Verifying Access Control in Statecharts

Access control is one the main security mechanisms for software applications. It ensures that all accesses conform to a predefined access control policy. It is important to check that the access control policy is well implemented in the system. When following an MDD methodology it may be necessary to check this early during the development lifecycle, namely when modeling the application. This paper tackles the issue of verifying access control policies in statecharts. The approach is based on the transformation of a statechart into an Algebraic Petri net to enable checking access control policies and identifying potential inconsistencies with an OrBAC set of access control policies. Our method allows locating the part of the statechart that is causing the problem. The approach has been successfully applied to a Library Management System. Based on our proposal a tool for performing the transformation and localization of errors in the statechart has been implemented.