The International Arab Journal of Information Technology (IAJIT)



Advanced Analysis of the Integrity of Access Control Policies: the Specific Case of Databases

Databases are considered one of the most compromised assets according to the 2014-2016 Verizon Data Breach Reports. The reason is that databases are at the heart of Information Systems (IS) and store confidential business or private records. Ensuring the integrity of sensitive records is highly required and even vital in critical systems (e-health, clouds, e-government, big data, e-commerce, etc.). Access control is a key mechanism for ensuring integrity and preserving privacy in large-scale and critical infrastructures. Nonetheless, excessive, unused and abused access privileges are identified as the most critical threats in the top ten database security threats according to the 2013-2015 Imperva Application Defense Center reports. To address this issue, we focus in this paper on the analysis of the integrity of access control policies within relational databases. We propose a rigorous and complete solution to help security architects verify the correspondence between the security planning and its concrete implementation. We define a formal framework for detecting non-compliance anomalies in concrete Role Based Access Control (RBAC) policies. We rely on an example to illustrate the relevance of our contribution.


Faouzi Jaidi received the engineering degree in computer science with Distinction from EABA in 2005. He received his Master’s degree in computer science with Distinction from the Faculty of Science, Mathematics, Physics and Natural of Tunis in 2010. He received a PhD degree in ICT with Distinction from the Higher School of Communication of Tunis (Sup’Com), in 2016. Faouzi JAIDI is currently an Assistant Professor at ESPRIT School of Engineering, Tunis, Tunisia. His professional experience from 2005 till now concerns mainly information systems and software security, networks administration and security, formal methods, databases, etc. Currently, he is a member of the Digital Security Research Lab (DSRL) at Sup’Com and a member of MINOS research group at ESPRIT. He is also a member of the Tunisian Society for Digital Security.

Faten Ayachi received in 1987 the Diploma degree in computer management with Distinction from the Higher Institute of Management of Tunis (Tunisia). In 1988, she received a Master’s degree and in 1992 a PhD degree with Distinction from UNSA, University of Nice Sophia Antipolis (France). Faten is currently an Assistant Professor at the Sup’Com Engineering School of Telecommunications in Tunisia. She is a member of the Digital Security Research Lab (DSRL) and a member of the Tunisian Society for Digital Security. Her main research areas are Information System Security and databases.

Adel Bouhoula received in 1990 the Diploma degree in computer engineering with Distinction from the University of Tunis (Tunisia). In 1991, he received a Master’s degree, in 1994 a PhD degree with Distinction and in 1998 the Habilitation degree, all in computer science from Henri Poincare University in Nancy (France). Adel BOUHOULA is currently a Professor at the Sup’Com Engineering School of Telecommunications in Tunisia and a Visiting Professor at Tsukuba University in Japan. He is the Founder and Head of the Digital Security Research Lab, and the Founder and President of the Tunisian Society for Digital Security.