Abstract
Access control is a central issue among the overall security goals of information systems. Despite of the existence of a vast literature on the subject, it is still very hard to assure the compliance of a large existing system to a given dynamic access control policy. Based on our previous work on formal islands, we provide in this paper a systematic methodology to weave dynamic, formally specified policies on existing applications using aspect-oriented programming. To that end, access control policies are formalized using term rewriting systems, allowing us to have an agile, modular, and precise way to specify and to ensure their formal termination. These high-level descriptions are then weaved into the existing code, in a manner that the resulting program implements a safe reference monitor for the specified policy. For developers, this provides a systematic process to enforce dynamic policies in a modular and flexible way. Since policies are independently specified and checked to be later weaved into various different applications, the level of reuse is improved. We implemented the approach on test cases with quite encouraging results.

URL:
http://rewerse.net/publications/rewerse-publications.html#REWERSE-RP-2007-052

BibTeX:

@inproceedings{REWERSE-RP-2007-052,
	author = {Anderson Santana de Oliveira and Eric Ke Wang and Claude Kirchner and H\'{e}lène Kirchner},
	title = {Weaving Rewrite-Based Access Control Policies},
	booktitle = {Proceedings of 5th ACM Workshop on Formal Methods in Security Engineering: From Specifications to Code, George Mason University, USA (2nd November 2007)},
	year = {2007},
	pages = {71--80},
	url = {http://rewerse.net/publications/rewerse-publications.html#REWERSE-RP-2007-052}
}