Seamless Secure Development of Systems: From Modeling to Enforcement of Access Control Policies

Saeed Parsa, Morteza Damanafshan
Department of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
parsa@iust.ac.ir, morteza_damanafshan@comp.iust.ac.ir

Abstract

Despite the emphasis on closing the gap between software models and implementation code, little effort has been made to apply software tools that enforce access control models directly in program code. In this paper the design and implementation of an access control policy enforcement environment is described. Within this environment, View-Based Access Control policies defined in XML Metadata Interchange (XMI) format are translated into the View Policy Language. The View Policy Language primitives are then translated into Java primitives, which are finally enforced in the Java program code to be secured. Two major benefits of applying the proposed approach for modeling and enforcing access control policies are rapid development of view-based customized applications and secure enforcement of an ordered chain of method executions.

1. Introduction

Authorization, or access control, is one of the foundations of computer security and is becoming an important issue in many areas. Traditionally an application was assumed to be secure if it applied cryptography, security protocols and so on. As software technology progresses, new security attacks and vulnerabilities [5,14] emerge that cannot be countered using traditional approaches, which is why relying solely on such techniques fails [2]. In fact these techniques protect information only against unauthorized access in transit over the network. In addition, the conventional techniques treat programs as black boxes and cannot observe what happens inside them.
Nowadays, the security issues addressed during the design and development stages are no longer limited to low-level protections such as memory safety, since most of these are enforced automatically by memory-safe programming languages such as Java. Today's security requirements differ from those of 10 years ago, because of market needs and new advances in information technology, which in turn raise new access control requirements. To satisfy current needs, computer security researchers aim to enforce security and access control policies in applications' source code and even at higher levels, such as applications' high-level design models. In general, securing a program through access control policies is a two-phase process. The first phase is obtaining and modeling the access control policies, and the second is enforcing those policies in the program. There are several tools and languages [3,16-20,22-25,30,32] for modeling access control policies. Several approaches have also been proposed for enforcing security and access control code in programs. Some of these approaches enforce access control policies at the assembly and bytecode level [28,33], whereas others do so at higher levels [12,13]. The important point is that both phases must be taken into consideration: neither can be emphasized at the expense of the other. If we focus only on modeling access control policies, an inappropriate way of enforcing them will impose a heavy runtime burden on the secured system. Conversely, if we focus on enforcing access control policies and pay little attention to modeling, another problem arises: errors and inconsistencies in the policies themselves go undetected until they are already embedded in the code.
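To make the enforcement phase concrete, the following is an added example, written for this page and not code from the paper or its View Policy Language tool. It shows, in plain Java, the two checks that the abstract's "view-based" and "ordered chain of method executions" primitives amount to once they reach program code: a role is bound to a view (the set of methods it may invoke on a protected object), and each method additionally checks that it follows one of its permitted predecessors. The class names (DocumentService, View, AccessDenied), the roles "reader" and "editor", and the open/read/write/close chain are assumptions made up for the illustration; the paper generates such checks from an XMI model rather than writing them by hand.

```java
import java.util.*;

// Illustrative, hand-written Java enforcement of a view-based access control
// policy plus an ordered method chain. All names and the policy itself are
// assumptions for this example; they are not the paper's generated primitives.
public class ViewPolicyDemo {

    // A view names the methods a role may invoke on the protected object.
    static final class View {
        final String name;
        final Set<String> permitted;
        View(String name, String... methods) {
            this.name = name;
            this.permitted = new LinkedHashSet<>(Arrays.asList(methods));
        }
    }

    // Role -> view assignment: the access control policy (assumed for the demo).
    static final Map<String, View> POLICY = new HashMap<>();
    static {
        POLICY.put("reader", new View("ReadOnly", "open", "read", "close"));
        POLICY.put("editor", new View("ReadWrite", "open", "read", "write", "close"));
    }

    // Ordered chain: a method may only be invoked after one of its listed
    // predecessors; "<start>" denotes the state before any call.
    static final Map<String, Set<String>> CHAIN = new HashMap<>();
    static {
        CHAIN.put("open",  Set.of("<start>", "close"));
        CHAIN.put("read",  Set.of("open", "read", "write"));
        CHAIN.put("write", Set.of("open", "read", "write"));
        CHAIN.put("close", Set.of("open", "read", "write"));
    }

    static final class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // The protected object, with the enforcement primitive inlined at the
    // entry of every method (the point where a generator would insert it).
    static final class DocumentService {
        private final String role;
        private String last = "<start>";

        DocumentService(String role) { this.role = role; }

        private void enforce(String method) {
            View view = POLICY.get(role);
            if (view == null || !view.permitted.contains(method)) {
                throw new AccessDenied(role + " may not call " + method
                        + " (view: " + (view == null ? "none" : view.name) + ")");
            }
            if (!CHAIN.get(method).contains(last)) {
                throw new AccessDenied(method + " may not follow " + last);
            }
            last = method;  // advance the chain only after both checks pass
        }

        public void open()   { enforce("open");  System.out.println(role + ": open"); }
        public String read() { enforce("read");  System.out.println(role + ": read");  return "contents"; }
        public void write()  { enforce("write"); System.out.println(role + ": write"); }
        public void close()  { enforce("close"); System.out.println(role + ": close"); }
    }

    // Runs one call and reports whether the policy allowed it.
    static boolean attempt(Runnable call) {
        try {
            call.run();
            return true;
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        DocumentService asReader = new DocumentService("reader");
        attempt(asReader::open);
        attempt(asReader::read);
        attempt(asReader::write);   // denied: write is not in the ReadOnly view
        attempt(asReader::close);   // allowed: close may follow read

        DocumentService asEditor = new DocumentService("editor");
        attempt(asEditor::write);   // denied: write may not precede open
        attempt(asEditor::open);
        attempt(asEditor::write);
        attempt(asEditor::close);
    }
}
```

Two details matter for the enforcement being secure rather than merely present: the chain state is advanced only after both checks succeed, so a denied call cannot move the object into a state it never legitimately reached, and the view check runs before the chain check, so a caller outside the view learns nothing about the sequencing rules from the error it receives.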
Note that security and access control policies are most often compromised not by breaking the dedicated mechanisms such as encryption or access control, but by exploiting weaknesses in the way they are used [1]. This usually occurs because of the complexity of access control policies. Modeling these policies at the system design stage can mitigate this problem to a great extent: the higher the abstraction level at which security policies are expressed, the more likely it is that problems and inconsistencies among them can be revealed and resolved. Thus access control policies cannot be inserted into security-critical systems blindly, and the overall system development must take security aspects into account [1]. Indeed, security is now a feature of the system as a whole [4], and it cannot be treated as an add-on feature. Although many researchers have focused on each of the aforementioned stages (access control policies

1-4244-1031-2/07/$25.00 ©2007 IEEE