Runtime Support for Rule-Based Access-Control Evaluation through Model-Transformation
Access-control policies, often the mechanism of choice to implement the security requirements of confidentiality and integrity, can be found in a wide range of application scenarios. Although there are standard languages for access-control and a plethora of works devoted to assure the well-formedness of access-control policies, little attention has been paid to the problem of providing robust and adaptable runtime evaluation engines for the integration of access-control in new DSL's and platforms. Indeed, the integration of access-control requires the development of critical infrastructure facilities around it, so that the policies can be: 1) analyzed and validated and 2) efficiently evaluated against run-time access requests.
In order to solve this problem, this paper explores the use of the already mature model transformation frameworks as modern, application-independent infrastructures for access-control languages i.e., following the Policy Enforcement Point(PEP)-Policy Decision Point(PDP) architecture. More specifically, we show how model-driven engineering and the ATL model-transformation framework can be used to lift the infrastructure development burden from developers by providing a robust, flexible and re-usable runtime evaluation engine for rule-based access-control policies.