rigorous analysis of uml access
play

Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , - PowerPoint PPT Presentation

Aug 25, 2023 •371 likes •834 views

Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , Robert France and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, Colorado Security Policies Security policies Expressed by different

  1. Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , Robert France and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, Colorado

  2. Security Policies  Security policies  Expressed by different languages XACML, OWL/RDF, CIM/SPL, PONDER, UML   Errors in policy models  Can cause security breaches that have serious consequences  Correcting the errors once policies are deployed can be expensive  Need error detection before policies are deployed

  3. Motivation  We use UML (Unified Modeling Language) for policy specification  UML together with OCL can be used to provide a formal and graphical representation of security policies  UML is the de facto specification language used in the software industry  UML policy models can be transformed to code using existing technologies

  4. Motivation  Using UML (Unified Modeling Language) as a policy specification language  Challenge: few mature tools supporting rigorous analysis of UML models  Solution: Transform UML to Alloy for automated model analysis

  5. Approach  Rigorous analysis of UML access control policy models  Front-end: use UML to describe security policies  Back-end: use Alloy Analyzer to analyze the modeled properties  Transformation between UML and Alloy: obviate the need for security designers to understand the Alloy language

  6. Approach Overview 6

  7. Background: SUDA  Scenario-based UML Design Analysis (SUDA)  A design class model with operation specifications is transformed to a static model of behavior, called a snapshot model.  A snapshot is an object configuration that represents a state of the system at a particular time.  A snapshot transition describes the behavior of an operation in terms of its before and after effect on the system state. 7

  8. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 8

  9. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 9

  10. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 10

  11. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 11

  12. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 12

  13. Background: SUDA  SUDA vs. Our approach  SUDA: is the given scenario supported by the UML class model?  Our approach: is there a scenario supported by the UML class model that starts in a specified valid state and ends in a specified invalid state? 13

  14. Approach Overview 14

  15. Background: Dynamic Analysis using Alloy  Alloy  Model = signatures + facts + predicates (operation specifications)  Facts: define constraints on the elements of the model  Predicates: probe model  Trace mechanism: specify a fact to associate the transitions triggered by operation invocations with states defined by signatures 15

  16. Snapshot Model to Alloy Model Transformation  Step 1: Transform each class that is part of Snapshot class to a signature in Alloy sig Role{} sig User{} 16

  17. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 17

  18. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 18

  19. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 19

  20. Snapshot Model to Alloy Model Transformation  Step 3: Transform each Transition pred AssignRole[disj before, after: Snapshot, specialization to a rPre, rPost: Role, uPre, uPost: User] { // Precondition predicate in Alloy rPre in before.roles uPre in before.users rPre not in uPre.(before.ASSIGN) // Postcondition rPost in after.roles uPost in after.users uPost.(after.ASSIGN) = uPre.(before.ASSIGN) + rPost // Unchanged object configuration ….. } 20

  21. Snapshot Model to Alloy Model Transformation  Step 3: Transform each Transition specialization to a predicate in Alloy pred AssignRole[disj before, after: Snapshot, rPre, rPost: Role, uPre, uPost: User]{ Context AssignRole inv: // Precondition uPre.ASSIGN->excludes(rPre) rPre not in uPre.(before.ASSIGN) … … … // Postcondition uPost.ASSIGN = uPost.(after.ASSIGN) = uPre.(before.ASSIGN) + uPre.ASSIGN->including(rPost) rPost … … … // Unchanged object configuration after.roles->excluding(rPost)= after.roles – rPost = before.roles – rPre before.roles->excluding(rPre) … … } 21

  22. Snapshot Model to Alloy Model Transformation  Step 4: Define a trace fact to associate transitions between two consecutive snapshots with operations fact traces{ all before: Snapshot - SnapshotSequence/last | let after = SnapshotSequence/next[before] | Some r: Role | some u: User | AssignRole[before, after, r, r, u, u] } 22

  23. Approach Overview 23

  24. Alloy Instance to UML Object Model Transformation Alloy Instance A Sequence of UML Object Models 24

  25. Research Goal  Analysis: check whether a system can move from a valid to an invalid state as result of a sequence of access control operation calls  If analysis uncovers such a sequence, then the designer uses the trace information output by the analysis to help find the source of the errors in the UML policy model 25

  26. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 26

  27. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 27

  28. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 28

  29. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 29

  30. Demonstration Case Study: LRBAC  Operation specifications in form of pre/post- conditions for DeleteRoleAssignLocation // English specification: remove a location from a set of locations // in which a role can be assigned Context Role::DeleteRoleAssignLocation(l:Location) Precondition: location l has been associated with the role Postcondition: location l has been removed from a set of locations // OCL specification: remove a location from a set of locations // in which a role can be assigned Context Role::DeleteRoleAssignLocation(l:Location) Pre: self.AssignLoc->includes(l) Post: self.AssignLoc=self.AssignLoc@pre->excluding(l) 30

  31. Demonstration Case Study: Specifying the Property-to-Verify  Valid and Invalid LRBAC Snapshot Patterns  Is there a sequence of operation invocations that takes the system from a valid state consisting of at least one user in a location to an invalid state in which the user is linked to a role that does not include the user’s location? 31

  32. Demonstration Case Study: Generating the LRBAC Snapshot Model 32

  33. Demonstration Case Study: Generating an LRBAC Alloy Model  Role_DeleteRoleAssignLocation predicate generated from the class invariant pred Role_DeleteRoleAssignLocation[disj before,after :Snapshot, rPre, rPost:Role, lPre, lPost:Location] { // Precondition Pre in rPre.(before.AssignLoc) … // Postcondition rPost.(after.AssignLoc) = rPre.(before.AssignLoc) – lPost… // Unchanged parts of object configuration after.roles - rPost = before.roles – rPre … } 33

  34. Demonstration Case Study: Analyzing the Alloy Model  The verification predicate generated from the property-to-verify pred valid2invalid{ // Specify that the first snapshot is valid let first = SnapshotSequence/first | … all u:first.users | u.(first.UserAssign) = none and u.(first.UserLoc) != none … Valid Snapshot // Query whether there exists a path from a valid // state to an invalid state some s: Snapshot - first | … l not in r.(s.AssignLoc) and r in u.(s.UserAssign) and l in u.(s.UserLoc) } Invalid Snapshot 34

  35. Demonstration Case Study: Analyzing the Alloy Model First Snapshot: Valid Second Snapshot: Valid 35

  36. Demonstration Case Study: Analyzing the Alloy Model Third Snapshot: Valid Fourth Snapshot: Invalid 36

Recommend

Conducting rigorous research on large open-access developmental datasets Amy Orben Department

Conducting rigorous research on large open-access developmental datasets Amy Orben Department

Conducting rigorous research on large open-access developmental datasets Amy Orben Department of Experimental Psychology, University of Oxford ABCD Workshop, Portland @OrbenAmy 1 1. Curbing analytical flexibility 2. Preregistration +

988 views • 78 slides
Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points

Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points

Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points Purpose and Modeling Close and Scaffolded Reading Collabora9ve Conversa9ons Wide, Independent

678 views • 55 slides
Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour,

Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour,

RTI International Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour, Ph.D., M.P.E. Behavioral Health Epidemiology, Research Triangle Institute Center on Education and Drug Abuse Research, U. Pittsburgh

376 views • 26 slides
Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability Testing by J. Dumas, J. Redish R.I.T S. Ludi/R. Kuehl p. 1 R I T Software Engineering Summarize and Analyze Test Data Qualitative data -

598 views • 31 slides
A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned

A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned

A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned components- clear learning outcomes with matching assessments, engaging learning experiences and instructional strategies - organized into sequenced units

431 views • 22 slides
Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation = Polynomial + error bound Rigorous methods Algorithmic methods Efficient and accurate 1/16 Multinormval Why Algorithmic and Rigorous Polynomial

1.12k views • 98 slides
Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability Testing by J. Dumas, J. Redish Results from Usability Tests Quantitative data: Performance data - times, error rates, etc. Subjective

392 views • 26 slides
Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing using a structured process Validate adherence to interaction requirements Actual users who perform realistic and representative tasks

490 views • 38 slides
Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas

Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas

Multicultural Issues and Awareness in Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas Oskar Kempf, National Library of Economics, Germany Athena Salaba, Kent State University, USA Session 155:

220 views • 17 slides
Geometry as made rigorous by Euclid and Descartes David Pierce October ,

Geometry as made rigorous by Euclid and Descartes David Pierce October ,

Geometry as made rigorous by Euclid and Descartes David Pierce October , Contents Hilberts geometry Introduction Analysis and synthesis Origins of geometry

954 views • 47 slides
Rigorous approach to the derivation of 1D models for wave propagation in electrical networks

Rigorous approach to the derivation of 1D models for wave propagation in electrical networks

Rigorous approach to the derivation of 1D models for wave propagation in electrical networks Patrick Joly (INRIA) EPI POEMS (UMR CNRS-ENSTA-INRIA) e with G. Beck (Poems, INRIA) and S. Imperiale (M3DISIM, INRIA) Analysis and Numerics of

1.42k views • 98 slides
from rigorous science from rigorous science to impactful practice to impactful

from rigorous science from rigorous science to impactful practice to impactful

September 17, 2009 September 17, 2009 from rigorous science from rigorous science to impactful practice to impactful practice 1 Stay Tuned Stay Tuned Toward elimination of healthcare associated infections Toward

299 views • 25 slides
Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad University and Rice University Rigorous Simulation Aaron Ames, Kevin Atkinson , Jerker Bengtsson, Raktim Bhattacharya, Paul Brauner, Robert Cartwright,

887 views • 44 slides
A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access :

A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access :

A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access : Systematic exploration of heterogenuous and large music libraries Control : Interfacing with complex automatic music analysis tools Analysis

466 views • 8 slides
A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog

A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog

A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog synthesizer online, for high-quality recording Web Servers With batched access, it optimizes user and system time Lucas Zawacki A prototype

263 views • 4 slides
Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

The Kernel of Truth 1 N. Shankar Computer Science Laboratory SRI International Menlo Park, CA Mar 3, 2010 1 This research was supported NSF Grants CSR-EHCS(CPS)-0834810 and CNS-0917375. Overview Deduction can be carried out by rigorous

510 views • 36 slides
ACCESS TO JUSTICE AND LITIGATION TRADE-OFF: A Theoretical Analysis ACCESS TO JUSTICE AND

ACCESS TO JUSTICE AND LITIGATION TRADE-OFF: A Theoretical Analysis ACCESS TO JUSTICE AND

ACCESS TO JUSTICE AND LITIGATION TRADE-OFF: A Theoretical Analysis ACCESS TO JUSTICE AND LITIGATION TRADE-OFF: A Theoretical Analysis Margherita Saraceno ACLE, Seminar on Access to Justice April 18, 2008 Margherita Saraceno April

371 views • 14 slides
We all need some help! The new style 9-1 GCSEs 2017 More rigorous in their content More

We all need some help! The new style 9-1 GCSEs 2017 More rigorous in their content More

We all need some help! The new style 9-1 GCSEs 2017 More rigorous in their content More rote learning / closed book examinations Changes in tiers of entry in some subjects REVISION IS MORE IMPORTANT THAN EVER BECAUSE COURSEWORK IS

1.06k views • 60 slides
Rigorous approximation of invariant measures for IFS Joint work with S. Galatolo e I. Nisoli

Rigorous approximation of invariant measures for IFS Joint work with S. Galatolo e I. Nisoli

Rigorous approximation of invariant measures for IFS Joint work with S. Galatolo e I. Nisoli Maurizio Monge maurizio.monge@im.ufrj.br Universidade Federal do Rio de Janeiro April 8, 2016 Rigorous approximation of invariant measures for IFS

607 views • 21 slides
A Household/Village Approach to the Analysis of Land Access and its Implications on Household

A Household/Village Approach to the Analysis of Land Access and its Implications on Household

A Household/Village Approach to the Analysis of Land Access and its Implications on Household Welfare Stefania Lovo LAND ACCESS Land reforms/Agrarian reforms are one of the key instruments for addressing rural poverty and improving living

315 views • 20 slides
RWTHApp From a requirements analysis to a service oriented architecture for secure mobile access

RWTHApp From a requirements analysis to a service oriented architecture for secure mobile access

RWTHApp From a requirements analysis to a service oriented architecture for secure mobile access to personalized data Marius Politze, Bernd Decker IT Center RWTH Aachen University Overview Requirements Analysis Process

557 views • 16 slides
A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz

A Single Window Gateway for e-Content Access, Delivery and Analysis www.remotexs.xyz Confidential RemoteXs Key Features ! Serve &amp; Access e-content from a single portal Zero IT infrastructure cost (IP address allocation) Inbuilt

356 views • 11 slides
Partnering with Joint and Operations Analysis Division 1 UNCLASSIFIED Joint and Operations

Partnering with Joint and Operations Analysis Division 1 UNCLASSIFIED Joint and Operations

UNCLASSIFIED Partnering with Joint and Operations Analysis Division 1 UNCLASSIFIED Joint and Operations Analysis Division undertakes rigorous scientifically-based analysis of Defence operations and capability 2 UNCLASSIFIED Major

457 views • 29 slides
Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to

Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to

Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to liveness-based garbage collection Rohan Padhye under the guidance of Prof. Uday Khedker Department of Computer Science &amp; Engineering Indian

1.58k views • 142 slides

More recommend