Abstract
Role-Based Access Control (RBAC) is one of the most widely used models for designing and implementing security policies in large networking systems. The basic RBAC model does not consider temporal aspects, which are important in such policies. Temporal RBAC (TRBAC) was proposed to deal with these temporal aspects. Despite the elegance of these models, designing a security policy remains a challenge: designers must ensure the consistency and correctness of the policy. Formal methods provide techniques for proving that the designed policy is consistent. In this paper, we present a formal modelling and analysis approach for TRBAC policies. This approach uses the Hierarchical Timed Coloured Petri Nets (HTCPN) formalism to model the TRBAC policy, and the CPN-tool to analyse the generated models. The timed aspect of HTCPN facilitates the consideration of the temporal constraints introduced in TRBAC. The hierarchical aspect of HTCPN makes the model “manageable”, in spite of the complexity of the TRBAC policy specification. The analysis phase allows the verification of many important properties of the TRBAC security policy.
Change history
05 July 2019
In the original publication of this article, the third author’s name was incorrectly published.
Acknowledgements
The authors thank the anonymous reviewers for their invaluable feedback on this work. The authors thank Mrs. Soltana Chaouch, the engineer of computer science in the court of Biskra city, for her support during the achievement of this work.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants performed by any of the authors.
Cite this article
Ben Attia, H., Kahloul, L., Benhazrallah, S. et al. Using Hierarchical Timed Coloured Petri Nets in the formal study of TRBAC security policies. Int. J. Inf. Secur. 19, 163–187 (2020). https://doi.org/10.1007/s10207-019-00448-9
DOI: https://doi.org/10.1007/s10207-019-00448-9