Detecting policy conflicts by model checking UML state machines¹

Maurice H. ter Beek (a), Stefania Gnesi (a), Carlo Montangero (b) and Laura Semini (b)²

(a) ISTI–CNR, Pisa
(b) Dipartimento di Informatica, Università di Pisa

Abstract. Policies are a convenient means to modify system behaviour at run-time. Nowadays, policies are created in great numbers by different actors, ranging from system administrators to lay users. This situation naturally leads to inconsistencies, a problem that has been recognized and termed policy conflict. Adopting a widely used notation with good tool support to express policies can not only support the detection of conflicts but also help all the actors involved to understand and resolve them. In this respect, UML is a natural candidate, given its current wide use in industrial practice. In this paper we show how to model check policies expressed in UML to verify whether they are free of conflicts: we define a correspondence between APPEL policies and UML state machines and use UMC as a model checker. We validate the approach with examples taken from the literature.

Keywords. Policy conflict, UML, Model checking

Introduction

Policies have been recognized as a convenient means to add flexibility to software systems, since they allow the behaviour to be adapted at run-time. They were originally introduced in telecommunication systems [1] and have traditionally been applied to access and usage control [2,3] and to system management [4,5,6,7]. Recently, policies have been introduced in new domains, such as the control of smart houses [8] and the automation of business rules in business process management [9]. As a consequence of this broader usage, policies are nowadays created in great numbers by many different actors, ranging from system administrators to lay users, aggravating a problem that has been recognized since the beginning and termed policy conflict, i.e. the fact that policies may be inconsistent and contradict each other.

The issues related to policy conflicts, i.e. conflict definition, detection and resolution, are receiving much attention. In particular, a recent trend exploits the current advances in formal static analysis by theorem proving and model checking, applying these tech-

¹ All the authors are partially supported by the EU project SENSORIA IST-2005-16004. The first two authors are also funded by the MIUR–PRIN 2007 project D-ASAP.
² Corresponding Author: Laura Semini. Email: semini@di.unipi.it.
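The kind of conflict detection the paper motivates, as an added worked example that is not part of the paper: a small explicit-state checker in Python that explores the reachable states of a set of simplified event-condition-action policies and stops at the first state in which two policies enabled by the same event assign different values to the same variable. The APPEL notation, the UML state-machine encoding and the UMC model checker that the paper actually uses are not reproduced here; the home-automation policies, the event model and the conflict criterion below are constructed assumptions for illustration only.

```python
"""
Constructed example: explicit-state search for policy conflicts.

Policies are simplified event-condition-action rules (not APPEL syntax).
A conflict, for this example, is two policies that are enabled by the same
event in the same reachable state and assign different values to the same
variable. The search is a plain BFS over the composed state space, standing
in for a real model checker such as UMC.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, object]


@dataclass
class Policy:
    name: str
    trigger: str                       # event that enables the policy
    condition: Callable[[State], bool]  # guard evaluated on the current state
    action: Dict[str, object]          # variable assignments performed on firing


# Constructed environment model: each event updates observable variables.
EVENTS: Dict[str, Dict[str, object]] = {
    "temp_low": {"temp": "low"},
    "temp_ok": {"temp": "ok"},
    "user_leaves": {"present": False},
    "user_arrives": {"present": True},
}

INITIAL_STATE: State = {"temp": "ok", "present": True, "heating": "off"}


def example_policies() -> List[Policy]:
    """Constructed home-automation policies; the last two contradict each other."""
    return [
        Policy("keep_warm", "temp_low", lambda s: bool(s["present"]), {"heating": "on"}),
        Policy("save_energy", "user_leaves", lambda s: True, {"heating": "off"}),
        Policy("frost_guard", "temp_low", lambda s: True, {"heating": "on"}),
        Policy("away_cold", "temp_low", lambda s: not s["present"], {"heating": "off"}),
    ]


def enabled(policies: List[Policy], state: State, event: str) -> List[Policy]:
    """Policies triggered by `event` whose guard holds in `state`."""
    return [p for p in policies if p.trigger == event and p.condition(state)]


def conflicting(fired: List[Policy]) -> Optional[Tuple[Policy, Policy, str]]:
    """First pair of enabled policies that write different values to one variable."""
    for i, p in enumerate(fired):
        for q in fired[i + 1:]:
            for var in p.action.keys() & q.action.keys():
                if p.action[var] != q.action[var]:
                    return p, q, var
    return None


def successor(state: State, event: str, fired: List[Policy]) -> State:
    """Apply the event's environment update, then every enabled policy's action."""
    new = dict(state)
    new.update(EVENTS[event])
    for p in fired:
        new.update(p.action)
    return new


def freeze(state: State) -> Tuple:
    return tuple(sorted(state.items()))


def find_conflict(policies: List[Policy], initial: State) -> Optional[dict]:
    """BFS over reachable states; return a counterexample trace or None if conflict-free."""
    start = freeze(initial)
    parent: Dict[Tuple, Optional[Tuple[Tuple, str]]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        state = dict(cur)
        for ev in EVENTS:
            fired = enabled(policies, state, ev)
            clash = conflicting(fired)
            if clash:
                p, q, var = clash
                trace, s = [ev], cur           # rebuild the event path back to the start
                while parent[s] is not None:
                    prev, e = parent[s]
                    trace.append(e)
                    s = prev
                trace.reverse()
                return {"policies": (p.name, q.name), "variable": var,
                        "state": state, "trace": trace}
            nxt = freeze(successor(state, ev, fired))
            if nxt not in parent:
                parent[nxt] = (cur, ev)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print(find_conflict(example_policies(), INITIAL_STATE))
```

Run as-is, the checker reports that `frost_guard` and `away_cold` disagree on `heating` once the user has left and the temperature drops, together with the event trace that reaches that state; dropping `away_cold` makes the search return `None`. The trace is the practical payoff of a state-space search over a simple pairwise rule comparison: it tells the policy author which sequence of environment events exposes the contradiction.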