rigorous analysis of uml access
play

Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , - PowerPoint PPT Presentation

Aug 25, 2023 •371 likes •834 views

Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , Robert France and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, Colorado Security Policies Security policies Expressed by different

  1. Rigorous Analysis of UML Access Control Policy Models Wuliang Sun , Robert France and Indrakshi Ray Computer Science Department Colorado State University Fort Collins, Colorado

  2. Security Policies  Security policies  Expressed by different languages XACML, OWL/RDF, CIM/SPL, PONDER, UML   Errors in policy models  Can cause security breaches that have serious consequences  Correcting the errors once policies are deployed can be expensive  Need error detection before policies are deployed

  3. Motivation  We use UML (Unified Modeling Language) for policy specification  UML together with OCL can be used to provide a formal and graphical representation of security policies  UML is the de facto specification language used in the software industry  UML policy models can be transformed to code using existing technologies

  4. Motivation  Using UML (Unified Modeling Language) as a policy specification language  Challenge: few mature tools supporting rigorous analysis of UML models  Solution: Transform UML to Alloy for automated model analysis

  5. Approach  Rigorous analysis of UML access control policy models  Front-end: use UML to describe security policies  Back-end: use Alloy Analyzer to analyze the modeled properties  Transformation between UML and Alloy: obviate the need for security designers to understand the Alloy language

  6. Approach Overview 6

  7. Background: SUDA  Scenario-based UML Design Analysis (SUDA)  A design class model with operation specifications is transformed to a static model of behavior, called a snapshot model.  A snapshot is an object configuration that represents a state of the system at a particular time.  A snapshot transition describes the behavior of an operation in terms of its before and after effect on the system state. 7

  8. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 8

  9. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 9

  10. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 10

  11. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 11

  12. Background: Snapshot Model Example of a snapshot model generated from a class model  UML Class Model UML Snapshot Model 12

  13. Background: SUDA  SUDA vs. Our approach  SUDA: is the given scenario supported by the UML class model?  Our approach: is there a scenario supported by the UML class model that starts in a specified valid state and ends in a specified invalid state? 13

  14. Approach Overview 14

  15. Background: Dynamic Analysis using Alloy  Alloy  Model = signatures + facts + predicates (operation specifications)  Facts: define constraints on the elements of the model  Predicates: probe model  Trace mechanism: specify a fact to associate the transitions triggered by operation invocations with states defined by signatures 15

  16. Snapshot Model to Alloy Model Transformation  Step 1: Transform each class that is part of Snapshot class to a signature in Alloy sig Role{} sig User{} 16

  17. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 17

  18. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 18

  19. Snapshot Model to Alloy Model Transformation  Step 2: Transform the Snapshot class to a Snapshot signature containing fields that specify the object configurations within a snapshot sig Snapshot{ // Object fields roles: set Role, users: set User, // Link fields ASSIGN: User set->set Role, } { // Linked objects must exist in the snapshot ASSIGN=ASSIGN:>roles&users<: ASSIGN } 19

  20. Snapshot Model to Alloy Model Transformation  Step 3: Transform each Transition pred AssignRole[disj before, after: Snapshot, specialization to a rPre, rPost: Role, uPre, uPost: User] { // Precondition predicate in Alloy rPre in before.roles uPre in before.users rPre not in uPre.(before.ASSIGN) // Postcondition rPost in after.roles uPost in after.users uPost.(after.ASSIGN) = uPre.(before.ASSIGN) + rPost // Unchanged object configuration ….. } 20

  21. Snapshot Model to Alloy Model Transformation  Step 3: Transform each Transition specialization to a predicate in Alloy pred AssignRole[disj before, after: Snapshot, rPre, rPost: Role, uPre, uPost: User]{ Context AssignRole inv: // Precondition uPre.ASSIGN->excludes(rPre) rPre not in uPre.(before.ASSIGN) … … … // Postcondition uPost.ASSIGN = uPost.(after.ASSIGN) = uPre.(before.ASSIGN) + uPre.ASSIGN->including(rPost) rPost … … … // Unchanged object configuration after.roles->excluding(rPost)= after.roles – rPost = before.roles – rPre before.roles->excluding(rPre) … … } 21

  22. Snapshot Model to Alloy Model Transformation  Step 4: Define a trace fact to associate transitions between two consecutive snapshots with operations fact traces{ all before: Snapshot - SnapshotSequence/last | let after = SnapshotSequence/next[before] | Some r: Role | some u: User | AssignRole[before, after, r, r, u, u] } 22

  23. Approach Overview 23

  24. Alloy Instance to UML Object Model Transformation Alloy Instance A Sequence of UML Object Models 24

  25. Research Goal  Analysis: check whether a system can move from a valid to an invalid state as result of a sequence of access control operation calls  If analysis uncovers such a sequence, then the designer uses the trace information output by the analysis to help find the source of the errors in the UML policy model 25

  26. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 26

  27. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 27

  28. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 28

  29. Demonstration Case Study: LRBAC  Location-aware Role-based Access Control (LRBAC) Model 29

  30. Demonstration Case Study: LRBAC  Operation specifications in form of pre/post- conditions for DeleteRoleAssignLocation // English specification: remove a location from a set of locations // in which a role can be assigned Context Role::DeleteRoleAssignLocation(l:Location) Precondition: location l has been associated with the role Postcondition: location l has been removed from a set of locations // OCL specification: remove a location from a set of locations // in which a role can be assigned Context Role::DeleteRoleAssignLocation(l:Location) Pre: self.AssignLoc->includes(l) Post: self.AssignLoc=self.AssignLoc@pre->excluding(l) 30

  31. Demonstration Case Study: Specifying the Property-to-Verify  Valid and Invalid LRBAC Snapshot Patterns  Is there a sequence of operation invocations that takes the system from a valid state consisting of at least one user in a location to an invalid state in which the user is linked to a role that does not include the user’s location? 31

  32. Demonstration Case Study: Generating the LRBAC Snapshot Model 32

  33. Demonstration Case Study: Generating an LRBAC Alloy Model  Role_DeleteRoleAssignLocation predicate generated from the class invariant pred Role_DeleteRoleAssignLocation[disj before,after :Snapshot, rPre, rPost:Role, lPre, lPost:Location] { // Precondition Pre in rPre.(before.AssignLoc) … // Postcondition rPost.(after.AssignLoc) = rPre.(before.AssignLoc) – lPost… // Unchanged parts of object configuration after.roles - rPost = before.roles – rPre … } 33

  34. Demonstration Case Study: Analyzing the Alloy Model  The verification predicate generated from the property-to-verify pred valid2invalid{ // Specify that the first snapshot is valid let first = SnapshotSequence/first | … all u:first.users | u.(first.UserAssign) = none and u.(first.UserLoc) != none … Valid Snapshot // Query whether there exists a path from a valid // state to an invalid state some s: Snapshot - first | … l not in r.(s.AssignLoc) and r in u.(s.UserAssign) and l in u.(s.UserLoc) } Invalid Snapshot 34

  35. Demonstration Case Study: Analyzing the Alloy Model First Snapshot: Valid Second Snapshot: Valid 35

  36. Demonstration Case Study: Analyzing the Alloy Model Third Snapshot: Valid Fourth Snapshot: Invalid 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Conducting rigorous research on large open-access developmental datasets Amy Orben Department

Conducting rigorous research on large open-access developmental datasets Amy Orben Department

Conducting rigorous research on large open-access developmental datasets Amy Orben Department of Experimental Psychology, University of Oxford ABCD Workshop, Portland @OrbenAmy 1 1. Curbing analytical flexibility 2. Preregistration +

988 views • 78 slides
Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points

Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points

Rigorous Reading Doug Fisher &amp; Nancy Frey April 7, 2015 5 Access Points Purpose and Modeling Close and Scaffolded Reading Collabora9ve Conversa9ons Wide, Independent

678 views • 55 slides
Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour,

Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour,

RTI International Three Techniques for Rigorous Analysis of Intensive Within-person Experiments Ty A. Ridenour, Ph.D., M.P.E. Behavioral Health Epidemiology, Research Triangle Institute Center on Education and Drug Abuse Research, U. Pittsburgh

376 views • 26 slides
Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability Testing by J. Dumas, J. Redish R.I.T S. Ludi/R. Kuehl p. 1 R I T Software Engineering Summarize and Analyze Test Data Qualitative data -

598 views • 31 slides
A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned

A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned

A Rigorous Curriculum A rigorous curriculum is an inclusive set of intentionally aligned components- clear learning outcomes with matching assessments, engaging learning experiences and instructional strategies - organized into sequenced units

431 views • 22 slides
Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation =

Why Algorithmic and Rigorous Polynomial Approximations? Rigorous Polynomial Approximation = Polynomial + error bound Rigorous methods Algorithmic methods Efficient and accurate 1/16 Multinormval Why Algorithmic and Rigorous Polynomial

1.12k views • 98 slides
Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability

Rigorous Evaluation Analysis and Reporting Structure is from A Practical Guide to Usability Testing by J. Dumas, J. Redish Results from Usability Tests Quantitative data: Performance data - times, error rates, etc. Subjective

392 views • 26 slides
Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing

Rigorous Evaluation Usability Testing What is Usability Testing? Formal and rigorous testing using a structured process Validate adherence to interaction requirements Actual users who perform realistic and representative tasks

490 views • 38 slides
Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas

Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas

Multicultural Issues and Awareness in Subject Representation and Access Subject Analysis and Access (SAA) Section Presenters: Andreas Oskar Kempf, National Library of Economics, Germany Athena Salaba, Kent State University, USA Session 155:

220 views • 17 slides
Geometry as made rigorous by Euclid and Descartes David Pierce October ,

Geometry as made rigorous by Euclid and Descartes David Pierce October ,

Geometry as made rigorous by Euclid and Descartes David Pierce October , Contents Hilberts geometry Introduction Analysis and synthesis Origins of geometry

954 views • 47 slides
Rigorous approach to the derivation of 1D models for wave propagation in electrical networks

Rigorous approach to the derivation of 1D models for wave propagation in electrical networks

Rigorous approach to the derivation of 1D models for wave propagation in electrical networks Patrick Joly (INRIA) EPI POEMS (UMR CNRS-ENSTA-INRIA) e with G. Beck (Poems, INRIA) and S. Imperiale (M3DISIM, INRIA) Analysis and Numerics of

1.42k views • 98 slides
from rigorous science from rigorous science to impactful practice to impactful

from rigorous science from rigorous science to impactful practice to impactful

September 17, 2009 September 17, 2009 from rigorous science from rigorous science to impactful practice to impactful practice 1 Stay Tuned Stay Tuned Toward elimination of healthcare associated infections Toward

299 views • 25 slides
Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad

Acumen A Cyber-Physical (CPS) Modeling Language Rigorous Simulation Walid Taha Halmstad University and Rice University Rigorous Simulation Aaron Ames, Kevin Atkinson , Jerker Bengtsson, Raktim Bhattacharya, Paul Brauner, Robert Cartwright,

887 views • 44 slides
A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access :

A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access :

A New System for Big Music Data Analysis Daniel Wolff The DML System Provides ... Access : Systematic exploration of heterogenuous and large music libraries Control : Interfacing with complex automatic music analysis tools Analysis

466 views • 8 slides
A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog

A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog

A Prospective Analysis of In a nutshell Analog Audio Recording with To access an analog synthesizer online, for high-quality recording Web Servers With batched access, it optimizes user and system time Lucas Zawacki A prototype

263 views • 4 slides
Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

The Kernel of Truth 1 N. Shankar Computer Science Laboratory SRI International Menlo Park, CA Mar 3, 2010 1 This research was supported NSF Grants CSR-EHCS(CPS)-0834810 and CNS-0917375. Overview Deduction can be carried out by rigorous

510 views • 36 slides
On Using UML Diagrams to Identify and Assess Software Design Smells Thorsten Haendler Vienna

On Using UML Diagrams to Identify and Assess Software Design Smells Thorsten Haendler Vienna

13th International Conference on Software Technologies (ICSOFT 2018) On Using UML Diagrams to Identify and Assess Software Design Smells Thorsten Haendler Vienna University of Economics and Business (WU Vienna) thorsten.haendler@wu.ac.at

403 views • 17 slides
UML big picture Perdita Stevens School of Informatics University of Edinburgh Plan Whence

UML big picture Perdita Stevens School of Informatics University of Edinburgh Plan Whence

UML big picture Perdita Stevens School of Informatics University of Edinburgh Plan Whence UML? Parts of UML How it all fits together UML as a language Consistency: what does it mean, do we need it? Defining UML

600 views • 17 slides
UML Diagrams CSE 403 Think of it as A more concise and accurate documentation of

UML Diagrams CSE 403 Think of it as A more concise and accurate documentation of

UML Diagrams CSE 403 Think of it as A more concise and accurate documentation of software architecture than English A way to guide discussion to reveal assumptions and miscommunications A compact and quick way to take notes in

314 views • 15 slides
sixfw thinking ipv6 first an easy-to-use, non-bloated firewall that thinks IPv6 first Vision

sixfw thinking ipv6 first an easy-to-use, non-bloated firewall that thinks IPv6 first Vision

sixfw thinking ipv6 first an easy-to-use, non-bloated firewall that thinks IPv6 first Vision power up get ULA (fc00::/7) surf https://[fd00::1]/ set-up packet filter NA T64 Maybe? pc engines apu.1d2 1ghz

374 views • 10 slides
UML meets XP Position statement for UML + extremity workshop, UML2001 Alan Cameron Wills Trireme

UML meets XP Position statement for UML + extremity workshop, UML2001 Alan Cameron Wills Trireme

UML meets XP Position statement for UML + extremity workshop, UML2001 Alan Cameron Wills Trireme International Ltd www.trireme.com alan@trireme.com I have always been a strong believer and practitioner of the JFDI approach to

409 views • 14 slides
Simple Example of a UML Design BorrowerService Subsystem Design Robert France CSU This is a

Simple Example of a UML Design BorrowerService Subsystem Design Robert France CSU This is a

Simple Example of a UML Design BorrowerService Subsystem Design Robert France CSU This is a simple model of the Library System. In this model there is only one subsystem (other than the User Interface subsystem). The checkOut and return

366 views • 4 slides
Theoretical Foundations of the UML Lecture 14: Realising Local-Choice MSGs Joost-Pieter Katoen

Theoretical Foundations of the UML Lecture 14: Realising Local-Choice MSGs Joost-Pieter Katoen

Theoretical Foundations of the UML Lecture 14: Realising Local-Choice MSGs Joost-Pieter Katoen Lehrstuhl fr Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ss-20/fuml/ June 9, 2020 Joost-Pieter Katoen

964 views • 26 slides
Modeling with UML Chapter 2, lecture 1, Overview: modeling with UML What is modeling?

Modeling with UML Chapter 2, lecture 1, Overview: modeling with UML What is modeling?

Object-Oriented Software Engineering Using UML, Patterns, and Java Modeling with UML Chapter 2, lecture 1, Overview: modeling with UML What is modeling? What is UML? Use case diagrams Class diagrams Sequence diagrams Bernd

357 views • 22 slides

More recommend