Abstract
Mobile application technology is quickly evolving and being progressively utilized in the commercial and public sectors. Such applications make use of spatio-temporal information to provide better services and functionalities. Authorization to such services often depends on the credentials of the user and also on the location and time. Although researchers have proposed spatio-temporal access control models for such applications, not much has been done with respect to enforcement of spatio-temporal access control. Towards this end, we provide a practical framework that allows one to enforce spatio-temporal policies in mobile applications. Our policy enforcement mechanism illustrates the practical viability of spatio-temporal authorization models and discusses potential challenges with possible solutions. Specifically, we propose an architecture for enforcing spatio-temporal access control and demonstrate its feasibility by developing a prototype. We also provide a number of protocols for granting and revoking access and formally analyze these protocols using the Alloy constraint solver to provide assurance that our proposed approach is indeed secure.
References
Schaad A, Moffett J (2002) A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the symposium on access control models and technologies (SACMAT), pp 13–22
Anne A (2004) XACML profile for role-based access control (RBAC). OASIS Access Control TC Comm Draft 1:13
Samuel A, Ghafoor A, Bertino E (2007) A framework for specification and verification of generalized spatio-temporal role based access control model. Technical report CERIAS TR 2007–08, Purdue University, West Lafayette
Chaudhuri A (2009) Language-based security on Android. In: Proceedings of the ACM workshop on programming languages and analysis for security (PLAS), pp 1–7
Shafiq B, Masood A, Joshi J, Ghafoor A (2005) A role-based access control policy verification framework for real-time systems. In: Proceedings of the workshop on object-oriented real-time dependable systems (WORDS), pp 13–20
Bose B, Sane S (2010) DTCOT: distributed timeout based transaction commit protocol for mobile database systems. In: Proceedings of the international conference and workshop on emerging trends in technology (ICWET), Mumbai, India, pp 518–523
Kim D-K, Ray I, France RB, Li N (2004) Modeling role-based access control using parameterized UML models. In: Proceedings of the 7th international conference FASE’2004, pp 180–193
Daniel J (2002) Alloy: a lightweight object modelling notation. ACM Trans Softw Eng Methodol 11(2):256–290
Daniel M, Gerald P, Richard M (1980) A locking protocol for resource coordination in distributed databases. ACM Trans Database Syst 5(2):103–138
Technische Universität Darmstadt. FlexiProvider. http://www.flexiprovider.de/overview.html/. Accessed on 30 Nov 2012
Bertino E, Catania B, Damiani ML, Perlasca P (2005) GEO-RBAC: a spatially aware RBAC. In: Proceedings of the ACM symposium on access control models and technologies (SACMAT), pp 29–37
Bertino E, Piero B, Elena F (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191–233
Sposaro F, Tyson G (2009) iFall: an Android application for fall monitoring and response. In: Proceedings of the annual international conference of the IEEE at Engineering in Medicine and Biology Society (EMBC), 3–6 Sept 2009, pp 6119–6122
Frank S, Window S (2004) Threat modeling (Microsoft professional). Microsoft Press, Redmond (ISBN: 0735619913)
Hansen F, Oleshchuk V (2003) SRBAC: a spatial role-based access control model for mobile systems. In: Proceedings of the 8th Nordic workshop secure IT systems (NORDSEC), pp 129–141
Ahn G, Shin M (2001) Role-based authorization constraints specification using object constraint language. In: Proceedings of the IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises (WETICE), pp 157–162
Gail-Joon A, Ravi S (2000) Role-based authorization constraints specification. ACM Trans Inf Syst Secur 3(4):207–226
US Government (2012) Global positioning system. http://www.gps.gov/. Accessed on 30 Nov 2012
Booch G, James R, Ivar J (2005) The unified modeling language user guide, 2nd edn. Addison-Wesley Professional, Boston
Grisham P, Chen C, Khurshid S, Perry D (2006) Design and validation of a security model with the Alloy analyzer. In: Proceedings of the workshop at ACM SIGSOFT first Alloy, 6th Nov 2006, Portland, OR, USA
Google Inc. (2012) Android SDK. http://developer.android.com/sdk/index.html. Accessed on 30 Nov 2012
Google Inc. (2012) The Android mobile (OS). http://www.android.com/. Accessed on 30 Nov 2012
Ray I, Kumar M, Yu L (2006) LRBAC: a location-aware role-based access control model. In: Proceedings of the 2nd international conference on information systems security (ICISS 2006), 17–21 Dec 2006, Indian Statistical Institute, Kolkata, India, pp 147–161
Ray I, Toahchoodee M (2007) A spatio-temporal role-based access control model. In: Proceedings of the DBSec, pp 211–226
Jaehong P, Ravi S (2004) The \(\text{ UCON }_{\text{ ABC }}\) usage control model. ACM Trans Inf Syst Secur 7(1):128–174
James J, Elisa B, Usman L, Arif G (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4–23
Larman C (2004) Applying UML and patterns: an introduction to object-oriented analysis and design and iterative development, 3rd edn. Prentice Hall, Englewood Cliffs
Chen L, Crampton J (2008) On spatio-temporal constraints and inheritance in role-based access control. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS), Mar 2008, pp 205–216
Lin A, Bond M, Clulow J (2007) Modeling partial attacks with Alloy. In: Proceedings of the workshop on security protocols, pp 20–33
Lockhart H, Parducci B, Levinson R (2012) OASIS eXtensible access control markup language (XACML) TC. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml/. Accessed on 30 Nov 2012
Tamer Özsu M, Valduriez P (1999) Principles of distributed database systems, 2nd edn. Prentice-Hall, Englewood Cliffs (ISBN-10: 1441988335)
Toahchoodee M, Ray I (2011) On the formalization and analysis of a spatio-temporal role-based access control model. J Comput Secur 19(3):399–452
Toahchoodee M, Ray I, Anastasakis K, Georg G, Bordbar B (2009) Ensuring spatio-temporal access control for real-world applications. In: Proceedings of the 13th ACM symposium on access control models and technologies (SACMAT), Estes Park, CO, USA, 11–13 June 2008, pp 13–22
Manuel K, Francesco P-P (2006) UML specification of access control policies and their formal verification. Softw Syst Modell 5(4):429–447
Michael H, David L (2002) Writing secure code, 2nd edn. Microsoft Press, Redmond (ISBN: 0735617228)
Kirkpatrick M, Bertino E (2010) Enforcing spatial constraints for mobile RBAC systems. In: Proceedings of the 15th ACM symposium on access control models and technologies (SACMAT), Pittsburgh, pp 99–108
Xu M, Wijesekera D (2009) A role-based XACML administration and delegation profile and its enforcement architecture. In: Proceedings of the 6th ACM workshop on secure web services (SWS), 13 Nov 2009, Chicago, IL, USA, pp 53–60
MySQL (2012) The world’s most popular open source database. http://www.mysql.com/. Accessed on 30 Nov 2012
Abdunabi R, Al-Lail M, Ray I, Robert B (2013) Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model. IEEE Syst J (to appear)
Ravi S, Edward C, Hal F, Charles Y (1996) Role-based access control models. IEEE Comput 29(2):38–47
Ravi S, Kumar R, Xinwen Z (2006) Secure information sharing enabled by trusted computing and PEI models. In: Proceedings of the ACM symposium on information, computer and communications security (ASIACCS’06), 21–24 Mar 2006, Taipei, Taiwan
Mondal S, Sural S (2008) Security analysis of temporal-RBAC using timed automata. In: Proceedings of the 4th international symposium on information assurance and security (IAS), 8–10 Sept 2008, pp 37–40
Ravi S (1995) Rationale for the RBAC96 family of access control models. In: Proceedings of the 1st ACM workshop on role-based access control
Subhendu A, Samrat M, Shamik S, Arun M (2009) Role based access control with spatiotemporal context for mobile applications. Trans Comput Sci 4:177–199
Subhendu A, Shamik S, Arun M (2007) STARBAC: spatio temporal role based access control. In: Proceedings of the OTM, pp 1567–1582
Syed A, Mohammad I (2011) Location-based services handbook: applications, technologies, and security. CRC Press, Boca Raton (ISBN: 1420071963)
Taghdiri M, Jackson D (2003) A lightweight formal analysis of a multicast key management scheme. In: Proceedings of the FORTE, pp 240–256
Arensman W, Whipple J, Boler M (2009) A public safety application of GPS-enabled smartphones and the Android operating system. In: Proceedings of the systems, man and cybernetics (SMC), pp 2059–2061
Sun W, France R, Ray I (2011) Rigorous analysis of UML access control policy models. In: Proceedings of the POLICY, pp 9–16
Yu L, France RB, Ray I (2008) Scenario-based static analysis of UML class models. In: Proceedings of the ACM/IEEE 11th international conference on model driven engineering languages and systems (MoDELS), Toulouse, France, pp 234–248
Yu L, France RB, Ray I, Sun W (2012) Systematic scenario-based analysis of UML design class models. In: Proceedings of the ICECCS meeting held 18–20 July 2012, Paris, France, pp 86–95
Appendices
Appendix A
1.1 Alloy specification of the access control protocol
Appendix B
1.1 Alloy specification of successful MITM attack
Appendix C
1.1 Spatio-temporal access control model specification
We present our complete model and formalize its specification using the unified modeling language (UML) and the object constraint language (OCL).
1.2 Effect of spatio-temporal constraints on RBAC entities
The RBAC entities (users, roles, permissions, and objects) are each associated with spatio-temporal zones.
Users We assume that each valid user, interested in doing some location-sensitive operations, carries a locating device that is able to track his location. The location of a user changes with time. The spatio-temporal zone associated with a user gives the user’s current location and time.
Note that time and location can have different levels of granularity. For example, the current time can be expressed as 12:00:05 or as 12:00 pm. Similarly, a user’s current location can be Fort Collins or it can be Colorado. The user’s current location and time information will be used for making access decisions. Consequently, we require that the finest-granularity time and location be used to express the spatio-temporal zone associated with a user. We define the function \(currentzone\) that returns the minimal spatio-temporal zone associated with a user. This function is formally defined as follows:
- \(currentzone: Users \rightarrow STZones\)
Objects Objects may also be mobile, like users. Here again, locating devices track the location of an object. Moreover, an object may not be accessible everywhere and at any time. For example, tellers can only review customer information at a teller office during working hours. The \(ozones\) function returns the spatio-temporal zones that determine where and when each object is available.
- \(ozones: Objects \rightarrow 2^{STZones}\)
Roles A role can be assigned or activated only at specific locations and times. For example, the role of on-campus student can only be assigned/activated inside the campus during the semester. The spatio-temporal zones associated with a role give the locations and times in which the role can be assigned or activated. The \(rzones\) function gives the set of spatio-temporal zones associated with a given role.
- \(rzones: Roles \rightarrow 2^{STZones}\)
Permissions Permissions are also associated with spatio-temporal zones that indicate where and when a permission can be invoked. For example, a permission to perform a backup of servers can be executed only from the department after 10 pm on Friday nights. The function \(pzones\) gives the zones in which a specific permission can be accessed.
- \(pzones: Permissions \rightarrow 2^{STZones}\)
Figure 10 shows the class diagram of GSTRBAC. A security policy of a mobile application can then be specified as one instance of this GSTRBAC class diagram. The GSTRBAC entities User, Role, Permission, Object, Activity, and STZone are represented by classes. Permission is represented in the GSTRBAC class diagram as an aggregation of the classes Object and Activity. The STZone class aggregates the location and time subclasses. In the STZone class, zcontainment is a reflexive association specifying that a zone can contain other zones. The relationships between entities, including UserRoleAssignment, UserRoleActivation, PermissionRoleAssignment, RoleHierarchy, and SoD, are modeled using association classes, which are transformed into ordinary classes following the modeling guidelines in [19, 28]. These association classes have binary relationships with the STZone class to enforce the spatio-temporal constraints.
1.3 Effect of spatio-temporal constraints on RBAC operations
User-role assignment A user-role assignment is location and time dependent. That is, a user can be assigned to a role only while the user is at a specific location during a specific time. For example, a person can be assigned the on-campus student role only when he is on the campus during the semester. This requirement is expressed using the zone concept:
- UserRoleAssignment \(\subseteq \) users \(\times \) roles \(\times \) STZones
This relationship is depicted in the GSTRBAC class diagram as the association class UserRoleAssignment. The OCL operation assignRole assigns role \(r\) to user \(u\) in zone \(z\) if \(z\) is in the set \(rzones\) of \(r\), user \(u\) is present in zone \(z\), and role \(r\) is not already assigned to user \(u\) in zone \(z\). For lack of space, we omit the descriptions of the OCL queries used in the assignRole operation.
User-role activation A user can activate a role if the role can be activated in the specific zone and it is already assigned to that user. For example, the role of doctor trainee can only be activated in a hospital during the training period. We define the UserRoleActivation relation to determine the currently active roles based on zones:
- UserRoleActivation \(\subseteq \) users \(\times \) roles \(\times \) STZones
In the GSTRBAC class diagram, the UserRoleActivation class is specified in a manner similar to UserRoleAssignment. The only difference is that the activateRole operation ensures that the user is already assigned to the role before the role is activated.
Check access This operation checks whether a user is authorized to perform some operation on an object at a certain time and from a certain location. For example, a user is allowed to fire a missile only if he is assigned the role of top secret commander and he is in the control room of the missile during a severe crisis period. Thus, a user can access an object in a certain zone if that user has activated a role which has an appropriate permission for that object in that zone.
Permission-role assignment Permissions can only be assigned to a role at specific times and locations. For example, the permission to open a cashier drawer in a store should only be assigned to the salesman role during the daytime. The assignment of permissions to roles is specified based on zones:
- PermissionRoleAssignment \(\subseteq \) permissions \(\times \) roles \(\times \) STZones
The following OCL operation assigns permission \(p\) to role \(r\) in zone \(z\) if \(z\) is in both the set \(pzones\) of \(p\) and the set \(rzones\) of \(r\).
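As an added worked example (not code from the paper or from its Android prototype), the following Python sketch implements the zone functions and the assignRole, activateRole, permission-role assignment and checkAccess decisions described above. The STZone class, the LOCATION_PARENT containment table, the GSTRBAC class and the teller scenario data are all assumptions introduced here: zone containment is modelled as a location parent chain (zcontainment) plus time-window inclusion, and currentzone is the finest zone, a single location at a single instant.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed location containment chain (zcontainment); an assumption of this example.
LOCATION_PARENT = {"TellerOffice": "BankBranch", "BankBranch": "FortCollins",
                   "FortCollins": "Colorado"}


@dataclass(frozen=True)
class STZone:
    """A spatio-temporal zone: one named location during the window [start, end]."""
    location: str
    start: datetime
    end: datetime


def location_within(inner, outer):
    """Reflexive, transitive containment: walk up the parent chain from `inner`."""
    loc = inner
    while loc is not None:
        if loc == outer:
            return True
        loc = LOCATION_PARENT.get(loc)
    return False


def zone_within(inner, outer):
    """A zone lies inside another if both its location and its time window do."""
    return (location_within(inner.location, outer.location)
            and outer.start <= inner.start and inner.end <= outer.end)


def in_any(zone, zones):
    return any(zone_within(zone, z) for z in zones)


def minimal_zone(location, at):
    """currentzone(u): the finest-granularity zone, one location at one instant."""
    return STZone(location, at, at)


@dataclass
class GSTRBAC:
    currentzone: dict = field(default_factory=dict)  # Users -> STZone
    rzones: dict = field(default_factory=dict)       # Roles -> set of STZone
    pzones: dict = field(default_factory=dict)       # Permissions -> set of STZone
    ozones: dict = field(default_factory=dict)       # Objects -> set of STZone
    perms: dict = field(default_factory=dict)        # Permission -> (activity, object)
    ura: set = field(default_factory=set)            # UserRoleAssignment (u, r, z)
    uract: set = field(default_factory=set)          # UserRoleActivation (u, r, z)
    pra: set = field(default_factory=set)            # PermissionRoleAssignment (p, r, z)

    def assign_role(self, u, r, z):
        """assignRole: z in rzones(r), user present in z, not already assigned."""
        if (not in_any(z, self.rzones.get(r, ())) or not zone_within(self.currentzone[u], z)
                or (u, r, z) in self.ura):
            return False
        self.ura.add((u, r, z))
        return True

    def activate_role(self, u, r, z):
        """activateRole: as assignRole, and the role must already be assigned in a zone covering z."""
        assigned = any(uu == u and rr == r and zone_within(z, az) for uu, rr, az in self.ura)
        if (not assigned or not in_any(z, self.rzones.get(r, ()))
                or not zone_within(self.currentzone[u], z)):
            return False
        self.uract.add((u, r, z))
        return True

    def assign_permission(self, p, r, z):
        """Permission-role assignment: z must lie in both pzones(p) and rzones(r)."""
        if not in_any(z, self.pzones.get(p, ())) or not in_any(z, self.rzones.get(r, ())):
            return False
        self.pra.add((p, r, z))
        return True

    def check_access(self, u, activity, obj):
        """checkAccess: the object must be available in the user's current zone and an
        active role of the user must hold a matching permission in that zone."""
        now = self.currentzone[u]
        if not in_any(now, self.ozones.get(obj, ())):
            return False
        active = {rr for uu, rr, az in self.uract if uu == u and zone_within(now, az)}
        return any(rr in active and zone_within(now, pz) and self.perms.get(p) == (activity, obj)
                   for p, rr, pz in self.pra)


def teller_scenario():
    """Constructed walk-through: a teller reviewing customer information."""
    def at(hour):
        return datetime(2013, 11, 4, hour)   # one working day
    hours = STZone("BankBranch", at(9), at(17))
    office = STZone("TellerOffice", at(9), at(17))
    pol = GSTRBAC(rzones={"teller": {hours}}, pzones={"review": {hours}},
                  ozones={"customer_info": {office}}, perms={"review": ("read", "customer_info")})
    pol.currentzone["alice"] = minimal_zone("TellerOffice", at(10))
    out = {"assign": pol.assign_role("alice", "teller", hours),
           "activate": pol.activate_role("alice", "teller", hours),
           "perm": pol.assign_permission("review", "teller", hours),
           "access_in_office": pol.check_access("alice", "read", "customer_info")}
    pol.currentzone["alice"] = minimal_zone("TellerOffice", at(18))   # after working hours
    out["access_after_hours"] = pol.check_access("alice", "read", "customer_info")
    pol.currentzone["alice"] = minimal_zone("BankBranch", at(10))     # in the branch, not the office
    out["access_outside_office"] = pol.check_access("alice", "read", "customer_info")
    return out
```

Running teller_scenario() separates the three outcomes a reference monitor has to distinguish: access granted in the teller office during working hours, denied after hours because the object is no longer available, and denied from elsewhere in the branch because the user's current zone is not within any zone in ozones of the object. Every decision is taken against the minimal current zone, so the granularity remark above is what makes the containment test meaningful.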
1.4 Spatio-temporal role hierarchy
The permission-inheritance hierarchy (I-Hierarchy) and the role-activation hierarchy (A-Hierarchy) are two variations of the role hierarchy (RoleHierarchy) in RBAC [27, 41]. In our model, a senior role may have only a subset of its junior roles in a particular zone. The spatio-temporal role hierarchies are formally defined as follows:
- RoleHierarchy \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones
- I-Hierarchy \(\subseteq \) RoleHierarchy, A-Hierarchy \(\subseteq \) RoleHierarchy, and I-Hierarchy \(\cap \) A-Hierarchy = \(\emptyset \)
The subtypes of RoleHierarchy are represented in the GSTRBAC class diagram by the subclasses I-Hierarchy and A-Hierarchy, which are connected to the STZone class to restrict the role associations to zones.
Permission-inheritance hierarchy In the permission-inheritance hierarchy, a senior role \(r\) can only inherit the permissions of a junior role \(r'\) in zone \(z\) if both roles are available in zone \(z\). For example, a project manager inherits the permissions of a developer when he is at the customer site giving a demo. The following OCL expression specifies the spatio-temporal constraint on I-Hierarchy for adding a new junior role.
The delete operation for a junior role in I-Hierarchy can be defined in a similar manner. The I-Hierarchy relationship is acyclic, as shown by the following OCL constraint.
The boolean operation inheritsIH(r,z) returns true if role \(r\) is directly or indirectly a junior role of the context role in a particular zone; otherwise it returns false.
We define the OCL query operation getAuthorizedPermissions(z) to get the authorized permissions for a given role at zone \(z\) through direct assignment or indirect I-Hierarchy.
Role-activation hierarchy The restricted spatio-temporal A-Hierarchy allows members of senior roles to activate junior roles in predefined spatio-temporal zones. For example, a department chair can activate a staff role during the semester inside the department building. The OCL operations for adding and deleting junior roles in the A-Hierarchy are defined in a manner similar to the I-Hierarchy. Further, the acyclicity constraint on A-Hierarchy is enforced in the same way as for the I-Hierarchy.
The only differences are that the OCL query operation getAHJuniorRoles(z) returns all the junior roles in the A-Hierarchy of the context role in a particular zone, and that the OCL query operation getAuthorizedRoles(z) gives the roles the context user is authorized to activate, either explicitly assigned or implicitly obtained through the A-Hierarchy, in certain zones.
1.5 Spatio-temporal separation of duty
Static SoD (SSoD) and dynamic SoD (DSoD) are two special classes of SoD constraints in RBAC [17]. Further, role SSoD (RSSoD) constraints are defined on role assignments, while permission SSoD (PSSoD) constraints are defined on permission assignments.
In our model, the conflicting roles and permissions in SoD are defined over some zones. The spatio-temporal RSSoD, PSSoD, and DSoD relations are formally defined as follows:
- RSSoD \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones
- DSoD \(\subseteq \) Roles \(\times \) Roles \(\times \) STZones, and RSSoD \(\cap \) DSoD = \(\emptyset \)
- PSSoD \(\subseteq \) permissions \(\times \) permissions \(\times \) STZones
The static and dynamic SoD relations are represented in the GSTRBAC class diagram using the association classes RSSoD, PSSoD, and DSoD, which connect the conflicting entities with certain zones.
Role SSoD The same individual should not be assigned to specific roles at a specific location for some duration. For example, the same user should not be assigned to the billing clerk and accounts receivable clerk roles at the same time at a specific trade corporation. The following OCL invariant forbids the assignment of conflicting roles in a particular zone.
However, the above constraint might be violated through the role hierarchy relation. For example, a billing supervisor role might be a senior role of the two conflicting roles billing clerk and account clerk at the same time and in the same accounting department. The following OCL constraint prevents such a situation.
Permissions SSoD PSSoD prevents the assignment of conflicting permissions to a role. For example, a loan officer is not permitted both to issue a loan request and to approve it in the bank building during the daytime. The following OCL invariant expresses the PSSoD requirement in our model.
However, this constraint might be violated through the I-Hierarchy, in which a senior role inherits from junior roles that have been assigned mutually conflicting permissions. The following OCL invariant prevents the violation of PSSoD via the I-Hierarchy.
DSoD Two conflicting roles cannot be activated in some spatio-temporal zones by the same user. For example, the simultaneous activation of cashier and cashier supervisor is forbidden during working hours in the same store, to deter such a user from committing fraud. The DSoD constraints are expressed as OCL invariants in a manner similar to the RSSoD constraints. The only difference is that the OCL invariants prevent the activation of conflicting roles that are connected by DSoD in some zones, whether through explicit role assignment or through the implicit A-Hierarchy.
1.6 Spatio-temporal prerequisite constraints
In RBAC, prerequisite constraints require that some actions be taken prior to performing an operation [16].
Prerequisite constraints on user-role assignment The prerequisite constraint on role assignments requires that a user be assigned to some less critical roles in a given spatio-temporal zone before being assigned more critical roles in specific zones. For example, the role of emergency-nurse can be assigned to John in the urgent care unit from 12:00 to 5:00 am if he is assigned the role of nurse-on-night-duty at the hospital during those hours. The following OCL invariant expresses the prerequisite constraints on user-role assignment. The query operation getPreqAssRoles() returns all the prerequisite roles that must be assigned before a certain role can be assigned.
Prerequisite constraints on permission-role assignment The prerequisite constraints on permission assignments indicate that a role can be assigned a permission in a specific zone only if some prerequisite permissions are already assigned to that role in the same zone. For example, a bank teller must have the permission to read an account during working hours before he can be given the permission to update that account. The prerequisite constraint on permission-role assignment can be specified using an OCL expression as follows.
Prerequisite user-role activation A role can be activated only if some prerequisite roles are already activated in specific zones. For example, in a university the teaching assistant role can be activated during a semester in a department if the student role can be activated during the same time. This requirement is specified in our model in the same way as the prerequisite user-role assignment constraint, except that the OCL query getPreqAssRoles() is replaced by getPreqActRole(). The query operation getPreqActRole() returns all the prerequisite roles that must be activated before a role can be activated.
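As a second added example, written here rather than taken from the paper, the Python block below exercises the constraint invariants of Sections 1.4, 1.5 and 1.6 of this appendix: I-Hierarchy acyclicity and inherited permissions (the inheritsIH and getAuthorizedPermissions queries), the RSSoD and PSSoD invariants including their hierarchy-aware variants, and the prerequisite constraint on user-role assignment (getPreqAssRoles). The GSTRBACConstraints class, the scenario functions and all role, permission and zone names are assumptions introduced here; zones are opaque labels in this block, so zone containment is deliberately left out to keep the invariants themselves in focus.

```python
class GSTRBACConstraints:
    """Constraint checks of the GSTRBAC appendix over flat zone labels (containment ignored)."""

    def __init__(self, rzones, prereq_assign=None):
        self.rzones = rzones                 # Roles -> set of zone labels (rzones)
        self.prereq = prereq_assign or {}    # Role -> prerequisite roles (getPreqAssRoles())
        self.ura = set()                     # UserRoleAssignment: (user, role, zone)
        self.pra = set()                     # PermissionRoleAssignment: (perm, role, zone)
        self.ih = set()                      # I-Hierarchy: (senior, junior, zone)
        self.rssod = set()                   # RSSoD: (role, role, zone)
        self.pssod = set()                   # PSSoD: (perm, perm, zone)

    def ih_juniors(self, r, z):
        """All direct and indirect I-Hierarchy juniors of r in zone z."""
        seen, stack = set(), [r]
        while stack:
            cur = stack.pop()
            for senior, junior, zz in self.ih:
                if senior == cur and zz == z and junior not in seen:
                    seen.add(junior)
                    stack.append(junior)
        return seen

    def inherits_ih(self, senior, r, z):
        """inheritsIH(r, z) with `senior` as the context role."""
        return r in self.ih_juniors(senior, z)

    def add_junior(self, senior, junior, z):
        """Both roles must be available in z and the relation must stay acyclic."""
        if z not in self.rzones.get(senior, ()) or z not in self.rzones.get(junior, ()):
            return False
        if senior == junior or self.inherits_ih(junior, senior, z):
            return False                     # the new edge would close a cycle
        self.ih.add((senior, junior, z))
        return True

    def authorized_permissions(self, r, z):
        """getAuthorizedPermissions(z): direct assignments plus those inherited in z."""
        roles = {r} | self.ih_juniors(r, z)
        return {p for p, rr, zz in self.pra if rr in roles and zz == z}

    def assign_role(self, u, r, z):
        """User-role assignment subject to the prerequisite and RSSoD constraints."""
        if z not in self.rzones.get(r, ()):
            return False
        if any((u, q, z) not in self.ura for q in self.prereq.get(r, ())):
            return False                     # prerequisite role not yet held in z
        conflicts = {b for a, b, zz in self.rssod if a == r and zz == z}
        conflicts |= {a for a, b, zz in self.rssod if b == r and zz == z}
        if any((u, c, z) in self.ura for c in conflicts):
            return False                     # direct RSSoD violation
        self.ura.add((u, r, z))
        return True

    def rssod_violations(self):
        """Roles that hold both members of an RSSoD pair through their own I-Hierarchy."""
        return {(r, z) for r1, r2, z in self.rssod for r in self.rzones
                if {r1, r2} <= {r} | self.ih_juniors(r, z)}

    def pssod_violations(self):
        """Roles whose inherited permission set contains a PSSoD pair."""
        return {(r, z) for p1, p2, z in self.pssod for r in self.rzones
                if {p1, p2} <= self.authorized_permissions(r, z)}


def accounting_scenario():
    """Constructed walk-through of the billing-clerk / accounts-receivable-clerk conflict."""
    z = "accounting_dept/working_hours"
    pol = GSTRBACConstraints({"billing_clerk": {z}, "ar_clerk": {z}, "billing_supervisor": {z}})
    pol.rssod.add(("billing_clerk", "ar_clerk", z))
    pol.pssod.add(("create_invoice", "post_payment", z))
    pol.pra |= {("create_invoice", "billing_clerk", z), ("post_payment", "ar_clerk", z)}
    out = {"assign_clerk": pol.assign_role("bob", "billing_clerk", z),
           "assign_conflicting": pol.assign_role("bob", "ar_clerk", z),
           "add_junior": pol.add_junior("billing_supervisor", "billing_clerk", z),
           "cycle_rejected": pol.add_junior("billing_clerk", "billing_supervisor", z),
           "clean": (pol.rssod_violations(), pol.pssod_violations())}
    pol.add_junior("billing_supervisor", "ar_clerk", z)   # supervisor now senior to both clerks
    out["rssod_via_hierarchy"] = pol.rssod_violations()
    out["pssod_via_hierarchy"] = pol.pssod_violations()
    out["supervisor_perms"] = pol.authorized_permissions("billing_supervisor", z)
    return out


def nurse_scenario():
    """Constructed walk-through of the assignment prerequisite constraint."""
    z = "urgent_care_unit/00:00-05:00"
    pol = GSTRBACConstraints({"nurse_on_night_duty": {z}, "emergency_nurse": {z}},
                             prereq_assign={"emergency_nurse": {"nurse_on_night_duty"}})
    before = pol.assign_role("john", "emergency_nurse", z)   # prerequisite missing
    pol.assign_role("john", "nurse_on_night_duty", z)
    return before, pol.assign_role("john", "emergency_nurse", z)
```

The accounting scenario is the point of the hierarchy-aware invariants: the direct RSSoD check on assign_role rejects giving one user both clerk roles, and add_junior rejects a cycle, but neither of them stops the billing supervisor from being made senior to both clerks. Only rssod_violations and pssod_violations, which fold the I-Hierarchy into the comparison, report that the supervisor now holds both conflicting roles and both conflicting permissions in the same zone. The nurse scenario shows the prerequisite check denying the emergency-nurse assignment until the night-duty role is held in the same zone.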
Cite this article
Abdunabi, R., Sun, W. & Ray, I. Enforcing spatio-temporal access control in mobile applications. Computing 96, 313–353 (2014). https://doi.org/10.1007/s00607-013-0340-2