Transactions on, 2013, 1-1
•
[Sandhu00] Sandhu, R.; Ferraiolo, D. & Kuhn, R. The NIST model for rolebased access control: towards a unified standard Proceedings of the fifth
ACM workshop on Role-based access control, ACM, 2000, 47-63

48. Pictures Credits
•
LHC by UK dept. for Business, Innovation and Skills (by-nd)
•
Newton’s tree by Bob Franklin (by-nc-nd)
•
Robot by Yo Mostro (by-nc-nd)
•
Giant wrenches by Lars Hammar (by-nc-sa)
•
Speedometer by Don Melanson (by-nc-sa)
•
Case study by Binuri Ranashinghe (by-nc-nd)
•
Holy Grail drawings by Jessica Hardaway (with permission)
•
SecureUML models from [Basin09]