Reference : Comprehensive Specification and Efficient Enforcement of Role-based Access Control Po...
Dissertations and theses : Doctoral thesis
Engineering, computing & technology : Computer science
Comprehensive Specification and Efficient Enforcement of Role-based Access Control Policies using a Model-driven Approach
Ben Fadhel, Ameni mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
University of Luxembourg, ​​Luxembourg
Docteur De L’Universite ́ Du Luxembourg En Informatique
Briand, Lionel mailto
Bianculli, Domenico mailto
Klein, Jacques mailto
Balzarotti, Davide mailto
Steimann, Friedrich mailto
[en] Prohibiting unauthorized access to critical resources and data has become a major requirement for enterprises. Access control (AC) mechanisms manage requests from users to access system resources; the access is granted or denied based on the authorization policies defined within the enterprise. One of the most used AC paradigms is role-based access control (RBAC), in which access rights are determined based on the user’s role.
In this dissertation, we focus on the problems of modeling, specifying and enforcing complex RBAC policies, by making the following contributions:
1. the GemRBAC+CTX conceptual model, a UML extension of the RBAC model that includes all the entities required to express the various types of RBAC policies found in the literature, with a specific emphasis on contextual policies. For each type of policy, we provided the corresponding formalization using the Object Constraint Language (OCL) to operationalize the access decision for a user’s request using model-driven technologies.
2. the GemRBAC-DSL language, a domain-specific language for RBAC policies designed on top of the GemRBAC+CTX model. The language is characterized by a syntax close to natural language, which does not require any mathematical background for expressing RBAC policies. The language supports all the authorization policies captured by the GemRBAC+CTX model.
3. MORRO, a model-driven framework for the run-time enforcement of RBAC policies expressed in GemRBAC-DSL, built on top of the GemRBAC+CTX model. MORRO provides policy enforcement for both access and usage control.
4. three tools (an editor for GemRBAC-DSL, a model transformation tool for GemRBAC-DSL, a run-time enforcement framework) have been implemented and released as part of this work.
The GemRBAC+CTX model and the GemRBAC-DSL language have been adopted by our industrial partner for the specification of the access control policies of a Web application in the domain of disaster reliefintervention. We have extensively evaluated the applicability and the scalability of MORRO on this Web application. The experimental results show that an access decision can be made on average, in less than 107 ms and that the time for processing a notification of an AC-related event is less than 512ms. Furthermore, both the access decision time and the execution time for processing a notification of an AC-related event scale—in the majority of the cases—linearly with respect to the parameters characterizing AC configurations; in the remaining cases, the access decision time is constant.

File(s) associated to this reference

Fulltext file(s):

Open access
Thesis_AmeniBF2017.pdfAuthor postprint1.7 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.