Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
ICSE
2007
IEEE-ACM
2007
IEEE-ACM
When Role Models Have Flaws: Static Validation of Enterprise Security Policies
Modern multiuser software systems have adopted RoleBased Access Control (RBAC) for authorization management. This paper presents a formal model for RBAC policy validation and a static-analysis model for RBAC systems that can be used to (i) identify the roles required by users to execute an enterprise application, (ii) detect potential inconsistencies caused by principal-delegation policies, which are used to override a user's role assignment, (iii) report if the roles assigned to a user by a given policy are redundant or insufficient, and (iv) report vulnerabilities that can result from unchecked intra-component accesses. The algorithms described in this paper have been implemented as part of IBM's Enterprise Security Policy Evaluator (ESPE) tool. Experimental results show that the tool found numerous policy flaws, including ten previously unknown flaws from two production-level applications, with no false-positive reports.
Real-time TrafficICSE 2007 | Numerous Policy Flaws | RBAC Policy Validation | Security Policy Evaluator | Software Engineering |
| Added | 09 Dec 2009 |
| Updated | 09 Dec 2009 |
| Type | Conference |
| Year | 2007 |
| Where | ICSE |
| Authors | Marco Pistoia, Stephen J. Fink, Robert J. Flynn, Eran Yahav |
Comments (0)
Researcher Info
|
