Static verification of security requirements in role based CSCW systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Static verification of security requirements in role based CSCW systems

Full text

Pdf (261 KB)

Source

Symposium on Access Control Models and Technologies archive
Proceedings of the eighth ACM symposium on Access control models and technologies table of contents

Como, Italy

SESSION: Verification table of contents

Pages: 196 - 203

Year of Publication: 2003

ISBN:1-58113-681-1

Authors

Tanvir Ahmed	University of Minnesota, Minneapolis, MN
Anand R. Tripathi	University of Minnesota, Minneapolis, MN

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 5, Downloads (12 Months): 59, Citation Count: 7

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/775412.775438 What is a DOI?

ABSTRACT

In this paper, we present static verification of security requirements for CSCW systems using finite-state techniques, i.e., model checking. The coordination and security constraints of CSCW systems are specified using a role based collaboration model. The verification ensures completeness and consistency of the specification given global requirements. We have developed several verification models to check security properties, such as task-flow constraints, information flow or confidentiality, and assignment of administrative privileges. The primary contribution of this paper is a methodology for verification of security requirements during designing collaboration systems.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002 [doi>10.1145/581271.581276]
	2	Elisa Bertino , Elena Ferrari , Vijayalakshmi Atluri, A flexible model supporting the specification and enforcement of role-based authorization in workflow management systems, Proceedings of the second ACM workshop on Role-based access control, p.1-12, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266746]
	3	Roy H. Campbell , A. Nico Habermann, The specification of process synchronization by path expressions, Operating Systems, Proceedings of an International Symposium, p.89-102, April 23-25, 1974
	4	S. Castano, P. Samarati, and C. Villa. Verifying System Security Using Petri Nets. In Security Technology, 1993. Security Technology, Proceedings. Institute of Electrical and Electronics Engineers 1993 International Carnahan Conference on, pages 244--250, Oct 1993.
	5	James C. Corbett , Matthew B. Dwyer , John Hatcliff , Shawn Laubach , Corina S. Păsăreanu , Robby , Hongjun Zheng, Bandera: extracting finite-state models from Java source code, Proceedings of the 22nd international conference on Software engineering, p.439-448, June 04-11, 2000, Limerick, Ireland [doi>10.1145/337180.337234]
	6	Dorothy Elizabeth Rob Denning, Cryptography and Data Security, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1982
	7	Rik Eshuis , Roel Wieringa, Verification support for workflow design with UML activity graphs, Proceedings of the 24th International Conference on Software Engineering, May 19-25, 2002, Orlando, Florida [doi>10.1145/581339.581362]
	8	S. Foley and J. Jacob. Specifying Security for Computer Supported Collaborative Computing. Journal of Computer Security, 3(4):233--253, 1995.
	9	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976 [doi>10.1145/360303.360333]
	10	Gerard J. Holzmann, The Model Checker SPIN, IEEE Transactions on Software Engineering, v.23 n.5, p.279-295, May 1997 [doi>10.1109/32.588521]
	11	Trent Jaeger , Jonathon E. Tidswell, Practical safety in flexible access control models, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.158-190, May 2001 [doi>10.1145/501963.501966]
	12	W. Janssen, R. Mateescu, S. Mauw, and J. Springintveld. Verifying Business Processes using Spin. In Proc. of 4th International SPIN Workshop, 1998.
	13	Emil Lupu , Morris Sloman, Reconciling role based management and role based access control, Proceedings of the second ACM workshop on Role-based access control, p.135-141, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266770]
	14	Paolo Maggi , Riccardo Sisto, Using SPIN to Verify Security Properties of Cryptographic Protocols, Proceedings of the 9th International SPIN Workshop on Model Checking of Software, p.187-204, April 11-13, 2002
	15	P. Muth, D. Wodtke, J. Weissenfels, G. Weikum, and A. Kotz~Dittrich. Enterprise-wide Workflow Management based on State and Activity Charts, Workflow Management Systems and Interoperability in: A. Dogac, L. Kalinichenko, T. Ozsu, A. Sheth (Eds.):. Springer Verlag, 1998.
	16	Andrew C. Myers , Barbara Liskov, A decentralized model for information flow control, Proceedings of the sixteenth ACM symposium on Operating systems principles, p.129-142, October 05-08, 1997, Saint Malo, France
	17	Matunda Nyanchama , Sylvia Osborn, The role graph model and conflict of interest, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.3-33, Feb. 1999 [doi>10.1145/300830.300832]
	18	Sylvia L. Osborn, Information flow analysis of an RBAC system, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA [doi>10.1145/507711.507738]
	19	P. Roberts and J.-P. Verjus. Towards Autonomous Descriptions of Synchronization Modules. In Proc. of IFIP Congress, pages 981--986, 1977.
	20	P. Ryan , J. McLean , J. Millen , V. Gligor, Non-Interference: Who Needs It?, Proceedings of the 14th IEEE Workshop on Computer Security Foundations, p.237, June 11-13, 2001
	21	Ravi S. Sandhu, The Typed Access Matrix Model, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.122, May 04-06, 1992
	22	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	23	L. Snyder. Formal Models of Capability-Based Protection Systems. IEEE Transactions on Computers, C-30(3):172--181, March 1981.
	24	Roshan K. Thomas, Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments, Proceedings of the second ACM workshop on Role-based access control, p.13-19, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266748]
	25	R. K. Thomas and R. S. Sandhu. Conceptual Foundations for a Model of Task-based Authorizations. In IEEE Computer Security Foundations Workshop, pages 66--79, 1994.
	26	Anand R. Tripathi , Tanvir Ahmed , Richa Kumar, Specification of Secure Distributed Collaboration Systems, Proceedings of the The Sixth International Symposium on Autonomous Decentralized Systems (ISADS'03), p.149, April 09-11, 2003
	27	Anand R. Tripathi , Tanvir Ahmed , Richa Kumar , Shremattie Jaman, Design of a Policy-Driven Middleware for Secure Distributed Collaboration, Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02), p.393, July 02-05, 2002
	28	A. Zakinthinos , E. S. Lee, A general theory of security properties, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.94, May 04-07, 1997

CITED BY 7

	Kathi Fisler , Shriram Krishnamurthi , Leo A. Meyerovich , Michael Carl Tschantz, Verification and change-impact analysis of access-control policies, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA
	Devdatta Kulkarni , Anand Tripathi, Generative Programming Approach for Building Pervasive Computing Applications, Proceedings of the 1st International Workshop on Software Engineering for Pervasive Computing Applications, Systems, and Environments, p.3, May 20-26, 2007
	Keith Irwin , Ting Yu , William H. Winsborough, Enforcing security properties in task-based systems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
	Tiziana Margaria , Bernhard Steffen, Middleware: just another level for orchestration, Proceedings of the 2007 Workshop on Middleware for next-generation converged networks and applications, p.1-6, November 26-26, 2007, Port Beach, California
	Nan Zhang , Mark Ryan , Dimitar P. Guelev, Synthesising verified access control systems through model checking, Journal of Computer Security, v.16 n.1, p.1-61, January 2008
	Dan Lin , Prathima Rao , Elisa Bertino , Jorge Lobo, An approach to evaluate policy similarity, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	Tanvir Ahmed , Anand R. Tripathi, Specification and verification of security requirements in a programming model for decentralized CSCW systems, ACM Transactions on Information and System Security (TISSEC), v.10 n.2, p.7-es, May 2007