Abstract
In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain-Specific Modeling Language (DSL), called Security@Runtime, for the specification of security configurations of targeted systems. The Security@Runtime DSL supports the expression of authorization, obligation and reaction policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an application-independent Policy Enforcement Point (PEP) - Policy Decision Point (PDP) architecture, which enables the runtime update of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Elrakaiby, Y., Amrani, M., Le Traon, Y. (2014). Security@Runtime: A Flexible MDE Approach to Enforce Fine-grained Security Policies. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_2
DOI: https://doi.org/10.1007/978-3-319-04897-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04896-3
Online ISBN: 978-3-319-04897-0
eBook Packages: Computer Science, Computer Science (R0)