Security analysis of GTRBAC and its variants using model checking

Samrat Mondal a,*, Shamik Sural b, Vijayalakshmi Atluri c

a Information and Communication Technology, DAIICT Gandhinagar, India
b School of Information Technology, IIT, Kharagpur, India
c MSIS Department and CIMIC, Rutgers University, USA

* Corresponding author. E-mail addresses: samrat_mondal@daiict.ac.in (S. Mondal), shamik@cse.iitkgp.ernet.in (S. Sural), atluri@rutgers.edu (V. Atluri).

computers & security 30 (2011) 128–147
0167-4048/$ – see front matter. doi:10.1016/j.cose.2010.09.002

Article history: Received 1 April 2010; Received in revised form 20 August 2010; Accepted 10 September 2010

Keywords: Computation tree logic; GTRBAC; Timed automata; Verification; Safety property; Liveness property

Abstract

Security analysis is a formal verification technique to ascertain certain desirable guarantees on the access control policy specification. Given a set of access control policies, a general safety requirement in such a system is to determine whether a desirable property is satisfied in all the reachable states. Such an analysis calls for the use of formal verification techniques. While formal analysis on traditional Role Based Access Control (RBAC) has been done to some extent, recent extensions to RBAC lack such an analysis. In this paper, we consider the temporal RBAC extensions and propose a formal technique using timed automata to perform security analysis by analyzing both safety and liveness properties. Using safety properties one ensures that something bad never happens while liveness properties show that some good state is also achieved. GTRBAC is a well accepted generalized temporal RBAC model which can handle a wide range of temporal constraints while specifying different access control policies. Analysis of such a model involves a process of mapping a GTRBAC based system into a state transition system. Different reduction rules are proposed to simplify the modeling process depending upon the constraints supported by the system. The effect of different constraints on the modeling process is also studied.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

In a multiuser environment, access control is required for controlled sharing and protection of resources. Over the past few decades, many access control models have been proposed to specify the different access control policies. These primarily include Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC). Among these, RBAC has gained considerable attention due to its flexibility, ease of administration and intuitiveness. RBAC can be viewed as a state transition system where state changes occur via administrative operations.

With the proliferation of wireless technology and mobile networking several new access control requirements have come up. The traditional RBAC model is not capable of handling such requirements. Today, for instance, it is often required that access to a particular resource is given on the basis of the current time or location of the subject making the request. Due to such growing requirements, the RBAC model has been extended in various dimensions. These extensions offer flexibility in specifying a variety of security policies.

In the temporal domain two significant access control models have been proposed. Bertino et al. (2001) introduced TRBAC, which is an extension of RBAC in which a user may activate a role only during certain time intervals. In TRBAC, only temporal constraints on role activation and temporal dependencies among roles are considered. As a result, only a limited number of temporal policies can be specified using this model.