Fine-Grained Access Control with Object-Sensitive Roles

  • Conference paper
ECOOP 2009 – Object-Oriented Programming (ECOOP 2009)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5653)

Abstract

Role-based access control (RBAC) is a common paradigm to ensure that users have sufficient rights to perform various system operations. In many cases though, traditional RBAC does not easily express application-level security requirements. For instance, in a medical records system it is difficult to express that doctors should only update the records of their own patients. Further, traditional RBAC frameworks like Java’s Enterprise Edition rely solely on dynamic checks, which makes application code fragile and difficult to ensure correct.

We introduce Object-sensitive RBAC (ORBAC), a generalized RBAC model for object-oriented languages. ORBAC resolves the expressiveness limitations of RBAC by allowing roles to be parameterized by properties of the business objects being manipulated. We formalize and prove sound a dependent type system that statically validates a program’s conformance to an ORBAC policy. We have implemented our type system for Java and have used it to validate fine-grained access control in the OpenMRS medical records system.
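
The medical-records requirement from the abstract, as an added example that is not code from the paper or from OpenMRS: a guard that checks only the role name next to one that checks a role parameterized by the patient the record belongs to. It uses run-time checks purely to show the policy difference; the paper enforces such policies statically with a dependent type system, whose annotation syntax does not appear on this page. All class, method and identifier names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
// Added illustration; all names are hypothetical, not from the paper or OpenMRS.
public class OrbacSketch {
    // A role parameterized by the id of the business object it applies to.
    record Role(String name, String objectId) {}

    record User(String id, Set<Role> roles) {
        // Traditional RBAC: only the role name matters.
        boolean hasRole(String name) {
            return roles.stream().anyMatch(r -> r.name().equals(name));
        }
        // Object-sensitive: the role must be held for this particular object.
        boolean hasRole(String name, String objectId) {
            return roles.contains(new Role(name, objectId));
        }
    }

    static final class PatientRecord {
        final String patientId;
        final List<String> notes = new ArrayList<>();
        PatientRecord(String patientId) { this.patientId = patientId; }
    }

    static void updateRbac(User u, PatientRecord rec, String note) {
        if (!u.hasRole("Doctor")) throw new SecurityException("not a doctor");
        rec.notes.add(note);
    }

    static void updateOrbac(User u, PatientRecord rec, String note) {
        if (!u.hasRole("Doctor", rec.patientId))
            throw new SecurityException(u.id() + " is not a doctor of " + rec.patientId);
        rec.notes.add(note);
    }

    public static void main(String[] args) {
        // Constructed sample data: alice is a doctor of patient-1 only.
        User alice = new User("alice", Set.of(new Role("Doctor", "patient-1")));
        PatientRecord other = new PatientRecord("patient-2");
        updateRbac(alice, other, "edited");  // allowed: the role name alone matches
        System.out.println("RBAC notes: " + other.notes);
        try {
            updateOrbac(alice, other, "edited again");
        } catch (SecurityException e) {
            System.out.println("ORBAC denied: " + e.getMessage());
        }
        updateOrbac(alice, new PatientRecord("patient-1"), "ok");  // own patient: allowed
    }
}
```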

This material is based upon work supported in part by the National Science Foundation under grants CCF-0545850 and CCF-0546170.

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fischer, J., Marino, D., Majumdar, R., Millstein, T. (2009). Fine-Grained Access Control with Object-Sensitive Roles. In: Drossopoulou, S. (eds) ECOOP 2009 – Object-Oriented Programming. ECOOP 2009. Lecture Notes in Computer Science, vol 5653. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03013-0_9

  • DOI: https://doi.org/10.1007/978-3-642-03013-0_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03012-3

  • Online ISBN: 978-3-642-03013-0

  • eBook Packages: Computer Science, Computer Science (R0)