Information and Software Technology 000 (2017) 1–21 (article in press)
Contents lists available at ScienceDirect. Journal homepage: www.elsevier.com/locate/infsof
A formal approach to derive an aspect oriented programming-based implementation of a secure access control filter
Amel Mammar a,∗, Thi Mai Nguyen a, Régine Laleau b
a SAMOVAR, Télécom SudParis, CNRS, Université Paris-Saclay, 9 rue Charles Fourier 91011 EVRY, France
b Université Paris-Est, LACL, UPEC, IUT Sénart Fontainebleau, France
Article info
Article history: Received 8 November 2016; Revised 3 July 2017; Accepted 7 August 2017; Available online xxx
Abstract
Context: Nowadays, Information Systems (IS) are at the heart of most companies and therefore constitute a critical element that requires adequate attention regarding the security of the sensitive data they manage.
Objective: This paper presents a formal approach for developing a filter that secures access to the sensitive resources of information systems.
Method: The proposed approach consists of three complementary steps. Designers start by modeling the functionalities of the system and its security requirements using dedicated UML diagrams. These diagrams are then automatically translated into a formal B specification suitable not only for reasoning about data integrity checking but also for deriving a trustworthy implementation. Indeed, a formal refinement process is applied to the generated B specification to obtain a relational-like B implementation, which is then translated into an AspectJ implementation connected to a SQL Server (release 2014) relational database system. This generation follows the aspect oriented programming paradigm, which permits a separation of concerns by making a clear distinction between functional and security aspects.
Results: A systematic formal approach to derive a secure filter that regulates access to the sensitive data of an information system. The filter considers both static and dynamic access rules. A tool that supports the proposed approach is also provided.
Conclusion: The approach has been applied to several case studies, which demonstrate that the tool frees developers from tedious and error-prone tasks: they need only push a button to generate the AspectJ code of an application.
© 2017 Elsevier B.V. All rights reserved.
1. Introduction
An Information System (IS) is the part of an organization responsible for collecting and manipulating all its relevant and sensitive data. Nowadays, it is at the heart of most companies and therefore constitutes a critical element that requires adequate attention regarding security. Indeed, an information system often interacts with humans or other systems by exchanging information, and any security breach may have serious and even irreversible consequences. To avoid such risks, a common way is to control access to information systems by defining security rules. Roughly speaking, a security rule specifies, for an authenticated user, which actions are allowed or forbidden according to his/her current role and context.
∗ Corresponding author.
E-mail addresses: amel.mammar@telecom-sudparis.eu, amel.mammar@gmail.com (A. Mammar), thimai.nguyen@telecom-sudparis.eu (T.M. Nguyen), laleau@u-pec.fr (R. Laleau).
To ensure the security of a system, many types of access rules may be required. These rules can be classified into two main classes: static and dynamic. Static access rules refer to a single given moment of the system (i.e., the values of the data are all taken at the same moment), whereas dynamic access rules require the execution history of the system to be taken into account, that is, the actions already performed in the system in general or by a given user in particular. For example, in a hospital, a static access rule can be “only a person with the role Doctor can make a diagnosis”, whereas a dynamic access rule can be “the person who performs a laboratory test cannot validate it”. In addition to these kinds of rules, usual functional constraints, such as the maximum number of patients each doctor can treat, need to be considered. In this paper, we propose to use three UML-based languages: a class diagram to describe the structure of the data manipulated in the system together with their functional constraints, SecureUML [6,28] to deal with static access rules and adapted UML activity diagrams [42] for dynamic access rules.
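The three kinds of rule in the hospital example can be enforced by one filter placed in front of the business methods, with the security checks kept apart from the functional code. The following Python sketch is an added illustration and not the output of the paper's tool (which generates AspectJ): a decorator stands in for AspectJ before/after advice, and the role names, the limit of two patients per doctor, and the Session/State structures are assumptions made for the example.

```python
"""Added example: a filter enforcing a static rule, a dynamic (history-based)
rule and a functional constraint, kept separate from the business methods.
Role names, the patient limit and the data structures are assumed."""
from dataclasses import dataclass, field
from functools import wraps


class AccessDenied(Exception):
    """Raised by the filter when one of the rules rejects the call."""


@dataclass
class Session:
    user: str
    role: str


@dataclass
class State:
    # Functional data, i.e. what the class diagram would describe.
    patients_of: dict = field(default_factory=dict)  # doctor -> set of patient ids
    # Execution history: the extra information dynamic rules need.
    history: list = field(default_factory=list)      # (user, action, target) tuples


# Assumed value for the functional constraint quoted in the text.
MAX_PATIENTS_PER_DOCTOR = 2

# Static rules: which roles may perform each action (assumed role names).
STATIC_RULES = {
    "make_diagnosis": {"Doctor"},
    "perform_lab_test": {"LabTechnician"},
    "validate_lab_test": {"Doctor", "LabTechnician"},
}


def check_static(session, action):
    """Static rule: depends only on the current role, not on history."""
    if session.role not in STATIC_RULES.get(action, set()):
        raise AccessDenied(f"role {session.role} may not {action}")


def check_dynamic(state, session, action, target):
    """Dynamic rule: 'the person who performs a laboratory test cannot validate it'."""
    if action == "validate_lab_test" and \
            (session.user, "perform_lab_test", target) in state.history:
        raise AccessDenied(f"{session.user} performed {target} and cannot validate it")


def check_functional(state, session, action, target):
    """Functional constraint: at most MAX_PATIENTS_PER_DOCTOR patients per doctor."""
    if action == "make_diagnosis":
        current = state.patients_of.get(session.user, set())
        if target not in current and len(current) >= MAX_PATIENTS_PER_DOCTOR:
            raise AccessDenied(f"{session.user} already treats {len(current)} patients")


def secured(action):
    """Plays the role of AspectJ before/after advice: the wrapped business
    method knows nothing about the rules, and every successful call is
    recorded in the history so later dynamic checks can see it."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(state, session, target):
            check_static(session, action)                 # before advice
            check_dynamic(state, session, action, target)
            check_functional(state, session, action, target)
            result = fn(state, session, target)
            state.history.append((session.user, action, target))  # after advice
            return result
        return wrapper
    return decorate


@secured("make_diagnosis")
def make_diagnosis(state, session, patient):
    state.patients_of.setdefault(session.user, set()).add(patient)
    return f"diagnosis:{patient}:{session.user}"


@secured("perform_lab_test")
def perform_lab_test(state, session, test):
    return f"performed:{test}:{session.user}"


@secured("validate_lab_test")
def validate_lab_test(state, session, test):
    return f"validated:{test}:{session.user}"


def attempt(fn, state, session, target):
    """Run a secured call and report the filter's verdict."""
    try:
        fn(state, session, target)
        return "allowed"
    except AccessDenied:
        return "denied"


def run_scenario():
    """Constructed scenario exercising each kind of rule once."""
    state = State()
    doctor = Session("alice", "Doctor")
    tech = Session("bob", "LabTechnician")
    nurse = Session("carol", "Nurse")
    return [
        attempt(make_diagnosis, state, nurse, "p1"),      # static rule: denied
        attempt(make_diagnosis, state, doctor, "p1"),     # allowed
        attempt(perform_lab_test, state, tech, "t1"),     # allowed, recorded in history
        attempt(validate_lab_test, state, tech, "t1"),    # dynamic rule: denied
        attempt(validate_lab_test, state, doctor, "t1"),  # allowed, someone else did the test
        attempt(make_diagnosis, state, doctor, "p2"),     # allowed, second patient
        attempt(make_diagnosis, state, doctor, "p3"),     # functional constraint: denied
        attempt(make_diagnosis, state, doctor, "p1"),     # allowed, already her patient
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The point of the decorator is the same as the paper's use of aspects: the rule logic lives in one place and can be regenerated from the model without touching the business methods. Note that the dynamic rule only works because the filter itself appends to the history after each successful call; a filter that checks before but never records would silently turn the dynamic rule into a static one.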
http://dx.doi.org/10.1016/j.infsof.2017.08.001