Interprocedural Analysis for Automatic Evaluation of Role-Based Access Control Policies

This paper describes an interprocedural-analysis model to represent the °ow of security information in systems that have adopted Role-Based Access Control (RBAC). These systems include Java 2, Enterprise Edition (J2EE) and Microsoft .NET Common Language Run-time (CLR). The model allows:

1. Identifying the roles required to execute an enterprise application
2. Detecting potential inconsistencies caused by principal-delegation policies, which are used to overwrite the roles assigned to a user
3. Reporting if the roles assigned to a user by a given policy are redundant, which would constitute a violation of the Principle of Least Privilege, or insufficient, which would make the application unstable
4. Evaluating logical expressions of roles
5. Distinguishing intercomponent resource accesses (in which authorization is enforced) from intracomponent resource accesses (in which authorization is not enforced)

The algorithms described in this paper have been implemented as part of the Enterprise Security Policy Evaluator (ESPE) tool, built on top of IBM Research's DOMO static analysis engine. This paper presents the results obtained by executing ESPE on several applications.

By: Marco Pistoia; Robert J. Flynn

Published in: Nantes, France in 2006


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .