Static Enforcement of Role-Based Access Control

Asad Ali; Maribel Fern\'andez

arXiv:1409.3533·cs.SE·September 12, 2014·WWV

Static Enforcement of Role-Based Access Control

Asad Ali, Maribel Fern\'andez

PDF

TL;DR

This paper introduces a static enforcement method for RBAC policies in Java applications, integrating security into system design and verifying policies at compile time for improved security assurance.

Contribution

It presents a novel static enforcement approach for RBAC in Java, including a policy language, design patterns, and verification techniques.

Findings

01

Effective static verification of RBAC policies in Java

02

Integration of security requirements into system architecture

03

Reduction of runtime security checks

Abstract

We propose a new static approach to Role-Based Access Control (RBAC) policy enforcement. The static approach we advocate includes a new design methodology, for applications involving RBAC, which integrates the security requirements into the system's architecture. We apply this new approach to policies restricting calls to methods in Java applications. We present a language to express RBAC policies on calls to methods in Java, a set of design patterns which Java programs must adhere to for the policy to be enforced statically, and a description of the checks made by our static verifier for static enforcement.

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.