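@Comment{
  Bibliography on access control models (RBAC and its administrative,
  temporal and break-glass extensions), formal security models and
  specification-based (firewall) conformance testing.

  Conventions used in this file (classic BibTeX, 8-bit safe):
  - Publisher, address, journal and conference names are defined once as
    STRING macros below and referenced UNQUOTED; a braced macro name such
    as {pub-ieee} is a literal string and renders verbatim, so never inline
    a second spelling of a venue that already has a macro.
  - Non-ASCII letters are written as braced LaTeX accents, e.g. {\"u}.
  - Fields such as tags, clearance, timestamp, categories, bibkey, pdf, talk,
    copyright, copyrighturl, acmid, numpages, mynote, public, acknowledgement
    and internal-note are ignored by the standard styles; they are local
    annotations only.
  - Missing bibliographic data (volume, number, pages, publisher) has NOT
    been filled in; such entries carry an internal-note so the DOI can be
    checked before citing.
  - The doi macro in the preamble links via the https://doi.org resolver;
    doi fields hold the bare DOI without any resolver prefix.
}

@PREAMBLE{
    {\providecommand{\ac}[1]{\textsc{#1}} }
  # {\providecommand{\acs}[1]{\textsc{#1}} }
  # {\providecommand{\acf}[1]{\textsc{#1}} }
  # {\providecommand{\TAP}{T\kern-.1em\lower-.5ex\hbox{A}\kern-.1em P} }
  # {\providecommand{\leanTAP}{\mbox{\sf lean\it\TAP}} }
  # {\providecommand{\holz}{\textsc{hol-z}} }
  # {\providecommand{\holocl}{\textsc{hol-ocl}} }
  # {\providecommand{\isbn}{\textsc{isbn}} }
  # {\providecommand{\Cpp}{C++} }
  # {\providecommand{\Specsharp}{Spec\#} }
  # {\providecommand{\doi}[1]{\href{https://doi.org/#1}{doi: {\urlstyle{rm}\nolinkurl{#1}}}}}
}

@STRING{conf-sacmat      = {ACM symposium on access control models and technologies (SACMAT)}}
@STRING{j-computer       = {Computer}}
@STRING{j-fac            = {Formal Aspects of Computing (FAC)}}
@STRING{j-stvr           = {Software Testing, Verification \& Reliability (STVR)}}
@STRING{j-tissec         = {ACM Transactions on Information and System Security}}
@STRING{proc             = {Proceedings of the }}
@STRING{pub-acm          = {ACM Press}}
@STRING{pub-acm:adr      = {New York, NY, USA}}
@STRING{pub-elsevier     = {Elsevier Science Publishers}}
@STRING{pub-ieee         = {IEEE Computer Society}}
@STRING{pub-ieee:adr     = {Los Alamitos, CA, USA}}
@STRING{pub-springer     = {Springer-Verlag}}
@STRING{pub-springer:adr = {Heidelberg}}
@STRING{pub-wiley        = {John Wiley \& Sons}}
@STRING{s-lncs           = {Lecture Notes in Computer Science}}

@Article{ brucker.ea:formal-fw-testing:2014,
  author        = {Brucker, Achim D. and Br{\"u}gger, Lukas and Wolff, Burkhart},
  title         = {Formal Firewall Conformance Testing: An Application of Test and Proof Techniques},
  journal       = j-stvr,
  publisher     = pub-wiley,
  year          = {2014},
  doi           = {10.1002/stvr.1544},
  url           = {http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014},
  pdf           = {http://www.brucker.ch/bibliography/download/2014/brucker.ea-formal-fw-testing-2014.pdf},
  language      = {USenglish},
  keywords      = {model-based testing; conformance testing; security testing; firewall; specification-based testing; testing cloud infrastructure; transformation for testability; HOL-TestGen; test and proof; security configuration testing},
  abstract      = {Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf products, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case generation approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect to the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented.},
  internal-note = {volume, number and pages not recorded; the former address field referenced an undefined macro (pub-wiley:adr) and was dropped},
}

@InProceedings{ brucker.ea:hol-testgen-fw:2013,
  author    = {Brucker, Achim D. and Br{\"u}gger, Lukas and Wolff, Burkhart},
  title     = {{HOL-TestGen/FW:} An Environment for Specification-based Firewall Conformance Testing},
  booktitle = {International Colloquium on Theoretical Aspects of Computing (ICTAC)},
  editor    = {Liu, Zhiming and Woodcock, Jim and Zhu, Huibiao},
  series    = s-lncs,
  volume    = {8049},
  pages     = {112--121},
  publisher = pub-springer,
  address   = pub-springer:adr,
  location  = {Shanghai},
  year      = {2013},
  isbn      = {978-3-642-39717-2},
  doi       = {10.1007/978-3-642-39718-9_7},
  url       = {http://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-fw-2013},
  pdf       = {http://www.brucker.ch/bibliography/download/2013/brucker.ea-hol-testgen-fw-2013.pdf},
  language  = {USenglish},
  keywords  = {symbolic test case generations, black box testing, theorem proving, network security, firewall testing, conformance testing},
  abstract  = {The HOL-TestGen environment is conceived as a system for modeling and semi-automated test generation with an emphasis on expressive power and generality. However, its underlying technical framework Isabelle/HOL supports the customization as well as the development of highly automated add-ons working in specific application domains. In this paper, we present HOL-TestGen/fw, an add-on for the test framework HOL-TestGen, that allows for testing the conformance of firewall implementations to high-level security policies. Based on generic theories specifying a security-policy language, we developed specific theories for network data and firewall policies. On top of these firewall specific theories, we provide mechanisms for policy transformations based on derived rules and adapted code-generators producing test drivers. Our empirical evaluation shows that HOL-TestGen/fw is a competitive environment for testing firewalls or high-level policies of local networks.},
}

@InProceedings{ brucker.ea:model-based:2011,
  author       = {Brucker, Achim D. and Br{\"u}gger, Lukas and Kearney, Paul and Wolff, Burkhart},
  title        = {An Approach to Modular and Testable Security Models of Real-world Health-care Applications},
  booktitle    = conf-sacmat,
  pages        = {133--142},
  publisher    = pub-acm,
  address      = pub-acm:adr,
  location     = {Innsbruck, Austria},
  year         = {2011},
  isbn         = {978-1-4503-0688-1},
  doi          = {10.1145/1998441.1998461},
  url          = {http://www.brucker.ch/bibliography/abstract/brucker.ea-model-based-2011},
  pdf          = {http://www.brucker.ch/bibliography/download/2011/brucker.ea-model-based-2011.pdf},
  copyright    = {ACM},
  copyrighturl = {http://dl.acm.org/authorize?431936},
  language     = {USenglish},
  abstract     = {We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features. We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationship. The model is given in HOL and processed together with suitable test specifications in the HOL-TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing.},
}

@Article{ brucker.ea:theorem-prover:2012,
  author        = {Brucker, Achim D. and Wolff, Burkhart},
  title         = {On Theorem Prover-based Testing},
  journal       = j-fac,
  volume        = {25},
  number        = {5},
  pages         = {683--721},
  publisher     = pub-springer,
  address       = pub-springer:adr,
  year          = {2013},
  issn          = {0934-5043},
  doi           = {10.1007/s00165-012-0222-y},
  url           = {http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012},
  pdf           = {http://www.brucker.ch/bibliography/download/2012/brucker.ea-theorem-prover-2012.pdf},
  language      = {USenglish},
  keywords      = {test case generation, domain partitioning, test sequence, theorem proving, HOL-TestGen},
  abstract      = {HOL-TestGen is a specification and test case generation environment extending the interactive theorem prover Isabelle/HOL. As such, HOL-TestGen allows for an integrated workflow supporting interactive theorem proving, test case generation, and test data generation. The HOL-TestGen method is two-staged: first, the original formula is partitioned into test cases by transformation into a normal form called test theorem. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test-hypotheses which can be proven over concrete programs. Due to the generality of the underlying framework, our system can be used for black-box unit, sequence, reactive sequence and white-box test scenarios. Although based on particularly clean theoretical foundations, the system can be applied for substantial case-studies.},
  internal-note = {the key carries 2012 while the year field says 2013; presumably online-first vs. print issue -- verify against the DOI},
}

@PhDThesis{ bruegger:generation:2012,
  author     = {Br{\"u}gger, Lukas},
  title      = {A Framework for Modelling and Testing of Security Policies},
  school     = {ETH Zurich},
  year       = {2012},
  note       = {ETH Dissertation No. 20513.},
  url        = {http://www.brucker.ch/bibliography/abstract/bruegger-generation-2012},
  pdf        = {http://www.brucker.ch/bibliography/download/bruegger-generation-2012.pdf},
  categories = {holtestgen},
  public     = {yes},
}

@InProceedings{ barker:next:2009,
  author    = {Barker, Steve},
  title     = {The next 700 access control models or a unifying meta-model?},
  booktitle = proc # {14th } # conf-sacmat,
  series    = {SACMAT '09},
  pages     = {187--196},
  numpages  = {10},
  publisher = pub-acm,
  address   = pub-acm:adr,
  location  = {Stresa, Italy},
  year      = {2009},
  isbn      = {978-1-60558-537-6},
  doi       = {10.1145/1542207.1542238},
  acmid     = {1542238},
  keywords  = {access control models, access control policies},
  abstract  = {We address some fundamental questions, which were raised by Atluri and Ferraiolo at SACMAT'08, on the prospects for and benefits of a meta-model of access control. We demonstrate that a meta-model for access control can be defined and that multiple access control models can be derived as special cases. An anticipated consequence of the contribution that we describe is to encourage researchers to adopt a meta-model view of access control rather than them developing the next 700 particular instances of access control models.},
}

@Article{ sandhu.ea:role-based:1996,
  author          = {Sandhu, Ravi S. and Coyne, Edward J. and Feinstein, Hal L. and Youman, Charles E.},
  title           = {Role-Based Access Control Models},
  journal         = j-computer,
  volume          = {29},
  number          = {2},
  pages           = {38--47},
  publisher       = pub-ieee,
  address         = pub-ieee:adr,
  year            = {1996},
  issn            = {0018-9162},
  url             = {http://ite.gmu.edu/list/journals/computer/pdf_ver/i94rbac(org).pdf},
  keywords        = {Computational linguistics; Computer control systems; Computer simulation; Computer software; Data abstraction; Database systems; Discretionary access control; Encoding (symbols); Integration; Mandatory access control; Role based access control; Semantics; Software encoding; User interfaces},
  abstract        = {This article introduces a family of reference models for role-based access control (RBAC) in which permissions are associated with roles, and users are made members of appropriate roles. This greatly simplifies management of permissions. Roles are closely related to the concept of user groups in access control. However, a role brings together a set of users on one side and a set of permissions on the other, whereas user groups are typically defined as a set of users only. The basic concepts of RBAC originated with early multi-user computer systems. The resurgence of interest in RBAC has been driven by the need for general-purpose customizable facilities for RBAC and the need to manage the administration of RBAC itself. As a consequence RBAC facilities range from simple to complex. This article describes a novel framework of reference models to systematically address the diverse components of RBAC, and their interactions.},
  acknowledgement = {none},
  bibkey          = {sandhu.ea:role-based:1996},
}

@Article{ wainer.ea:dw-rbac:2007,
  author    = {Wainer, Jacques and Kumar, Akhil and Barthelmess, Paulo},
  title     = {{DW-RBAC}: A formal security model of delegation and revocation in workflow systems},
  journal   = {Information Systems},
  volume    = {32},
  number    = {3},
  pages     = {365--384},
  publisher = pub-elsevier,
  address   = {Oxford, UK},
  year      = {2007},
  issn      = {0306-4379},
  doi       = {10.1016/j.is.2005.11.008},
  abstract  = {One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. This paper shows how delegation can be introduced in a workflow system by extending the role-based access control (RBAC) model. The current RBAC model is a security mechanism to implement access control in organizations by allowing users to be assigned to roles and privileges to be associated with the roles. Thus, users can perform tasks based on the privileges possessed by their own role or roles they inherit by virtue of their organizational position. However, there is no easy way to handle delegations within this model. This paper tries to treat the issues surrounding delegation in workflow systems in a comprehensive way. We show how delegations can be incorporated into the RBAC model in a simple and straightforward manner. The new extended model is called RBAC with delegation in a workflow context (DW-RBAC). It allows for delegations to be specified from a user to another user, and later revoked when the delegation is no longer required. The implications of such specifications and their subsequent revocations are examined. Several formal definitions for assertion, acceptance, execution and revocation are provided, and proofs are given for the important properties of our delegation framework.},
  tags      = {ReadingList, SoKNOS},
  clearance = {unclassified},
  timestamp = {2008-05-26},
}

@InProceedings{ sandhu.ea:nist:2000,
  author    = {Sandhu, Ravi S. and Ferraiolo, David F. and Kuhn, D. Richard},
  title     = {The {NIST} model for role-based access control: towards a unified standard},
  booktitle = {ACM Workshop on Role-Based Access Control},
  pages     = {47--63},
  year      = {2000},
  doi       = {10.1145/344287.344301},
  tags      = {ReadingList, AccessControl},
  clearance = {unclassified},
  timestamp = {2008-05-26},
}

@Article{ samuel.ea:context-aware:2008,
  author    = {Samuel, A. and Ghafoor, A. and Bertino, E.},
  title     = {Context-Aware Adaptation of Access-Control Policies},
  journal   = {IEEE Internet Computing},
  volume    = {12},
  number    = {1},
  pages     = {51--54},
  year      = {2008},
  issn      = {1089-7801},
  doi       = {10.1109/MIC.2008.6},
  keywords  = {authorisation, disasters, organisational aspects; access-control policy, context-aware adaptation, digital resource protection, natural disaster, organizational task, public-service delivery mechanism},
  abstract  = {Today, public-service delivery mechanisms such as hospitals, police, and fire departments rely on digital generation, storage, and analysis of vital information. To protect critical digital resources, these organizations employ access-control mechanisms, which define rules under which authorized users can access the resources they need to perform organizational tasks. Natural or man-made disasters pose a unique challenge, whereby previously defined constraints can potentially debilitate an organization's ability to act. Here, the authors propose employing contextual parameters -- specifically, activity context in the form of emergency warnings -- to adapt access-control policies according to a priori configuration.},
  tags      = {ReadingList, AccessControl, SoKNOS},
  clearance = {unclassified},
  timestamp = {2008-05-26},
}

@Article{ bertino.ea:trbac:2001,
  author    = {Bertino, Elisa and Bonatti, Piero Andrea and Ferrari, Elena},
  title     = {{TRBAC}: A temporal role-based access control model},
  journal   = j-tissec,
  volume    = {4},
  number    = {3},
  pages     = {191--233},
  publisher = pub-acm,
  address   = pub-acm:adr,
  year      = {2001},
  issn      = {1094-9224},
  doi       = {10.1145/501978.501979},
  tags      = {noTAG},
  clearance = {unclassified},
  timestamp = {2008-05-29},
}

@InProceedings{ moyer.ea:generalized:2001,
  author        = {Moyer, M. J. and Ahamad, M.},
  title         = {Generalized role-based access control},
  booktitle     = {21st International Conference on Distributed Computing Systems (ICDCS)},
  pages         = {391--398},
  year          = {2001},
  month         = apr,
  doi           = {10.1109/ICDSC.2001.918969},
  keywords      = {authorisation, distributed processing, transaction processing; GRBAC, JPEG, RBAC, access control, access control decisions, access control models, environment roles, environmental information, expressive power, generalized role based access control, object roles, object type, rich access control policies, security policy, security-relevant characteristics, sensitivity level, subject roles},
  abstract      = {Generalized Role-Based Access Control (GRBAC) is a new paradigm for creating and maintaining rich access control policies. GRBAC leverages and extends the power of traditional role based access control (RBAC) by incorporating subject roles, object roles and environment roles into access control decisions. Subject roles are like traditional RBAC roles: they abstract the security-relevant characteristics of subjects into categories that can be used in defining a security policy. Similarly, object roles abstract the various properties of objects, such as object type (e.g., text, JPEG, executable) or sensitivity level (e.g., classified, top secret) into categories. Environment roles capture environmental information, such as time of day or system load so it can be used to mediate access control. Together, these three types of roles offer flexibility and expressive power, as well as a degree of usability not found in current access control models.},
  internal-note = {publisher not recorded; the former journal field held the conference name and was moved to booktitle},
  tags          = {noTAG},
  clearance     = {unclassified},
  timestamp     = {2008-05-29},
}

@Article{ bell.ea:secure:1996,
  author  = {Bell, D. Elliott and LaPadula, Leonard J.},
  title   = {Secure Computer Systems: A Mathematical Model, Volume {II}},
  journal = {Journal of Computer Security},
  volume  = {4},
  pages   = {229--263},
  year    = {1996},
  note    = {An electronic reconstruction of ``Secure Computer Systems: Mathematical Foundations'', 1973},
}

@InProceedings{ bell:looking:2005,
  author    = {Bell, D. Elliott},
  title     = {Looking Back at the {Bell-La Padula} Model},
  booktitle = proc # {21st Annual Computer Security Applications Conference (ACSAC)},
  pages     = {337--351},
  publisher = pub-ieee,
  address   = pub-ieee:adr,
  year      = {2005},
  issn      = {1063-9527},
  doi       = {10.1109/CSAC.2005.37},
}

@Booklet{ oasis:xacml:2005,
  title        = {{eXtensible Access Control Markup Language (XACML)}, Version 2.0},
  howpublished = {{OASIS} Standard},
  publisher    = {OASIS},
  key          = {OASIS},
  year         = {2005},
  url          = {http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip},
  language     = {USenglish},
  public       = {yes},
  bibkey       = {oasis:xacml:2005},
}

@InProceedings{ ferreira.ea:how:2009,
  author        = {Ferreira, Ana and Chadwick, David and Farinha, Pedro and Zhao, Gansen and Chilro, Rui and Cruz-Correia, Ricardo and Antunes, Luis},
  title         = {How to securely break into {RBAC}: the {BTG-RBAC} model},
  booktitle     = {Annual Computer Security Applications Conference (ACSAC)},
  year          = {2009},
  abstract      = {Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. Although flexible and easier to manage within large-scale authorization frameworks, RBAC is usually a static model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies can be provided in order to break or override the access controls within an access control policy but in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option BTG. This allows break the glass policies to be implemented in any application without any major changes to either the application or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.},
  internal-note = {pages, publisher and DOI not recorded},
}

@Manual{ ansi:rbac:2004,
  title        = {American National Standard for Information Technology -- Role Based Access Control},
  organization = {ANSI},
  publisher    = {The American National Standards Institute},
  address      = {New York},
  year         = {2004},
  month        = feb,
  note         = {ANSI INCITS 359-2004},
  abstract     = {This standard describes RBAC features that have achieved acceptance in the commercial marketplace. It includes a reference model and functional specifications for the RBAC features defined in the reference model. It is intended for (1) software engineers and product development managers who design products incorporating access control features; and (2) managers and procurement officials who seek to acquire computer security products with features that provide access control capabilities in accordance with commonly known and understood terminology and functional specifications.},
  bibkey       = {ansi:rbac:2004},
}

@Article{ li.ea:critique:2007,
  author   = {Li, Ninghui and Byun, JiWon and Bertino, Elisa},
  title    = {A Critique of the {ANSI} Standard on Role-Based Access Control},
  journal  = {IEEE Security \& Privacy},
  volume   = {5},
  number   = {6},
  pages    = {41--49},
  year     = {2007},
  month    = nov # "--" # dec,
  issn     = {1540-7993},
  doi      = {10.1109/MSP.2007.158},
  keywords = {ANSI standard; IT product vendors; role-based access control; DP industry; authorisation; standards},
  abstract = {In 2004, the American National Standards Institute approved the Role-Based Access Control standard to fulfill ``a need among government and industry purchasers of information technology products for a consistent and uniform definition of role based access control (RBAC) features''. Such uniform definitions give IT product vendors and customers a common and unambiguous terminology for RBAC features, which can lead to wider adoption of RBAC and increased productivity. However, the current ANSI RBAC Standard has several limitations, design flaws, and technical errors that, if unaddressed, could lead to confusions among IT product vendors and customers and to RBAC implementations with different semantics, thus defeating the standard's purpose.},
}

@Article{ ardagna.ea:access:2010,
  author        = {Ardagna, Claudio A. and {De Capitani di Vimercati}, Sabrina and Foresti, Sara and Grandison, Tyrone W. and Jajodia, Sushil and Samarati, Pierangela},
  title         = {Access control for smarter healthcare using policy spaces},
  journal       = {Computers \& Security},
  year          = {2010},
  issn          = {0167-4048},
  doi           = {10.1016/j.cose.2010.07.001},
  keywords      = {Access control, Break the glass, Policy spaces, Exceptions, Healthcare systems},
  abstract      = {A fundamental requirement for the healthcare industry is that the delivery of care comes first and nothing should interfere with it. As a consequence, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed in case of emergencies. This phenomenon, called ``break the glass'', is a common pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, from a security perspective, it represents a serious system weakness. Malicious users, in fact, can abuse the system by exploiting the break the glass principle to gain unauthorized privileges and accesses. In this paper, we propose an access control solution aimed at better regulating break the glass exceptions that occur in healthcare systems. Our solution is based on the definition of different policy spaces, a language, and a composition algebra to regulate access to patient data and to balance the rigorous nature of traditional access control systems with the ``delivery of care comes first'' principle.},
  internal-note = {volume, number and pages not recorded},
}

@Article{ sandhu.ea:arbac97:1999,
  author    = {Sandhu, Ravi and Bhamidipati, Venkata and Munawer, Qamar},
  title     = {The {ARBAC97} model for role-based administration of roles},
  journal   = j-tissec,
  volume    = {2},
  number    = {1},
  pages     = {105--135},
  publisher = pub-acm,
  address   = pub-acm:adr,
  year      = {1999},
  issn      = {1094-9224},
  doi       = {10.1145/300830.300839},
  abstract  = {In role-based access control (RBAC), permissions are associated with roles, and users are made members of roles, thereby acquiring the roles' permissions. RBAC's motivation is to simplify administration of authorizations. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience and scalability, especially in decentralizing administrative authority, responsibility, and chores. This paper describes the motivation, intuition, and formal definition of a new role-based model for RBAC administration. This model is called ARBAC97 (administrative RBAC '97) and has three components: URA97 (user-role assignment '97), PRA97 (permission-role assignment '97), and RRA97 (role-role assignment '97) dealing with different aspects of RBAC administration. URA97, PRA97, and an outline of RRA97 were defined in 1997, hence the designation given to the entire model. RRA97 was completed in 1998. ARBAC97 is described completely in this paper for the first time. We also discuss possible extensions of ARBAC97.},
}

@Article{ becker:information:2007,
  author    = {Becker, Moritz Y.},
  title     = {Information governance in {NHS}'s {NPfIT}: A case for policy specification},
  journal   = {International Journal of Medical Informatics},
  volume    = {76},
  number    = {5--6},
  pages     = {432--437},
  publisher = pub-elsevier,
  year      = {2007},
  issn      = {1386-5056},
  doi       = {10.1016/j.ijmedinf.2006.09.008},
  keywords  = {Access control},
  abstract  = {Purpose: The National Health Service's (NHS's) National Programme for Information Technology (NPfIT) in the UK with its proposed nation-wide online health record service poses serious technical challenges, especially with regard to access control and patient confidentiality. The complexity of the confidentiality requirements and their constantly evolving nature (due to changes in law, guidelines and ethical consensus) make traditional technologies such as role-based access control (RBAC) unsuitable. Furthermore, a more formal approach is also needed for debating about and communicating on information governance, as natural-language descriptions of security policies are inherently ambiguous and incomplete. Our main goal is to convince the reader of the strong benefits of employing formal policy specification in nation-wide electronic health record (EHR) projects. Approach: Many difficulties could be alleviated by specifying the requirements in a formal authorisation policy language such as Cassandra. The language is unambiguous, declarative and machine-enforceable, and is based on distributed constrained Datalog. Cassandra is interpreted within a distributed Trust Management environment, where digital credentials are used for establishing mutual trust between strangers. Results: To demonstrate how policy specification can be applied to NPfIT, we translate a fragment of natural-language NHS specification into formal Cassandra rules. In particular, we present policy rules pertaining to the management of Clinician Sealed Envelopes, the mechanism by which clinical patient data can be concealed in the nation-wide EHR service. Our case study exposes ambiguities and incompletenesses in the informal NHS documents. Conclusions: We strongly recommend the use of trust management and policy specification technology for the implementation of nation-wide EHR infrastructures. Formal policies can be used for automatically enforcing confidentiality requirements, but also for specification and communication purposes. Formalising the requirements also reveals ambiguities and missing details in the currently used informal specification documents.},
  mynote    = {``Virtual Biomedical Universities and E-Learning'' and ``Secure eHealth: Managing Risk to Patient Data'' -- E-Learning and Secure eHealth Double S.I.},
}

@InProceedings{ brucker.ea:extending:2009,
  author       = {Brucker, Achim D. and Petritsch, Helmut},
  title        = {Extending Access Control Models with Break-glass},
  booktitle    = conf-sacmat,
  editor       = {Carminati, Barbara and Joshi, James},
  pages        = {197--206},
  publisher    = pub-acm,
  address      = pub-acm:adr,
  location     = {Stresa, Italy},
  year         = {2009},
  isbn         = {978-1-60558-537-6},
  doi          = {10.1145/1542207.1542239},
  url          = {http://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009},
  pdf          = {http://www.brucker.ch/bibliography/download/2009/brucker.ea-extending-2009.pdf},
  copyright    = {ACM},
  copyrighturl = {http://dl.acm.org/authorize?175073},
  talk         = {talk:brucker.ea:extending:2009},
  keywords     = {disaster management, access-control, break-glass, model-driven security},
  abstract     = {Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.},
}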