Skip to main content
SpringerLink
Log in

Using Hierarchical Timed Coloured Petri Nets in the formal study of TRBAC security policies

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

A Correction to this article was published on 05 July 2019

This article has been updated

Abstract

Role-Based Access Control (RBAC) is one of the most used models in designing and implementation of security policies, in large networking systems. Basic RBAC model does not consider temporal aspects which are so important in such policies. Temporal RBAC (TRBAC) is proposed to deal with these temporal aspects. Despite the elegance of these models, designing a security policy remains a challenge. Designers must ensure the consistency and the correctness of the policy. The use of formal methods provides techniques for proving that the designed policy is consistent. In this paper, we present a formal modelling/analysis approach of TRBAC policies. This approach uses Hierarchical Timed Coloured Petri Nets (HTCPN) formalism to model the TRBAC policy, and the CPN-tool to analyse the generated models. The timed aspect, in HTCPN, facilitates the consideration of temporal constraints introduced in TRBAC. The hierarchical aspect of HTCPN makes the model “manageable”, in spite of the complexity of TRBAC policy specification. The analysis phase allows the verification of many important properties about the TRBAC security policy.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18

Similar content being viewed by others

Change history

  • 05 July 2019

    In the original publication of this article, the third author’s name was incorrectly published.

Notes

  1. https://drive.google.com/drive/folders/15zYjyRcaZ25L98Mniqqq3VZU4AlC5vrz.

References

  1. Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: a temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3), 191–233 (2001)

    Article  Google Scholar 

  2. Box, D.: Essential COM, 1st edn. Addison-Wesley Longman Publishing Co., Inc., Boston (1997)

    MATH  Google Scholar 

  3. Calvi, A., Ranise, S., Vigano, L.: Automated validation of security-sensitive web services specified in BPEL and RBAC. In: Proceedings of the 2010 12th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC ’10, Washington, DC, USA, 2010, pp. 456–464. IEEE Computer Society

  4. Chen, B.-C., Yang, C.-T., Yeh, H.-T., Lin, C.-C.: Mutual authentication protocol for role-based access control using mobile RFID. Appl. Sci. 6(8), 215 (2016)

    Article  Google Scholar 

  5. Chen, H.-C.J., Violetta, M.A., Yang, C.-Y.: Contract RBAC in cloud computing. J. Supercomput. 66(2), 1111–1131 (2013)

    Article  Google Scholar 

  6. CPN-tool can be downloaded (free for academics) from: http://wiki.daimi.au.dk/cpntools/cpntools.wikim. Accessed 3 June 2017

  7. Cuppens, F., Cuppens-Boulahia, N., Ghorbel-Talbi, M.B., Morucci, S., Essaouni, N.: Smatch: formal dynamic session management model for RBAC. J. Inf. Secur. Appl. 18(1), 30–44 (2013)

    Google Scholar 

  8. Darwish, W., Beznosov, K.: Analysis of ANSI RBAC support in COM+. Comput. Stand. Interfaces 32(4), 197–214 (2010)

    Article  Google Scholar 

  9. Dong, X., Chen, G., Yin, J., Dong, J.: Petri-net-based context-related access control in workflow environment. In: The 7th International Conference on Computer Supported Cooperative Work in Design, pp. 381–384 (2002)

  10. El Hassani, A.A., El Kalam, A.A., Bouhoula, A., Abassi, R., Ouahman, A.A.: Integrity-OrBAC: a new model to preserve critical infrastructures integrity. Int. J. Inf. Secur. 14(4), 367–385 (2015)

    Article  Google Scholar 

  11. El Kalam, A.A., Deswarte, Y.: Multi-OrBAC: a new access control model for distributed, heterogeneous and collaborative systems. In: 8th IEEE International Symposium on Systems and Information Security (2006)

  12. Feng, F., Li, J.: Verification and analysis of access control policy with Colored Petri Net. In: 2009 International Conference on Communication Software and Networks, pp. 610–614 (2009)

  13. Feng, F., Lin, C., Peng, D., Li, J.: A trust and context based access control model for distributed systems. In: 2008 10th IEEE International Conference on High Performance Computing and Communications, pp. 629–634 (2008)

  14. Ferraiolo, D., Kuhn, R.: Role-based access control. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)

  15. Gofman, M.I., Luo, R., Solomon, A.C., Zhang, Y., Yang, P., Stoller, S.D.: RBAC-PAT: A Policy Analysis Tool for Role Based Access Control, pp. 46–49. Springer, Berlin (2009)

    Google Scholar 

  16. Gouglidis, A., Mavridis, I., Hu, V.C.: Security policy verification for multi-domains in cloud systems. Int. J. Inf. Secur. 13(2), 97–111 (2014)

    Article  Google Scholar 

  17. Huang, H., Kirchner, H.: Secure Interoperation in Heterogeneous Systems Based on Colored Petri Nets. Working Paper or Preprint, June (2009)

  18. Jensen, K.: An Introduction to the Theoretical Aspects of Coloured Petri Nets, pp. 230–272. Springer, Berlin (1994)

    Google Scholar 

  19. Jha, S., Sural, S., Vaidya, J., Atluri, V.: Security analysis of temporal RBAC under an administrative model. Comput. Secur. 46, 154–172 (2014)

    Article  Google Scholar 

  20. Jiang, Y., Lin, C., Yin, H., Tan, Z.: Security analysis of mandatory access control model. In: 2004 IEEE International Conference on Systems, Man and Cybernetics (IEEE Cat. No. 04CH37583), vol. 6, pp. 5013–5018 (2004)

  21. Jie, A.: The realization of RBAC model in office automation system. In: 2008 International Seminar on Future Information Technology and Management Engineering, pp. 360–363 (2008)

  22. Joshi, J.B.D., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005)

    Article  Google Scholar 

  23. Juszczyszyn, K.: Verifying enterprise’s mandatory access control policies with Coloured Petri Nets. In: Proceedings of Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003, WET ICE 2003, pp. 184–189 (2003)

  24. Kahloul, L., Djouani, K., Tfaili, W., Chaoui, A., Amirat, Y.: Modeling and Verification of RBAC Security Policies Using Colored Petri Nets and CPN-Tool, pp. 604–618. Springer, Berlin (2010)

    Google Scholar 

  25. Kim, K., Fox, G.C.: XGSP-RBAC: access control mechanism based on RBAC model in ubiquitous collaboration system (2009)

  26. Knorr, K.: Dynamic access control through Petri net workflows. In: 16th Annual Conference on Computer Security Applications, 2000. ACSAC ’00, pp. 159–167 (2000)

  27. Knorr, K.: Multilevel security and information flow in Petri net workflows. Technical report. In: Proceedings of the 9th International Conference on Telecommunication Systems—Modeling and Analysis, Special Session on Security Aspects of Telecommunication Systems, pp. 9–20. IEEE Computer Society Press, Dallas, Los Alamitos, USA (2001)

  28. Kosiyatrakul, T., Older, S., Chin, S.-K.: A Modal Logic for Role-Based Access Control, pp. 179–193. Springer, Berlin (2005)

    Google Scholar 

  29. Li, D., Liu, C., Liu, B.: H-RBAC: a hierarchical access control model for SAAS systems. Int. J. Mod. Educ. Comput. Sci. 5, 47–53 (2011)

    Article  Google Scholar 

  30. Liang, Z., Bai, S.: Role based workflow modeling. In: 2006 IEEE International Conference on Systems, Man and Cybernetics, vol. 6, pp. 4845–4849 (2006)

  31. Luo, J., Wang, H., Gong, X., Li, T.: A novel role-based access control model in cloud environments. Int. J. Comput. Intell. Syst. 9(1), 1–9 (2016)

    Article  Google Scholar 

  32. Masood, R., Shibli, M.A., Ghazi, Y., Kanwal, A., Ali, A.: Cloud authorization: exploring techniques and approach towards effective access control framework. Front. Comput. Sci. 9(2), 297–321 (2015)

    Article  MathSciNet  Google Scholar 

  33. Mondal, S., Sural, S.: Security analysis of temporal-RBAC using timed automata. In: Fourth International Conference on Information Assurance and Security, 2008. ISIAS’08, pp. 37–40. IEEE (2008)

  34. Mondal, S., Sural, S., Atluri, V.: Security analysis of GTRBAC and its variants using model checking. Comput. Secur. 30(23), 128–147 (2011)

    Article  Google Scholar 

  35. Murata, T.: Petri Nets and Their Application an Introduction, pp. 351–368. Springer, Boston (1984)

    Google Scholar 

  36. Nezar, N., Eric, S.: Security service design for the RMI distributed system based on parameterized RBAC. In: The Proceeding of the International Multi-Conference of Engineers and Computer Scientists, vol. I, pp. 1–6 (2011)

  37. Pang, J., Zhang, Y.: A new access control scheme for Facebook-style social networks. Comput. Secur. 54, 44–59 (2015)

    Article  Google Scholar 

  38. Ranchal, R., Bhargava, B., Fernando, R., Lei, H., Jin, Z.: Privacy preserving access control in service-oriented architecture. In: 2016 IEEE International Conference on Web Services (ICWS), pp. 412–419 (2016)

  39. Ranise, S., Truong, A., Armando, A.: Scalable and precise automated analysis of administrative temporal role-based access control. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, pp. 103–114. ACM (2014)

  40. Venkateswar Rao, K., Srinivasa Rao, M., Mrunalini Devi, K., Sravan Kumar, D., Upendra Kumar, M.: Web services security architectures using role-based access control. Int. J. Comput. Sci. Inf. Technol. 1(5), 402–407 (2010)

    Google Scholar 

  41. Nagarajan, S., Gopalan, N.P.: A dynamic context aware role based access control secure user authentication algorithm for wireless networks. Int. J. Appl. Eng. Res. 11(6), 4141–4143 (2016)

    Google Scholar 

  42. Sabri, K.E.: Automated verification of role-based access control policies constraints using Prover9 (2015). CoRR, arxiv:1503.07645

  43. Sabri, K.E., Obeid, N.: A temporal defeasible logic for handling access control policies. Appl. Intell. 44(1), 30–42 (2016)

    Article  Google Scholar 

  44. Sandhu, R., Ferraiolo, D.F., Kuhn, D.R.: The NIST model for role-based access control: towards a unified standard. In: The Fifth ACM Workshop on Role-Based Access Control (RBAC ’00), pp. 47–63 (2000)

  45. Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2(1), 105–135 (1999)

    Article  Google Scholar 

  46. Shafiq, B., Masood, A., Joshi, J., Ghafoor, A.: A role-based access control policy verification framework for real-time systems. In: 10th IEEE International Workshop on Object-Oriented Real-Time Dependable Systems, pp. 13–20 (2005)

  47. Sohr, K., Mustafa, T., Bao, X., Ahn, G.J.: Enforcing role-based access control policies in web services with UML and OCL. In: 2008 Annual Computer Security Applications Conference (ACSAC), pp. 257–266 (2008)

  48. Song, M., Pang, Z.: Specification of SA-RBAC policy based on Colored Petri Net. In: 2008 IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology, vol. 3, pp. 207–210 (2008)

  49. Steele, R., Min, K.: Role-based access to portable personal health records. In: 2009 International Conference on Management and Service Science, pp. 1–4 (2009)

  50. Tapiador, A., Carrera, D., Salvachúa, J.: Tie-RBAC: an application of RBAC to social networks (2012). CoRR, arxiv:1205.5720

  51. The site of standard ML (SML), adopted in CPN-tool, is: http://www.lfcs.inf.ed.ac.uk/software/ML/. Accessed 3 June 2017

  52. Toahchoodee, M., Ray, I.: On the formalization and analysis of a spatio-temporal role-based access control model. J. Comput. Secur. 19(3), 399–452 (2011)

    Article  Google Scholar 

  53. Uzun, E., Atluri, V., Vaidya, J., Sural, S., Ferrara, A.L., Parlato, G., Madhusudan, P.: Security analysis for temporal role based access control. J. Comput. Secur. 22(6), 961–996 (2014)

    Article  Google Scholar 

  54. Walvekar, A., Smith, M., Kelkar, M., Gamble, R.: Using Petri nets to detect access control violations in a system of systems. In: The Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (2006)

  55. Wang, X., Bayrak, C.: Injecting a permission-based delegation model to secure web-based workflow systems. In: 2009 IEEE International Conference on Intelligence and Security Informatics, pp. 101–106 (2009)

  56. Yu, S., Brewster, J.J.: Formal specification and implementation of RBAC model with SOD. J. Softw. 7(4), 870–877 (2012)

    Article  Google Scholar 

  57. Zhang, Z., Hong, F., Xiao, H.: Verification of strict integrity policy via Petri nets. In: International Conference on Systems and Networks Communications, 2006. ICSNC ’06, pp. 23–23 (2006)

  58. Zhou, Y., Ma, L., Wen, M.: A multi-level dynamic access control model and its formalization. In: 2015 2nd International Conference on Information Science and Control Engineering, pp. 23–27 (2015)

  59. Zhu, Y., Huang, D., Hu, C.J., Wang, X.: From RBAC to ABAC: constructing flexible data access control for cloud storage services. IEEE Trans. Serv. Comput. 8(4), 601–616 (2015)

    Article  Google Scholar 

Download references

Acknowledgements

The authors thank the anonymous reviewers for their invaluable feedback on this work. The authors thank Mrs. Soltana Chaouch, the engineer of computer science in the court of Biskra city, for her support during the achievement of this work.

Author information

Authors and Affiliations

  1. LINFI Laboratory, Biskra University, Biskra, Algeria

    Hasiba Ben Attia, Laid Kahloul & Samir Bourekkache

  2. LINFI Laboratory, Batna 2 University, Batna, Algeria

    Saber Benhazrallah

Authors
  1. Hasiba Ben Attia
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Laid Kahloul
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Saber Benhazrallah
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Samir Bourekkache
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Laid Kahloul.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ben Attia, H., Kahloul, L., Benhazrallah, S. et al. Using Hierarchical Timed Coloured Petri Nets in the formal study of TRBAC security policies. Int. J. Inf. Secur. 19, 163–187 (2020). https://doi.org/10.1007/s10207-019-00448-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-019-00448-9

Keywords

Search

Navigation