Title :
Verifying Access Control Properties with Design by Contract: Framework and Lessons Learned
Author :
Rubio-Medrano, Carlos E. ; Ahn, Gail-Joon ; Sohr, Karsten
Author_Institution :
Ira. A. Fulton Schools of Eng., Arizona State Univ., Tempe, AZ, USA
Abstract :
Ensuring the correctness of high-level security properties including access control policies in mission-critical applications is indispensable. Recent literature has shown how immaturity of such properties has caused serious security vulnerabilities, which are likely to be exploited by malicious parties for compromising a given application. This situation gets aggravated by the fact that modern applications are mostly built on previously developed reusable software modules and any failures in security properties in these reusable modules may lead to vulnerabilities across associated applications. In this paper, we propose a framework to address this issue by adopting Design by Contract (DBC) features. Our framework accommodates security properties in each application focusing on access control requirements. We demonstrate how access control requirements based on ANSI RBAC standard model can be specified and verified at the source code level.
Keywords :
authorisation; formal specification; formal verification; safety-critical software; ANSI RBAC standard model; DBC features; access control property verification; access control requirements specification; access control requirements verification; design by contract; mission-critical applications; source code level; ANSI standards; Access control; Contracts; Java; Runtime; Software; access control; formal verification; security;
Conference_Titel :
Computer Software and Applications Conference (COMPSAC), 2013 IEEE 37th Annual
Conference_Location :
Kyoto
DOI :
10.1109/COMPSAC.2013.7
