Authorization and Access Control

The research impact on authorization and access control is threefold and directly affects the attainment of information assurance in a number of different research contexts. First, in work conducted from the late 1990s through the mid 2000s, the focus was on exploring authorization and access control for service-based computing through middleware such as CORBA, JINI, etc. This effort proposed a security model for service-based computing that included role-based, mandatory, and discretionary access control, augmented with timing constraints (when access to services was allowed). This work was published in many venues (IEEE Information Assurance, IFIP WG11.3 on Database Security, and SACMAT), with a domain focus of dynamic coalitions (1 doctoral student graduated – C. Phillips, Phillips03, Phillips05). This work is directly applicable today to web-services-based computing models, to allow more fine-grained control over “who” can access web services (e.g., SOAP messages) at what time and under what conditions, and to grid computing for the myriad of grid services that have exploded in computing. For example, rather than have all web services available to all users, the approach would allow the web services to be restricted based on user role and/or classification level, based on the clearance level and role of the authorized user.
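The kind of decision described above, combining a role check, a clearance-versus-classification check, and a time window on one service method, is sketched below as an added example; it is not code from the cited publications or prototypes. The service and method names, the level ordering, and the policy data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumed sensitivity ordering (a simple total order, lowest to highest).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Grant:
    """A role's permission on one service method, valid in a daily time window."""
    role: str
    service: str
    method: str
    start: time
    end: time

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: str

# Constructed policy: classification per (service, method) and role grants.
CLASSIFICATION = {("CourseDB", "getSchedule"): "UNCLASSIFIED",
                  ("CourseDB", "updateSchedule"): "CONFIDENTIAL"}
GRANTS = [
    Grant("student", "CourseDB", "getSchedule", time(0, 0), time(23, 59)),
    Grant("faculty", "CourseDB", "getSchedule", time(0, 0), time(23, 59)),
    Grant("faculty", "CourseDB", "updateSchedule", time(8, 0), time(18, 0)),
]

def authorize(user: User, active_role: str, service: str, method: str,
              when: datetime):
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    if active_role not in user.roles:
        return False, "role not assigned to user"
    label = CLASSIFICATION.get((service, method))
    if label is None:
        return False, "unknown service method"
    # MAC: the user's clearance must dominate the method's classification.
    if LEVELS[user.clearance] < LEVELS[label]:
        return False, "clearance below classification"
    # RBAC: the active role needs at least one grant on this method.
    in_scope = [g for g in GRANTS
                if (g.role, g.service, g.method) == (active_role, service, method)]
    if not in_scope:
        return False, "no grant for role"
    # Timing constraint: one of those grants must be active at `when`.
    if any(g.start <= when.time() <= g.end for g in in_scope):
        return True, "granted"
    return False, "outside permitted time window"
```

Returning the denial reason alongside the boolean makes each refused call auditable by the enforcing middleware.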

Second, this effort was followed through the mid to late 2000s with an emphasis on secure software engineering. As software gets more and more complex, the ability to specify access control and authorization at the earliest stages and throughout the design process through development and deployment (enforcement) will be critical from an information assurance perspective, providing a guarantee and tractability throughout the software process. There are two approaches related to the Unified Modeling Language (UML). One approach involved incorporating role-based and mandatory access control directly into UML use case, class, and sequence diagrams, with limited changes to the model and design-time security analysis for information assurance (1 doctoral student graduated – T. Doan – Doan10). This approach focused on limiting the changes to UML to allow a software engineer to easily define security along with his/her use case, class, and sequence diagrams, with the caveat that the security was spread across the entire design. The other approach involved the proposal of new UML diagrams for supporting role-based, mandatory, and discretionary access control, from which aspect-oriented security enforcement code could be automatically generated (1 doctoral student graduated – J. Pavlich-Mariscal – Pavlich-Mariscal10). This approach focused on new UML diagrams that collect all security design issues in a cohesive manner, limiting the scattering of secure code across the application. Collectively, the two approaches provide complementary means to address secure software engineering.

The third effort, begun in 2007 and ongoing, focuses on security for collaborative web portals (WIKIs). The use of collaborative portals has exploded in the computing arena (MediaWiki, Microsoft SharePoint, Google Wave, etc.), providing the ability to author, create, update, and share content via easy-to-use web-based interfaces. This work was initiated by participating in SBIR funding from NSF (fine-grained role-based access control for a web portal) and from the Department of Navy (mandatory access control for a web portal). A current doctoral student – S. Berhe (Berhe09) – is working on extensions to the NIST RBAC model to support collaboration on duty and workflow, to allow the security model to define when and how authorized users are allowed to collaborate. From an information assurance perspective, we are applying this work to the health care domain, where medical providers collaborate to administer patient care under strict HIPAA compliance. The medical home in health care allows a physician or other health care provider to coordinate the care of multiple providers, particularly with regard to patients with chronic conditions. Collaboration on duty for a given set of providers (each with a role) will extend NIST RBAC to define when these health professionals need to interact to facilitate patient care, with the intent to reduce medical errors, keep the patient healthy, limit hospitalization, and hopefully reduce costs.

Key Faculty

Steven A. Demurjian (CSE)

Wei-Kuang Huang (OPIM)

Laurent Michel (CSE)

Publications

  • Book Chapters
    • S. Demurjian, H. Ren, S. Berhe, M. Devineni, S. Vegad, and K. Polineni, “Chapter XXV: Improving the Information Security of Collaborative Web Portals via Fine-Grained Role-Based Access Control,” in Handbook of Research on Web 2.0, 3.0 and X.0: Technologies, Business and Social Applications, S. Murugesan (ed.), IGI Global, Oct. 2009.
    • R. Crowell, T. Agresta, M. Cook, J. Fifield, S. Demurjian, S. Carter, I. Becerra-Ortiz, S. Vegad, and K. Polineni, “CHAPTER XL: Using a Collaborative Web Portal for Making Health Information Technology (HIT) Decisions,” in Handbook of Research on Web 2.0, 3.0 and X.0: Technologies, Business and Social Applications, S. Murugesan (ed.), IGI Global, Oct. 2009.
    • S. Berhe, S. Demurjian, T. Agresta, “Emerging Trends in Health Care Delivery: Towards Collaborative Security for NIST RBAC,” in Research Directions in Data and Applications Security XXIII, E. Gudes and J. Vaidya (eds.), LNCS 5645, Springer, July 2009, pp. 283-290.
    • C. Phillips, S. Demurjian, K. Bessette, “A Service-Based Approach for RBAC and MAC Security,” in Service-Oriented Software System Engineering: Challenges and Practices, Z. Stojanovic and A. Dahanayake (eds.), Idea Group, Apr. 2005, pp. 317-339.
    • S. Demurjian, K. Bessette, T. Doan, C. Phillips, “Concepts and Capabilities of Middleware Security,” in Middleware for Communications, Q. Mohammed (ed.), John-Wiley, Aug. 2004, pp. 211-236.
    • T. Doan, S. Demurjian, T.C. Ting, C. Phillips, “RBAC/MAC Security for UML,” in Research Directions in Data and Applications Security XVIII, C. Farkas and P. Samarati (eds.), Vol. IFIP 144, 2004, Springer, July 2004, pp. 189-204.
    • C. Phillips, S. Demurjian, T.C. Ting, “Safety and Liveness for an RBAC/MAC Security Model,” in Database and Applications Security XVII: Status and Prospects, S. di Vimercati, I. Ray, and I. Ray, (eds.), Vol. IFIP 142, Springer, July 2004, pp. 316-329.
    • V. Atluri and W.-K. Huang, “An Authorization Model for Workflows,” Lecture Notes in Computer Science, No. 1146, Springer-Verlag, pp. 44-64, 1996.
  • Journal Articles
    • W.-K. Huang and V. Atluri “A Petri net Based Safety Analysis of Workflow Authorization Models”, Journal of Computer Security 8(2000).
    • V. Atluri and W.-K. Huang “Analyzing the Safety of Workflow Authorization Models,” Database Security: Status and Prospects, Volume XII, pp. 43-57, 1999.
    • V. Atluri, Elisa Bertino and W.-K. Huang “A Semantic Based execution Model for Multilevel Secure Workflows”, Journal of Computer Security 1999.
    • W.-K. Huang, Nabil Adam and V. Atluri “Modeling and Analysis of Workflows using Petri nets” Journal of Intelligent Information System, Special Issue on Workflow and Process Management, Volume 10, Number 2, 1998.
    • V. Atluri, Elisa Bertino and W.-K. Huang “An Execution Model for Multilevel Secure Workflows”, in Database Security: Status and Prospects, Volume XI, pp. 151-165, 1998.
    • V. Atluri and W.-K. Huang “An Extended Petri Net Model for Supporting Workflows in a Multilevel Secure Environment”, Database Security, Volume X status and Prospects, pages 240-257, 1997.
    • V. Atluri and W.-K. Huang “Enforcing Mandatory and Discretionary Security in Workflow Management Systems”, 1997(5), pages 303-339, Journal of Computer Security.
  • Conference Papers
    • S. Berhe, S. Demurjian, H. Ren, M. Devineni, S. Vegad, and K. Polineni, “Axon-An Adaptive Collaborative Web Portal,” Proc. Of Intl. Wksp. on Adaptation and Evolution in Web Systems Engineering (AEWSE2008), pp. 81-88, July 2008.…
    • J. Pavlich-Mariscal, L. Michel, S. Demurjian, “Role Slices and Runtime Permissions: Improving an AOP-based Access Control Schema,” Proc. of 7th Intl. Wksp. on Aspect-Oriented Modeling, co-located with MoDELS/UML 2005, Montego Bay, Jamaica, Oct. 2005.
    • J. Pavlich-Mariscal, L. Michel, S. Demurjian, “A Formal Enforcement Framework for Role-Based Access Control using Aspect-Oriented Programming,” Proc. of ACM/IEEE 8th Intl. Conf. on Model Driven Engineering Languages and Systems (MoDELS/UML 2005), Montego Bay, Jamaica, Oct. 2005, pp. 537-552.
    • T. Doan, L. Michel, S. Demurjian, T.C. Ting, “Stateful Design for Secure Information Systems,” Proc. of 3rd Intl. Wksp. on Security in Information Systems (WOSIS05), Miami FL, May 2005, pp. 277-286.
    • V. Atluri and W.-K. Huang, “SecureFlow: A Secure Web-enabled Workflow Management System,” Fourth ACM Workshop on Role-Based Access Control, 1999.
  • Dissertations
    • J.A. Pavlich-Mariscal, “A Framework of Composable Security Features: Preserving Separation of Security Concerns from Models to Code,” (Advisors: S. Demurjian, L. Michel), December 2008.
    • T.N. Doan, “A Framework for Software Security in UML with Assurance,” (Advisors: S. Demurjian, T.C. Ting), August 2008.
    • C.E. Phillips, “Security Assurance for a Resource-Based RBAC/DAC/MAC Security Model,” (Advisor: S. Demurjian), May 2004.
  • Software Artifacts
    • Distributed Security with JINI and CORBA: Over the past 4 years, as part of numerous independent studies and design laboratories by graduate students, a prototype system that realizes distributed role-based security has been undertaken by Dr. Demurjian. The purpose of the work is to provide a means to control access to legacy and COTS APIs via a mechanism that limits which users (clients) can call which methods of the different APIs that are available in a distributed application. The current prototype works with Windows NT 4.0 and Linux as OSs, Microsoft Access and Oracle as databases, and JINI 1.1 running under Java 1.3 and Visibroker as middleware. Our prototype supports a Course DB Resource and a Course Client (GUI tool) where students can query course information and enroll in classes, and faculty can query and modify the class schedule. To realize distributed role-based security, a Unified Security Resource (USR) has been prototyped in both JINI and CORBA. In addition, two other security officer tools have been designed and prototyped, namely: a Security Policy Client (SPC) to manage user roles and establish privileges, and a Security Authorization Client (SAC) for associating roles with actual users. The underlying security mechanism is transparent to clients utilizing tools.
    • Security for XML: This effort began in Spring 2003 by Dr. Demurjian, and continued in Fall 2003/Spring 2004 with a prototyping effort to transition our RBAC/MAC security model into the XML/web-based context. Specifically, we have designed an approach to allow an XML document to appear differently at different times to different individuals based on role and security clearance levels. In Fall 2003, the implementation effort began (as part of CSE367), and this effort continued in Spring 2004 (as part of a project in CSE333) and is ongoing for the upcoming summer.
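As an added illustration of the XML item above (not the group's prototype), the following sketch produces a per-user view of one XML document by pruning elements the requesting role and clearance may not see. The `level` and `roles` attribute names, the level ordering, and the sample document are assumptions constructed for this example; the time dimension mentioned in the text is left out.

```python
import xml.etree.ElementTree as ET

# Assumed sensitivity ordering, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Constructed sample document; unlabeled elements default to UNCLASSIFIED
# and to "any role".
DOC = """<course id="SAMPLE101">
  <title>Sample Course</title>
  <schedule roles="student faculty">Tue/Thu 11:00</schedule>
  <roster roles="faculty" level="CONFIDENTIAL">
    <student>J. Doe</student>
    <grade level="SECRET">A-</grade>
  </roster>
</course>"""

def view(xml_text, role, clearance):
    """Return the Element tree this role/clearance may see, or None if nothing."""
    user_level = LEVELS[clearance]

    def prune(elem, parent_level):
        own = LEVELS.get(elem.get("level", "UNCLASSIFIED"))
        if own is None:
            return False  # unknown label: fail closed
        # A child is never less sensitive than the element that contains it.
        level = max(parent_level, own)
        if user_level < level:
            return False  # MAC: clearance does not dominate
        roles = elem.get("roles")
        if roles is not None and role not in roles.split():
            return False  # RBAC: role not listed for this element
        for child in list(elem):
            if not prune(child, level):
                elem.remove(child)
        # Do not leak the policy labels into the delivered view.
        elem.attrib.pop("level", None)
        elem.attrib.pop("roles", None)
        return True

    root = ET.fromstring(xml_text)
    return root if prune(root, 0) else None
```

The pruning has to run where the full document is held, before serialization, so that withheld elements never reach the client.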