Model Driven Security: from UML Models to Access Control Infrastructures
Prof. David Basin, Jürgen Doser, Torsten Lodderstedt
Supervisor: Raphael Eidenbenz Jan-Filip Zagalak
Wednesday, December 17, 2008
outline:
• problem domain / problem solving
• approach
• example
• bottom line
requirements
design
implementation
verification
maintenance
common software engineering process
verification
requirements
design
implementation
maintenance
security requirements
verification
requirements
design
implementation
maintenance
design
implementation
security requirements
development of security requirements
• very late ad hoc integration of implemented security mechanisms
• hard to keep track of security requirements through development
➡ different representations of system / security
problem solving
• one representation for system and security
• manual implementation is ambiguous: remove the ambiguity
outline:
• problem domain / problem solving
• approach
• example
• bottom line
system
MDA: Model Driven Architecture
• specify system in abstract model
• apply transformation functions
• result: system specified in target platform, e.g. EJB, .NET ... (only architecture, no business logic)
simplified example: Poseidon UML Class Diagram to Java Class
system / security
MDS: Model Driven Security
• specify system and security together in an abstract model
• apply transformation functions
• result: security aware system specified in target platform, e.g. EJB, .NET ... (only architecture, no business logic)
... but how to build a model?
• modeling language
abstract syntax
concrete syntax
semantics
transformation functions
... but how to build a modeling language for MDS?
modeling language combination schema
system design modeling language | dialect | security modeling language
[figure: the dialect: a <<Permission>> class named permission_name listing <<ClassMethodAction>> entries]
modeling language combination schema
system design modeling language | dialect | security modeling language
[figure: the dialect: a <<Permission>> class named permission_name listing <<ClassMethodAction>> entries]
modeling language combination schema
system design modeling language | dialect | security modeling language
security design language
[figure: the dialect: a <<Permission>> class named permission_name listing <<ClassMethodAction>> entries]
modeling language combination schema
system and security modeled with security design language
outline:
• problem domain / problem solving
• approach
• example
• bottom line
example
Briefing with “M”
• I need mi6 to get a new system
• I like my cars: protect them with RBAC
• I want everything deployed as EJBs
[figure: users user_1, user_2 ... user_n assigned directly to permissions perm_1, perm_2, perm_3, perm_4 ... perm_n]
Role Based Access Control
[figure: users user_1 ... user_n -UA- roles role_A, role_B -PA- permissions perm_1 ... perm_n]
Role Based Access Control
EJB: Enterprise Java Beans
• Enterprise JavaBeans™ (EJB) is a managed, server-side component architecture for modular construction of enterprise applications.
EJB: Security - role based access control
<method-permission>
  <role-name>employee</role-name>
  <method>
    <ejb-name>AardvarkPayroll</ejb-name>
    <method-name>findByPrimaryKey</method-name>
  </method>
  <method>
    <ejb-name>AardvarkPayroll</ejb-name>
    <method-name>getEmployeeInfo</method-name>
  </method>
  <method>
    <ejb-name>AardvarkPayroll</ejb-name>
    <method-name>updateEmployeeInfo</method-name>
  </method>
</method-permission>
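The fragment above is the output side of an MDS transformation function. As an added example (not from the deck and not the SecureUML toolchain's code), the Python below generates such <method-permission> elements from a small permission model and reads them back. The model layout, the second role payroll-admin, the method deleteEmployee and the bean method remove are constructed for the example; only AardvarkPayroll, employee and the three listed methods come from the slide.

```python
"""Model-to-descriptor transformation: a small permission model rendered as the
EJB 2.x <method-permission> elements of ejb-jar.xml. Added example; the model
layout below is an assumption, not the deck's notation."""
import xml.etree.ElementTree as ET

# Constructed model: permission name -> (role that holds it, methods it grants).
# The first two entries reproduce the slide's AardvarkPayroll/employee fragment;
# AdminPayroll, payroll-admin and deleteEmployee are invented to show a second role.
MODEL = {
    "ReadPayroll": ("employee", [("AardvarkPayroll", "findByPrimaryKey"),
                                 ("AardvarkPayroll", "getEmployeeInfo")]),
    "UpdatePayroll": ("employee", [("AardvarkPayroll", "updateEmployeeInfo")]),
    "AdminPayroll": ("payroll-admin", [("AardvarkPayroll", "deleteEmployee")]),
}


def methods_by_role(model):
    """Flatten permissions into role -> ordered list of (ejb, method), dropping
    duplicates. This is the declarative part: the container enforces it, not the bean."""
    by_role = {}
    for role, methods in model.values():
        bucket = by_role.setdefault(role, [])
        for m in methods:
            if m not in bucket:
                bucket.append(m)
    return by_role


def to_assembly_descriptor(model):
    """Build the <assembly-descriptor>: every role is declared once as a
    <security-role>, and each role gets one <method-permission> listing its
    methods, the same shape as the slide's fragment."""
    root = ET.Element("assembly-descriptor")
    by_role = methods_by_role(model)
    for role in sorted(by_role):
        sr = ET.SubElement(root, "security-role")
        ET.SubElement(sr, "role-name").text = role
    for role in sorted(by_role):
        mp = ET.SubElement(root, "method-permission")
        ET.SubElement(mp, "role-name").text = role
        for ejb, method in by_role[role]:
            m = ET.SubElement(mp, "method")
            ET.SubElement(m, "ejb-name").text = ejb
            ET.SubElement(m, "method-name").text = method
    return root


def render(root):
    """Serialise with indentation (ET.indent needs Python 3.9+)."""
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def permitted_methods(root, role):
    """Read back from the generated XML which (ejb, method) pairs a role may call."""
    out = []
    for mp in root.findall("method-permission"):
        if mp.findtext("role-name") != role:
            continue
        for m in mp.findall("method"):
            out.append((m.findtext("ejb-name"), m.findtext("method-name")))
    return out


def uncovered_methods(model, ejb, all_methods):
    """Methods of an EJB that no permission mentions. The transformation cannot
    decide these; they need an explicit model entry rather than whatever the
    container does by default."""
    covered = {m for _, methods in model.values() for e, m in methods if e == ejb}
    return [m for m in all_methods if m not in covered]


if __name__ == "__main__":
    print(render(to_assembly_descriptor(MODEL)))
    print("uncovered:", uncovered_methods(MODEL, "AardvarkPayroll",
          ["findByPrimaryKey", "getEmployeeInfo", "updateEmployeeInfo",
           "deleteEmployee", "remove"]))
```

The uncovered_methods check is the part a reviewer wants from a generator like this: a method the model never mentions silently gets the container's default treatment, so the transformation should report it rather than leave the gap in the descriptor.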
[figure] mi6 - car access policy
modeling language combination schema
system design modeling language | dialect | security modeling language
security design language
instance: mi6UML (system design) | dialect | SecureUML (security modeling) → Securemi6UML (security design language)
[figure: system: protected resources: UML classes (Class Name, attributes, operations), with Car as an <<Entity>> class]
system: protected resources
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
a car modeled with Securemi6UML
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
role and entity
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
permissions
permission-name
<<Permission>>
permissions as association class
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
<<Permission>>
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
role: serviceAgent - permission I
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Permission>>
<<Permission>>
role: serviceAgent - permission II
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>simpleAgent
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
AdmireCar
<<Permission>>
role: simpleAgent - permission I
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Role>>simpleAgent
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
AdmireCar
<<Permission>>
<<Permission>>
<<Permission>>
model
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
CompositeAction:
read_specs
CompositeAction
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
AdmireCar
<<Permission>>
<<Permission>>
<<Permission>>
model
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
CompositeAction:
read_all
CompositeAction
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
CompositeAction:
read_all
CompositeAction
<<ClassMethodAction>> Car_getOilLevel: execute
<<ClassMethodAction>> Car_getWheels: execute
CompositeAction:
read_all
<<ClassMethodAction>> Car_getManufacturerName: execute
<<ClassMethodAction>> Car_getModelName: execute
<<ClassMethodAction>> Car_getMPG: execute
CompositeAction:
read_specs
action hierarchy
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
AdmireCar
<<Permission>>
<<Permission>>
<<Permission>>
model
[figure] mi6 - car access policy
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
extend Car entity
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
<<Permission>>
<<Permission>>
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
<<Entity>>
Car
model
MDS: access control decisions
• declarative access control (static) ⇒ Permissions
• programmatic access control (dynamic) ⇒ AuthorizationConstraints
permissions
permission-name
authorization
constraint
<OCL expression>
programmatic access control
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
<<Entity>>
Car
extend Car Entity
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
<<Entity>>
Car
self.Car_class = common
simpleAgent: may only drive common cars
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Permission>>
<<Permission>>
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
self.Car_class = common
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
<<Entity>>
Car
model
[figure] mi6 - car access policy
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadgets()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
<<Entity>>
Car
specialAgent:
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
self.Car_class = special
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadgets()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
<<Entity>>
Car
specialAgent: “may” only drive super cars
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
self.Car_class = special
self.Car_owner = caller.name
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadgets()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
owner : String
<<Entity>>
Car
specialAgents: don’t do carsharing
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Permission>>
<<Permission>>
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
self.Car_class = common
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
self.Car_class = special
self.Car_owner = caller.name
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadgets()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
owner : String
<<Entity>>
Car
model
change request
• I must reduce the CO2 emissions of our car fleet
• no car below 20 mpg may be used from now on
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Permission>>
<<Permission>>
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
self.Car_class = common
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
self.Car_class = special
self.Car_owner = caller.name
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadgets()::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
owner : String
<<Entity>>
Car
self.Car_mpg > 20
model
[figure] specialAgents may drive any car
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSuperCar
<<Permission>>
self.Car_class = special
self.Car_owner = caller.name
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadget( int )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
owner : String
<<Entity>>
car
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
self.Car_class = common
<<Permission>>
self.Car_mpg > 20
copy / paste simpleAgent permissions
<<Role>>serviceAgent
<<ClassAction>> Car: read_all
MaintainingAnalysis
<<ClassMethodAction>> Car_refillOil: execute
<<ClassMethodAction>> Car_changeWheel: execute
<<ClassMethodAction>> Car_open: execute
MaintainingWork
<<Permission>>
<<Permission>>
<<Role>>simpleAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
DriveCommonCar
<<Permission>>
self.Car_class = common
<<Role>>specialAgent
<<ClassAction>> Car: read_specs
<<ClassMethodAction>> Car_open: execute
<<ClassMethodAction>> Car_go_for_a_ride: execute
<<ClassMethodAction>> Car_act_secret_gadgets: execute
DriveSpecialCar
<<Permission>>
self.Car_class = special
self.Car_owner = caller.name
change_wheel ( int )::void
refill_oil( int )::void
open( )::void
go_for_a_ride()::void
act_secret_gadget( int )::void
manufacturer_name : String
model_name : String
mpg : int
oil_level : int
wheels : wheel[ ]
class : [ common | special ]
owner : String
<<Entity>>
Car
self.Car_mpg > 20
use role hierarchy
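The final model combines the static part (roles, permissions, role hierarchy) with the dynamic part (authorization constraints on DriveCommonCar and DriveSpecialCar). As an added example, not the deck's or SecureUML's code, the Python below evaluates exactly that combination for a call on a Car instance: the declarative check first, then the deck's OCL constraints as predicates over self and caller. The Car and Caller classes, the agent and car names, and the attachment of self.Car_mpg > 20 to DriveCommonCar are assumptions of the example.

```python
"""Programmatic (dynamic) access control on the mi6 car model: the deck's
authorization constraints evaluated on top of the declarative role/permission
check. Added example; Car, Caller and all sample data are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Car:
    model_name: str
    mpg: int
    car_class: str   # the deck's 'class : [ common | special ]'
    owner: str       # the deck's 'owner : String'


@dataclass(frozen=True)
class Caller:
    name: str
    roles: frozenset


# Declarative part (static): permission -> (roles holding it, actions it grants).
# The read_specs / read_all composite actions are left out to keep the focus on constraints.
PERMISSIONS = {
    "MaintainingWork": ({"serviceAgent"}, {"Car_refillOil", "Car_changeWheel", "Car_open"}),
    "DriveCommonCar": ({"simpleAgent"}, {"Car_open", "Car_go_for_a_ride"}),
    "DriveSpecialCar": ({"specialAgent"},
                        {"Car_open", "Car_go_for_a_ride", "Car_act_secret_gadgets"}),
}

# Role hierarchy from the last model slide: specialAgent inherits simpleAgent's permissions.
ROLE_INHERITS = {"specialAgent": {"simpleAgent"}}

# Programmatic part (dynamic): the deck's OCL constraints as predicates over (self, caller).
# A permission applies only when all of its constraints hold.
CONSTRAINTS = {
    "MaintainingWork": [],
    "DriveCommonCar": [lambda car, caller: car.car_class == "common",    # self.Car_class = common
                       lambda car, caller: car.mpg > 20],                # self.Car_mpg > 20 (assumed here)
    "DriveSpecialCar": [lambda car, caller: car.car_class == "special",  # self.Car_class = special
                        lambda car, caller: car.owner == caller.name],   # self.Car_owner = caller.name
}


def effective_roles(roles):
    """The caller's roles plus every role they inherit through the role hierarchy."""
    result = set(roles)
    frontier = list(roles)
    while frontier:
        for junior in ROLE_INHERITS.get(frontier.pop(), ()):
            if junior not in result:
                result.add(junior)
                frontier.append(junior)
    return result


def authorize(caller, car, action):
    """Access decision as (granted, reason). Permissions are OR-combined; one grants
    only if the caller holds (or inherits) a role that has it AND all of its
    authorization constraints hold for this car and this caller."""
    roles = effective_roles(caller.roles)
    reason = "no permission grants %s to roles %s" % (action, sorted(roles))
    for perm, (holders, actions) in PERMISSIONS.items():
        if action not in actions or not (holders & roles):
            continue
        if all(check(car, caller) for check in CONSTRAINTS[perm]):
            return True, perm
        reason = "%s matched but an authorization constraint failed" % perm
    return False, reason


if __name__ == "__main__":
    db5 = Car("DB5", mpg=15, car_class="special", owner="bond")
    fiesta = Car("Fiesta", mpg=35, car_class="common", owner="pool")
    bond = Caller("bond", frozenset({"specialAgent"}))
    print(authorize(bond, db5, "Car_act_secret_gadgets"))   # granted via DriveSpecialCar
    print(authorize(bond, fiesta, "Car_go_for_a_ride"))     # granted via inherited DriveCommonCar
```

The role hierarchy is what lets a specialAgent drive the common fleet without copying DriveCommonCar, and the constraint list is what keeps the CO2 rule in one place: adding self.Car_mpg > 20 to DriveCommonCar is a one-line model change rather than an edit in every bean method.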
system / security
MDS: Model Driven Security
• mi6 as model
• cars as protected resources
• RBAC based security policies
• empty EJB stubs + code implementing security mechanisms
summary:
• roles | permissions | entities
• composite actions
• action hierarchy
• authorization constraints
• role hierarchy
conventional approach vs. MDS
conventional approach | MDS
low level | arbitrary level of abstraction
policy format: XML | model elements (UML)
copy - paste / wildcards | hierarchy / composite container
running code from day 1 | time intensive modeling, business logic comes later
remember:
[figure: the dialect: a <<Permission>> class named permission_name listing <<ClassMethodAction>> entries]
system / security
bottom line:
• model driven security offers:
- common representation for system and security
- general language composition schema
- arbitrary levels of abstraction
- unambiguous target code generation
- semantics as basis for model checking
bottom line:
• model driven security drawbacks:
- modeling needs time and skills (reduce needed skills: tool development process, system development process)
- new composite actions / action hierarchies ⇒ change the dialect ⇒ recomposition of language (can be solved with macros)
- modifying the model ⇒ apply transformation functions again (can be solved with dedicated IDE or business logic stored outside of bean)
- ("code generator" needed)
SecureUML
• modeling language
abstract syntax
concrete syntax
semantics
transformation functions
role based access control
[figure: users (u ... user_n) -UA- roles (role_1 ...) -PA- permissions (perm ... perm_n) -AA- actions (a_1, a_2 ... a_n)]
$$\mathit{RBAC}_{\mathrm{simple}} = \{(u, a_1) \in \mathit{Users} \times \mathit{Actions} \mid \exists\, \mathit{role}_1 \in \mathit{Roles},\ \mathit{perm} \in \mathit{Permissions}\,.\ (u, \mathit{role}_1) \in \mathit{UA} \wedge (\mathit{role}_1, \mathit{perm}) \in \mathit{PA} \wedge (\mathit{perm}, a_1) \in \mathit{AA}\}$$
adding subjects
User
Subject
Group
CompositeContainer
$$\mathit{RBAC}_{\mathrm{w.subjects}} = \{(u, a_1) \in \mathit{Users} \times \mathit{Actions} \mid \exists\, \mathit{sub} \in \mathit{Subjects},\ \mathit{role}_1 \in \mathit{Roles},\ \mathit{perm} \in \mathit{Permissions},\ a_1 \in \mathit{Actions}\,.\ (\mathit{sub}, \mathit{role}_1) \in \mathit{UA} \wedge \mathit{sub} \geq_{\mathit{Subjects}} u \wedge (\mathit{role}_1, \mathit{perm}) \in \mathit{PA} \wedge (\mathit{perm}, a_1) \in \mathit{AA}\}$$
[figure: subjects (users u, u2 ... user_n and a group sub) -UA- roles (role_1 ...) -PA- permissions (perm ... perm_n) -AA- actions (a_1, a_2 ... a_n)]
adding subjects
[figure: subjects (u, u2 ... user_n, sub) -UA- roles role_1 and role_2 in a role hierarchy -PA- permissions (perm ... perm_n) -AA- actions (a_1, a_2 ... a_n)]
adding role hierarchy
$$\mathit{RBAC}_{\mathrm{w.roleH.}} = \{(u, a_1) \in \mathit{Users} \times \mathit{Actions} \mid \exists\, \mathit{sub} \in \mathit{Subjects},\ \mathit{role}_1, \mathit{role}_2 \in \mathit{Roles},\ \mathit{perm} \in \mathit{Permissions},\ a_1 \in \mathit{Actions}\,.\ (\mathit{sub}, \mathit{role}_1) \in \mathit{UA} \wedge \mathit{sub} \geq_{\mathit{Subjects}} u \wedge \mathit{role}_1 \geq_{\mathit{Roles}} \mathit{role}_2 \wedge (\mathit{role}_2, \mathit{perm}) \in \mathit{PA} \wedge (\mathit{perm}, a_1) \in \mathit{AA}\}$$
adding composite actions
[figure: subjects (u, u2 ... user_n, sub) -UA- roles role_1, role_2 -PA- permissions (perm ... perm_n) -AA- actions, with composite action a_2 containing a_1 ... a_n]
$$\mathit{RBAC}_{\mathrm{w.compA.}} = \{(u, a_1) \in \mathit{Users} \times \mathit{Actions} \mid \exists\, \mathit{sub} \in \mathit{Subjects},\ \mathit{role}_1, \mathit{role}_2 \in \mathit{Roles},\ \mathit{perm} \in \mathit{Permissions},\ a_2 \in \mathit{Actions}\,.\ (\mathit{sub}, \mathit{role}_1) \in \mathit{UA} \wedge \mathit{sub} \geq_{\mathit{Subjects}} u \wedge \mathit{role}_1 \geq_{\mathit{Roles}} \mathit{role}_2 \wedge a_2 \geq_{\mathit{Actions}} a_1 \wedge (\mathit{role}_2, \mathit{perm}) \in \mathit{PA} \wedge (\mathit{perm}, a_2) \in \mathit{AA}\}$$
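The four definitions above (simple RBAC, then subjects, role hierarchy and composite actions) are the semantics the transformation functions must preserve. As an added example, not the deck's or SecureUML's code, the Python below computes the last and most general set, RBAC_w.compA, over a constructed version of the mi6 policy, with each hierarchy as an "above" relation closed reflexively and transitively. The group agents, the user names and the exact relation contents are assumptions of the example; the roles, permissions and actions are the deck's.

```python
"""The deck's set-theoretic RBAC semantics with subject, role and action
hierarchies (RBAC_w.compA) evaluated over a constructed mi6 policy.
Added example; the policy relations below are an assumption."""
from itertools import product


def closure(above_pairs, elems):
    """Reflexive-transitive closure of an 'x is above y' relation over elems,
    returned as a set of (above, below) pairs; x >= y is written (x, y)."""
    rel = {(e, e) for e in elems} | set(above_pairs)
    grown = True
    while grown:
        grown = False
        for (a, b), (c, d) in list(product(rel, rel)):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                grown = True
    return rel


USERS = {"bond", "moneypenny", "q"}
GROUPS = {"agents"}                       # constructed group (a Subject that is not a User)
ROLES = {"simpleAgent", "specialAgent", "serviceAgent"}
ATOMIC = {"Car_getManufacturerName", "Car_getModelName", "Car_getMPG", "Car_getOilLevel",
          "Car_getWheels", "Car_refillOil", "Car_changeWheel", "Car_open",
          "Car_go_for_a_ride", "Car_act_secret_gadgets"}
COMPOSITE = {"read_specs", "read_all"}

POLICY = {
    "users": USERS,
    "subjects": USERS | GROUPS,
    "roles": ROLES,
    "actions": ATOMIC | COMPOSITE,
    # hierarchies as (above, below): a group above its members, a senior role above
    # a junior role, a composite action above the actions it contains
    "subject_h": {("agents", "bond"), ("agents", "moneypenny")},
    "role_h": {("specialAgent", "simpleAgent")},
    "action_h": {("read_specs", "Car_getManufacturerName"), ("read_specs", "Car_getModelName"),
                 ("read_specs", "Car_getMPG"), ("read_all", "read_specs"),
                 ("read_all", "Car_getOilLevel"), ("read_all", "Car_getWheels")},
    "UA": {("agents", "simpleAgent"), ("bond", "specialAgent"), ("q", "serviceAgent")},
    "PA": {("serviceAgent", "MaintainingAnalysis"), ("serviceAgent", "MaintainingWork"),
           ("simpleAgent", "DriveCommonCar"), ("specialAgent", "DriveSpecialCar")},
    "AA": {("MaintainingAnalysis", "read_all"),
           ("MaintainingWork", "Car_refillOil"), ("MaintainingWork", "Car_changeWheel"),
           ("MaintainingWork", "Car_open"),
           ("DriveCommonCar", "read_specs"), ("DriveCommonCar", "Car_open"),
           ("DriveCommonCar", "Car_go_for_a_ride"),
           ("DriveSpecialCar", "read_specs"), ("DriveSpecialCar", "Car_open"),
           ("DriveSpecialCar", "Car_go_for_a_ride"), ("DriveSpecialCar", "Car_act_secret_gadgets")},
}


def rbac_comp_a(policy):
    """RBAC_w.compA: (u, a1) is granted iff there exist sub, role1, role2, perm, a2 with
    (sub, role1) in UA, sub >= u, role1 >= role2, (role2, perm) in PA,
    (perm, a2) in AA and a2 >= a1. Iterating over the relations rather than over
    every tuple of the carrier sets keeps the search small."""
    sub_h = closure(policy["subject_h"], policy["subjects"])
    role_h = closure(policy["role_h"], policy["roles"])
    act_h = closure(policy["action_h"], policy["actions"])
    granted = set()
    for sub, role1 in policy["UA"]:
        users = {u for u in policy["users"] if (sub, u) in sub_h}
        for role2, perm in policy["PA"]:
            if (role1, role2) not in role_h:
                continue
            for perm2, a2 in policy["AA"]:
                if perm2 != perm:
                    continue
                for a1 in policy["actions"]:
                    if (a2, a1) in act_h:
                        granted.update((u, a1) for u in users)
    return granted


def may(policy, user, action):
    """Membership test in the computed access relation."""
    return (user, action) in rbac_comp_a(policy)


if __name__ == "__main__":
    allowed = rbac_comp_a(POLICY)
    for u in sorted(POLICY["users"]):
        print(u, sorted(a for (x, a) in allowed if x == u))
```

Because every hierarchy is closed reflexively, a composite action such as read_specs is itself in the granted set alongside the atomic actions it contains, and a user reached only through the group agents gets exactly the simpleAgent permissions; dropping a pair from role_h or subject_h and recomputing shows which grants depended on that hierarchy edge.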
SecureUML
• modeling language
abstract syntax
concrete syntax
semantics
transformation functions
[figure: abstract syntax: classes User, Role, Permission, each with attributes, linked by the associations UA and PA]
abstract syntax
[figure: SecureUML abstract syntax (metamodel): Subject (specialised into User and Group; Group is a CompositeContainer) -UA- Role (with RoleHierarchy) -PA- Permission -AA- Action (AtomicAction and CompositeAction; CompositeAction is a CompositeContainer; ActionHierarchy) -RA- Resource (with ResourceHierarchy); Permission is restricted by AuthorizationConstraint]
abstract syntax SecureUML
source: Security Engineering, Prof. D. Basin