109

urn:lsid:arphahub.com:pub:3dc5f44e-8666-58db-bc76-a455210e8891

JUCS - Journal of Universal Computer Science

jucs

0948-695X 0948-6968

Journal of Universal Computer Science

10.3217/jucs-013-08-1073

28837

Research Article

D.2.4 - Software/Program Verification F.3.1 - Specifying and Verifying and Reasoning about Programs

Specification and Refinement of Access Control

Méry

Dominique

dominique.mery@loria.fr 1 Merz

Stephan

Nancy University & LORIA, Nancy, France

Nancy University & LORIA

Nancy

France 2

INRIA Nancy & LORIA, Nancy, France

INRIA Nancy & LORIA

Nancy

France

Corresponding author: Dominique Méry (dominique.mery@loria.fr).

Academic editor:

2007

28 08 2007

13 8 1073 1093 B8C7B6CE-23C9-51B2-9EBB-CCCADEF469F4 6999900

Dominique Méry, Stephan Merz

This article is freely available under the J.UCS Open Content License.

Abstract

We consider the extension of fair event system specifications by concepts of access control (prohibitions, user rights, and obligations). We give proof rules for verifying that an access control policy is correctly implemented in a system, and consider preservation of access control by refinement of event systems. Prohibitions and obligations are expressed as properties of traces and are preserved by standard refinement notions of event systems. Preservation of user rights is not guaranteed by construction; we propose to combine implementation-level user rights and obligations to implement high-level user rights.