When Role Models Have Flaws: Static Validation of Enterprise Security Policies

Minneapolis, Minnesota May 20-May 26

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/ICSE.2007.98

29th International Conference on Soft ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Marco Pistoia Articles by Stephen J. Fink Articles by Robert J. Flynn Articles by Eran Yahav

	ASCII Text	x
	Marco Pistoia, Stephen J. Fink, Robert J. Flynn, Eran Yahav, "When Role Models Have Flaws: Static Validation of Enterprise Security Policies," Software Engineering, International Conference on, pp. 478-488, 29th International Conference on Software Engineering (ICSE'07), 2007.

	BibTex	x
	@article{ 10.1109/ICSE.2007.98, author = {Marco Pistoia and Stephen J. Fink and Robert J. Flynn and Eran Yahav}, title = {When Role Models Have Flaws: Static Validation of Enterprise Security Policies}, journal ={Software Engineering, International Conference on}, volume = {0}, year = {2007}, issn = {0270-5257}, pages = {478-488}, doi = {http://doi.ieeecomputersociety.org/10.1109/ICSE.2007.98}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Software Engineering, International Conference on TI - When Role Models Have Flaws: Static Validation of Enterprise Security Policies SN - 0270-5257 SP478 EP488 A1 - Marco Pistoia, A1 - Stephen J. Fink, A1 - Robert J. Flynn, A1 - Eran Yahav, PY - 2007 KW - null VL - 0 JA - Software Engineering, International Conference on ER -

Marco Pistoia, IBM Watson Research Center, USA

Stephen J. Fink, IBM Watson Research Center, USA

Robert J. Flynn, Polytechnic University, USA

Eran Yahav, IBM Watson Research Center, USA

Modern multiuser software systems have adopted Role- Based Access Control (RBAC) for authorization management. This paper presents a formal model for RBAC policy validation and a static-analysis model for RBAC systems that can be used to (i) identify the roles required by users to execute an enterprise application, (ii) detect potential inconsistencies caused by principal-delegation policies, which are used to override a user?s role assignment, (iii) report if the roles assigned to a user by a given policy are redundant or insufficient, and (iv) report vulnerabilities that can result from unchecked intra-component accesses. The algorithms described in this paper have been implemented as part of IBM?s Enterprise Security Policy Evaluator (ESPE) tool. Experimental results show that the tool found numerous policy flaws, including ten previously unknown flaws from two production-level applications, with no false-positive reports.

Citation:

Marco Pistoia, Stephen J. Fink, Robert J. Flynn, Eran Yahav, "When Role Models Have Flaws: Static Validation of Enterprise Security Policies," icse, pp.478-488, 29th International Conference on Software Engineering (ICSE'07), 2007

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.