Authors: Marius Schlegel and Peter Amthor
Affiliation: Technische Universität Ilmenau, Germany
Keyword(s): Security Engineering, Security Policies, Access Control, Role-based Access Control Models, RBAC, Heuristic Safety Analysis, Formal Methods.
Abstract:
Despite defining a de facto standard in model-based security engineering, role-based access control models still suffer from limited analysis capabilities. This is especially true for dynamic security properties in the lineage of HRU safety. As a consequence, despite their widespread use for policy specification and implementation, it is difficult to provide and preserve correctness guarantees for such models. We propose a formal framework, called DRBAC, to resolve this dilemma: while retaining application-oriented model abstractions, our approach allows their dynamics to be configured in terms of state transitions. This enables a security engineer to tailor both a model and its analysis method to certain safety-related analysis goals. We demonstrate this claim based on a practical security policy.