In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain Specific Modeling Language (DSL), called Security@Runtime, for the specification of security configurations of targeted systems. The Security@Runtime DSL supports the expression of authorization, obligation and reaction policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an application-independent Policy Enforcement Point (PEP)-Policy Decision Point (PDP) architecture, which enables the runtime update of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed.
Disciplines :
Computer science
Author, co-author :
Elrakaiby, Yehia ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Amrani, Moussa ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
A Flexible MDE approach to Enforce Fine-grained Security Policies
Publication date :
2014
Event name :
International Symposium on Engineering Secure Software and Systems
Event date :
from 26-02-2014 to 28-02-2014
Audience :
International
Main work title :
Proceedings of the International Symposium on Engineering Secure Software and Systems