Requirements-based Access Control Analysis and Policy Specification

نویسنده

  • Qingfeng He
چکیده

HE, QINGFENG. Requirements-Based Access Control Analysis and Policy Specification. (Under the direction of Dr. Ana (Annie) I. Antón.) Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) define how access is managed and the high-level rules of who can access what information under certain conditions. Traditionally, access control policies have been specified in an ad-hoc manner, leaving systems vulnerable to security breaches. ACP specification is often isolated from requirements analysis, resulting in policies that are not in compliance with system requirements. This dissertation introduces the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method for deriving access control policies from various sources, including software requirements specifications (SRS), software designs, and high-level security/privacy policies. The ReCAPS method is essentially an analysis method supported by a set of heuristics and a software tool: the Security and Privacy Requirements Analysis Tool (SPRAT). The method was developed in two formative case studies and validated in two summative case studies. All four case studies involved operational systems, and ReCAPS evolved as a result of the lessons learned from applying the method to these case studies. Further validation of the method was performed via an empirical study to evaluate the usefulness and effectiveness of the approach. Results from these evaluations indicate that the process and heuristics provided by the ReCAPS method are useful for specifying database-level and application-level ACPs. Additionally, ReCAPS integrates policy specification into software development, thus providing a basic framework for ensuring compliance between different levels of policies, system requirements and software design. The method also improves the quality of requirements specifications and system designs by clarifying ambiguities and resolving conflicts across these artifacts.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

A model for specification, composition and verification of access control policies and its application to web services

Despite significant advances in the access control domain, requirements of new computational environments like web services still raise new challenges. Lack of appropriate method for specification of access control policies (ACPs), composition, verification and analysis of them have all made the access control in the composition of web services a complicated problem. In this paper, a new indepe...

متن کامل

A semantic-aware role-based access control model for pervasive computing environments

Access control in open and dynamic Pervasive Computing Environments (PCEs) is a very complex mechanism and encompasses various new requirements. In fact, in such environments, context information should be used in access control decision process; however, it is not applicable to gather all context information completely and accurately all the time. Thus, a suitable access control model for PCEs...

متن کامل

An automatic test case generator for evaluating implementation of access control policies

One of the main requirements for providing software security is the enforcement of access control policies which aim to protect resources of the system against unauthorized accesses. Any error in the implementation of such policies may lead to undesirable outcomes. For testing the implementation of access control policies, it is preferred to use automated methods which are faster and more relia...

متن کامل

Abstract HE, QINGFENG. Requirements-Based Access Control Analysis and Policy Specification. (Under

HE, QINGFENG. Requirements-Based Access Control Analysis and Policy Specification. (Under the direction of Dr. Ana (Annie) I. Antón.) Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) define how access is managed and the high-level rules of who can access what information under certain conditions. Traditionally, access ...

متن کامل

Requirements-based Access Control Analysis and Policy Specification (ReCAPS)

Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) are security requirements that define how access is managed and the high-level rules of who, under what conditions, can access what information. Traditionally, access control policies are often specified after a system is designed and deployed. Because ACP specification ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2005