Modularity and Dynamic Adaptation of Flexibly Secure Systems: Model-Driven Adaptive Delegation in Access Control Management

Model-Driven Security (Mds) is a specialized Model-Driven Engineering (Mde) approach for supporting the development of secure systems. Model-Driven Security aims at improving the productivity of the development process and quality of the resulting secure systems, with models as the main artifact. Among the variety of models that have been studied in a Model-Driven Security perspective, one can mention access control models that specify the access rights. So far, these models mainly focus on static definitions of access control policies, without taking into account the more complex, but essential, delegation of rights mechanism. Delegation is a meta-level mechanism for administrating access rights, which allows a user without any specific administrative privileges to delegate his/her access rights to another user. This paper gives a formalization of access control and delegation mechanisms, and analyses the main hard-points for introducing various advanced delegation semantics in Model-Driven Security. Then, we propose a modular model-driven framework for 1) specifying access control, delegation and the business logic as separate concerns; 2) dynamically enforcing/weaving access control policies with various delegation features into securitycritical systems; and 3) providing a flexibly dynamic adaptation strategy. We demonstrate the feasibility and effectiveness of our proposed solution through the proof-of-concept implementations of different componentbased systems running on different adaptive execution platforms, i.e. OSGi and Kevoree.