
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 7, JULY 2012, ISSN (Online) 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

Security Analysis of CARBAC Model in Pervasive Computing Environment Using Colored Petri Net
S. Tafkiki Alamdari (1), S. Pashazadeh (2), and H. Mirzamohammadzadeh (3)

(1) Salar Tafkiki Alamdari is with the Electrical and Computer Engineering Department, Islamic Azad University, Zanjan Branch, Zanjan, Iran.
(2) Saied Pashazadeh is with the Faculty of Electrical and Computer Engineering, University of Tabriz, Tabriz, Iran.
(3) Hamed Mirzamohammadzadeh is with the Faculty of Multimedia and Information Technology, CQ University, Sydney, Australia.

Abstract: With the rapid growth of computing technology, we are moving toward the era of pervasive computing. The accuracy of access control mechanisms is a major challenge in these environments. A pervasive computing application commonly collects data from a wide spectrum of resources, processes it, and distributes it among different users. Much of the exchanged data is important enough that it must be protected. Many models for user access control in pervasive computing have been proposed, and their features are being refined continually. In this article we model and verify the security of a context-aware role-based access control (CARBAC) policy using Colored Petri Nets. Our main purpose is to prove the accuracy and integrity of CARBAC and to detect conflicts among its features. The user's time and location are environmental contexts that take part in decisions such as user-to-role assignment, permission-to-role assignment, permission and role hierarchy, and separation of duties. We applied this model to the design of a university's pervasive computing environment and then wrote queries in the ML programming language for integrity analysis and verification of the model.

Index Terms: Context Aware Role Based Access Control (CARBAC), Pervasive Computing Environment, Access Control Graph, Colored Petri Net, State Space Analysis.

1 INTRODUCTION

Pervasive computing, also called ubiquitous, invisible, hidden or silent computing, is the term for computing that is blended into the environment: the objects around us contain embedded computers that do the computing instead of visible desktop computers [1]. The technology used in a pervasive computing environment is divided into four major parts: 1) devices (input devices, output devices, mobile wireless devices, smart devices), 2) networks (a combination of telecommunication technologies such as wired/wireless, fixed/mobile, and even the worldwide Internet), 3) middleware, and 4) applications. Pervasive computing offers its various services based on the knowledge it gains from the environment, and is therefore counted as a new era of computing [2]. The use of these environments includes cases in which different organizations interact in complicated and unbounded ways. Such unlimited interactions can have effects such as violation of privacy and consequently reduced security. Hence, when designing applications for these environments, sufficient information about the following must be gathered: the resources and entities that will be available, and answers to questions such as: Which entities will interact with each other? Which data may be transferred to which entities? How must data that is used or created by entities be protected? Which entities can be trusted, and how does this trust change over time? Security and privacy preservation are basic concerns in these applications. Suppose a heart patient lives in a smart home. Data gathered from sensors located in the environment is sent to a monitoring system, and in an emergency the system must make suitable decisions. In scenarios of this kind, preventing wrong data from being sent to the monitoring system is essential.

The policies and mechanisms of conventional applications are inadequate for pervasive computing environments for the following reasons [3]:
1. Pervasive computing applications are nondeterministic: entities in the system will communicate with resources about which they may have some prior knowledge.
2. These applications are dynamic in nature because entities change over time. Resources need to be protected in such dynamic environments, and an entity's access to resources may change many times during a program run.


Pervasive computing applications use knowledge about their physical environment. For example, access to a resource may depend on the location and time of the access. This context information can be used to infer users' activities, so it can itself constitute a privacy violation and must be protected. In systems development, ignoring some interaction patterns at design time may confront the system with problems at implementation. Modeling is a means of simplifying the complicated facts of a system; with it we can check the accuracy of the system and debug it before the complete system is implemented and deployed [4]. Access control models suitable for pervasive computing environments support various features such as hierarchical structure, separation of duties, role basis, context awareness, and so on. In these models the different characteristics may conflict with each other, so analyzing and understanding these models before their wide deployment is essential. Users, through a series of roles, gain access to the permissions needed to perform their operations. These accesses are granted when spatio-temporal constraints are met. Entities include users, roles and permissions. The relation between these entities is declared by an access control graph. Different concepts such as user-to-role assignment, permission-to-role assignment, permission and role hierarchy, separation of duties between roles and permissions, and delegation are visible in this graph. In this article we model a context-aware role-based access control (CARBAC) policy as a colored Petri net using CPN Tools. State space analysis yields very useful information about the features of the model, and by model checking those features we can prove the accuracy of the desired access control policy. We define an infeasible path as an invalid access path, i.e. an access path that cannot grant the authorization of any permission to a user. Infeasible paths arise from conditions in the system under which users, acting in particular roles, are not allowed to perform some operations. The main reason for modeling an access control policy is to answer this question: in a specific access control policy, are there erroneous infeasible paths for the users or not?

2 RELATED WORKS
Researchers use formal logic to describe the policies of permission granting and analyze the model with its help. In this part of the paper we focus on the major methods used for analyzing access control models, with emphasis on RBAC extensions. The Z modeling language was used in some research [5]: Z represents the features and limitations of RBAC formally, but it has no tool that can automatically analyze the models. In other research, a new extension of the Unified Modeling Language (UML) is used for visualizing attributes of RBAC [6]; this method lacks the capabilities required for automatic analysis of the model. Some researchers used Alloy for modeling the features of their proposed RBAC model. With Alloy, basic RBAC attributes such as role hierarchy and static duty separation can be modeled. Although Alloy is capable of automatic analysis, it performs that analysis only within limited dimensions and hence is not suitable for pervasive computing [7]. Smart et al. show how GTRBAC features can be analyzed with the help of Timed Automata (TA) [8]. They present a method for converting a GTRBAC model to a state transition model; the obtained model captures the behavior of the GTRBAC elements such as users, roles and permissions, and the construction of the TA exposes the different behaviors of these elements. Verification and validation are performed automatically using the tool Uppaal. Knorr [9] uses Petri nets to make access control in workflow systems dynamic: instead of a global static access control matrix granting subjects rights to data items for the whole system, he proposes assigning a local matrix to each transition that grants subjects (those that will execute the transition) rights only to the data consumed or produced by that transition. In subsequent work [10], Knorr shows how Petri nets can be used to analyze the information flow in a workflow system where authorizations are granted according to the Bell-LaPadula model. Varadharajan [11] proposes an extended Petri net formalism called Information Flow Security net (IFS) that models information flow security policies expressed through the Petri net structure. Shafiq et al. [12] present a verification framework for GTRBAC using Colored Petri nets. They consider only some interesting constraints, without explicitly including the temporal dimension; moreover, they do not use any tool and do not take advantage of the high modeling power of Colored Petri nets to represent, e.g., user-role assignment and seniority relationships. Zhang et al. [13] presented an approach for modeling the Chinese Wall policy using CP-nets. In subsequent work, Zhang et al. [14] also used CP-nets to systematically analyze information flow under a strict integrity policy such as Biba's model. In [15], Atluri and Huang's work has been refined to present a role-based authorization model in the CP-net formalism. The authors of [15] propose associating legitimate roles with each task so that only members of the legitimate roles can be authorized to perform the task; however, they create a place for each role, whereas all roles could be grouped in a unique place and distinguished by colors. Colored Petri nets are a powerful tool for modeling and formal analysis of a wide range of systems [16, 17].


3 PRELIMINARIES
3.1. CARBAC and its features
Context-awareness is a central aspect of pervasive computing applications: it characterizes their ability to adapt and perform tasks based on ambient context conditions. Integrating context information into an access control system is a challenging task for several reasons. 1) Acquiring appropriate context information requires interfacing the access control system with various kinds of ambient sensors. The integrity and authenticity of this information is paramount, because it may be used in making access control decisions. 2) Certain aspects of the context information may be inherently dynamic. During the execution of a context-dependent task, the related context condition may become false. For certain applications it may be important that the permissions of a role member to execute that task are revoked when such a context change occurs. 3) Context-based constraints may restrict the resources and services that may be dynamically interfaced with a pervasive computing application.

We propose a graph-theoretic representation that accurately reflects the semantics of the model. Our graph-theoretic representation was inspired by the work of Chen and Crampton [18]; however, we adapt it to better reflect our semantics. The set of vertices corresponds to the RBAC entities: Users (U), Roles (R) and Permissions (P). The relationships of the context-aware role-based access control model constitute the edges, which consist of:
- User-Role Assignment (UA) ⊆ U × R
- Permission-Role Assignment (PA) ⊆ R × P
- Permission-Usage Hierarchy, or permission inheritance hierarchy (PUH) ⊆ R × R
- Separation of Duty (SoD), which can be categorized into:
  - static separation of duty for user-role assignments (RSSoD)
  - static separation of duty for permission-role assignments (PSSoD)
- Role to Role Permission Delegation (R2RPD) ⊆ R × P

We define a function μ on the edges of the graph. μ represents the spatio-temporal constraints associated with all the edges in the graph and is defined as μ: E → 2^D, where D denotes the spatio-temporal domain. For an edge e = (v, v') ∈ E, μ(e) denotes the set of spatio-temporal points at which the association between v and v' is enabled. In the next parts, we describe all types of edges in this graph.

3.2. Colored Petri Nets
Colored Petri Nets were introduced by Jensen [4]; they extend Petri nets by allowing tokens to be associated with colors. In a CPN the states of the system are represented by a set of circles or ellipses called places, and the tokens they contain are called the marking of the system. The events that cause changes between states are represented as rectangles called transitions. Places and transitions are connected by labeled directed arcs. Each place has a color set that specifies the type of tokens in that place. A marking is the set of colored tokens residing in all places of the Petri net. A transition is enabled if all input places of the transition contain a specified required set of colored tokens. Firing an enabled transition removes the specified colored tokens from the input places and creates the specified colored tokens in the output places. The behavior of the CP-net may vary depending on which tokens are consumed and produced when a transition fires at the same marking. A CPN is a nine-tuple of the form (P, T, Σ, V, C, G, A, E, M0) where:
- P is a finite set of places.
- T is a finite set of transitions.
- Σ is a finite set of types, called color sets. Each color set is finite.
- V is a finite set of typed variables such that Type[v] ∈ Σ for all variables v ∈ V.
- C: P → PowerSet(Σ). C(p) is a finite set that specifies the set of allowed values (or colors) for any token of place p. Let CT be the set of all possible colored tokens, i.e. CT = {(p, c) | p ∈ P ∧ c ∈ C(p)}.
- G is a guard function, mapping each transition to an expression of Boolean type. All variables in G must have types that belong to Σ, i.e. ∀t ∈ T: [Type(G(t)) = B ∧ Type(Var(G(t))) ⊆ Σ], B = {true, false}.
- A is a set of directed arcs from places to transitions and from transitions to places.
- E is an expression function, mapping each arc to an expression that must be of type C(p)MS (multi-set over C(p)), where p is the place belonging to the given arc. All variables in such expressions must also be of type C(p) (evaluation of the arc expressions indicates which tokens are to be taken from the transition's input place and which tokens are to be placed in the output place), i.e. ∀a ∈ A: [Type(E(a)) = C(p(a))MS ∧ Type(Var(E(a))) ⊆ Σ].
- M0 is the initial marking, M0 ∈ (CT)MS.

By creating a model we can investigate a new system and its behavior before we construct it. This is an obvious advantage, in particular for systems where design errors may jeopardize security or be expensive to correct. CP-nets also allow the modeling of complex systems and data flows. Furthermore, the behavior of a CP-net model can be analyzed, either by simulation or by more formal analysis methods.
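As an added illustration of the definitions above (this code is not from the paper and is not CPN Tools or CPN ML), the following Python program implements a simplified colored Petri net executor: places hold multisets of tokens, a transition binds one token from each input place, its guard is evaluated on that binding, and firing removes the bound tokens and produces the output tokens. It then enumerates the reachable markings exhaustively, which is what the node and arc counts of a CPN Tools state space report measure. The net is a constructed toy, not the paper's model of Figure 2: Requests tokens (user, role, time), Policy tokens (role, permission, allowed times) that are returned to their place after every occurrence, and a Granted place. The entity names and constraints are borrowed from Tables 1 and 2 only for familiarity, and arc expressions are plain Python functions rather than CPN ML.

```python
from collections import Counter, deque
from itertools import product


class Transition:
    """A CPN transition in simplified form: exactly one token is bound from each
    input place, 'guard' is evaluated on the binding tuple, and 'outputs' maps the
    binding to {place: [tokens produced]} (the arc expressions of the output arcs)."""

    def __init__(self, name, inputs, guard, outputs):
        self.name, self.inputs, self.guard, self.outputs = name, inputs, guard, outputs


def enabled_bindings(marking, t):
    """All bindings under which t is enabled: one token per input arc, present in
    the marking with the required multiplicity, and the guard satisfied."""
    pools = [list(marking[p]) for p in t.inputs]        # distinct tokens per place
    bindings = []
    for binding in product(*pools):
        need = Counter(zip(t.inputs, binding))           # same place twice => count 2
        if all(marking[p][tok] >= n for (p, tok), n in need.items()) and t.guard(binding):
            bindings.append(binding)
    return bindings


def fire(marking, t, binding):
    """Occurrence of t under a binding: remove the bound tokens, add the produced ones."""
    new = {p: Counter(c) for p, c in marking.items()}
    for p, tok in zip(t.inputs, binding):
        new[p][tok] -= 1
    for p, toks in t.outputs(binding).items():
        new[p].update(toks)
    return {p: +c for p, c in new.items()}              # unary + drops zero counts


def freeze(marking):
    """Hashable form of a marking so reachable states can be de-duplicated."""
    return frozenset((p, tok, n) for p, c in marking.items() for tok, n in c.items())


def state_space(initial, transitions):
    """Breadth-first enumeration of reachable markings; one arc per enabled binding."""
    seen = {freeze(initial): initial}
    queue = deque([initial])
    arcs = 0
    while queue:
        m = queue.popleft()
        for t in transitions:
            for b in enabled_bindings(m, t):
                nxt = fire(m, t, b)
                arcs += 1
                key = freeze(nxt)
                if key not in seen:
                    seen[key] = nxt
                    queue.append(nxt)
    return len(seen), arcs, list(seen.values())


# Constructed toy net: an Authorize transition binds one request and one policy
# token; the guard requires matching roles and a time allowed by the policy.
def authorize_guard(binding):
    (_user, role, time), (policy_role, _perm, allowed_times) = binding
    return role == policy_role and time in allowed_times


def authorize_outputs(binding):
    (user, _role, _time), policy = binding
    return {"Policy": [policy], "Granted": [(user, policy[1])]}   # policy token put back


AUTHORIZE = Transition("Authorize", ["Requests", "Policy"], authorize_guard, authorize_outputs)


def initial_marking():
    # Times use the codes of Table 1 ("d" = usual days, "f" = seminar presentation).
    return {
        "Requests": Counter({("U4", "R9", "d"): 1, ("U2", "R2", "d"): 1}),
        "Policy": Counter({("R9", "P1", ("d",)): 1,
                           ("R9", "P3", ("f",)): 1,
                           ("R2", "P1", ("a", "d", "e")): 1}),
        "Granted": Counter(),
    }


def analyse():
    """Returns (nodes, arcs, set of (user, permission) ever placed in Granted)."""
    nodes, arcs, markings = state_space(initial_marking(), [AUTHORIZE])
    ever_granted = {tok for m in markings for tok in m["Granted"]}
    return nodes, arcs, ever_granted


if __name__ == "__main__":
    print(analyse())
```

Because the guard rejects the binding of U4's request with the (R9, P3, ("f",)) policy token, no reachable marking ever puts (U4, P3) into Granted; that is the state-space view of the spatio-temporal conflict the paper later finds on the edge R9 → P3.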


4 CARBAC IN THE UNIVERSITY'S PERVASIVE COMPUTING ENVIRONMENT

Based on the roles assigned to users, they get access to certain permissions to perform their operations. Permissions are granted only if the location and time limitations are met. The locations and times that can be defined in the university environment are listed in Table 1, which also specifies the users, roles and permissions. The relation between these entities is represented by an access control graph, as shown in Figure 1.

Table 1: System Entities

Times:
  a Unit Selection; b Examination days; c Always; d Usual days (class); e Conference days; f Seminar presentation; g Dept. Weekly Session; h Group's Session; i Dept. General Session

Locations:
  A Class Room; B Corridor; C Head of Group Room; D Professor Room; E Laboratory; F Video Conf. Room; G Employees Room; H Amphitheater; I Universe; J Library; K General Session Room; L Group Room; M Dept. General Session Room

Users:
  U1 Tafkiki; U2 Keshvari; U3 Shakiba; U4 Mohammadi; U5 Dr. Pashazadeh; U6 Dr. Balafar; U7 Dr. Daie; U8 Dr. Karimiyan; U9 Nematinejad; U10 Zarandi; U11 Azami; U12 Asgharian; U13 Dr. Seyyedi; U14 Zare; U15 Saharnejad

Roles:
  R1 Professor; R2 Student; R3 Head of Group; R4 Employee; R5 Librarian; R6 Head of Dept.; R7 Dept. Edu. Assistant; R8 Dept. Research Assistant; R9 Guest Student; R10 Class Agent; R11 Lab. Responsible

Permissions:
  P1 Access to Internet; P2 Access to automation system; P3 Access to video projector; P4 Send and receive file via the wireless network; P5 Attendance/absence control of students; P6 Access to SAMA system; P7 Access to a personal device such as printer; P8 Run an application on personal device; P9 Access to files in personal computer; P10 Employees control; P11 Access to library management system

Different concepts such as user-to-role assignment, permission-to-role assignment, permission and role hierarchy, separation of duties between roles and permissions, and delegation are illustrated in this graph. Their constraints, i.e. the existing location and time limitations (μ), are given in Table 2. University users are always changing their location, and the allocations in Table 2 are made according to their location and time and the existing limitations. It is assumed that users are recognized by sensors installed at the locations. This recognition can be based on behavioral patterns (such as a person's walking pattern), face detection, a cell phone ID or serial number, a laptop, or RFID. Combining the wireless network existing in the environment with the above concepts yields interesting scenarios, for example:
a. Suppose a teacher, in order to present a lecture, needs some slides that are in his or her e-mail inbox, but there is not enough time to download them and copy them to a flash drive. The user, in the role of teacher, can start the download where he is and, before it finishes, walk to the classroom. After the download completes, the system can automatically transfer the data over the wireless network to the video projector in the classroom, so that when the teacher arrives the slides are ready on the screen.
b. Before the teacher comes to class, the students' attendance/absence is available, and the teacher, using a PDA he or she carries, is informed of the results in his or her room, while leaving the room, or even in the college corridors.

Fig. 1: Partial drawing of Access Control Graph.

5 ACCESS CONTROL GRAPH

In our system, users must be assigned to roles to obtain the permissions defined by the access control policy and perform the desired operations. The various types of relations between entities are as follows:

A. Assignment of Users to Roles
A user must appear in a specific role to have permission to perform the required actions. The assignment of a user to a role is labeled User-Role Assignment (UA) in Table 2. The constraint of each assignment is an ordered pair [X, Y], meaning that the user has the specified role at times X and locations Y. For example, in the first row of the first column of Table 2, the user named Tafkiki can be in the Class Agent role only on usual days (d) and in the classroom (A).

B. Assignment of Permissions to Roles
In role-based access control mechanisms, permissions are not granted directly to users; they are assigned to roles. Samples of permission-to-role assignments are shown in Table 2 with the label Permission-Role Assignment (PA). The constraint of each assignment is of the form [X, Y], meaning that the permission can be granted to that role at times X and locations Y. For example, in row 22 of the first column of Table 2 (highlighted), a person in the Student role (R2) can access the Internet (P1) with the time constraints unit selection times (a), usual days (d) or conference days (e), and the location constraints corridors (B), laboratory (E) or library (J).

Table 2: Edges Specifications.

First column
 No.  Edge        Desc.   Constraint [Time, Location]
  1   (U1, R10)   UA      [d, A]
  2   (U2, R2)    UA      [c, I]
  3   (U3, R2)    UA      [c, I]
  4   (U4, R9)    UA      [de, DFH]
  5   (U14, R2)   UA      [c, I]
  6   (U14, R1)   UA      [c, I]
  7   (U6, R1)    UA      [c, I]
  8   (U5, R3)    UA      [c, I]
  9   (U7, R6)    UA      [c, I]
 10   (U8, R7)    UA      [c, I]
 11   (U13, R8)   UA      [c, I]
 12   (U11, R11)  UA      [c, E]
 13   (U9, R4)    UA      [c, G]
 14   (U12, R4)   UA      [c, G]
 15   (U12, R2)   UA      [c, I]
 16   (U15, R1)   UA      [c, I]
 17   (U15, R4)   UA      [c, G]
 18   (U10, R5)   UA      [c, J]
 19   (R9, P3)    PA      [f, F]
 20   (R9, P1)    PA      [d, D]
 21   (R2, P4)    PA      [ef, BFH]
 22   (R2, P1)    PA      [ade, BEJ]
 23   (R2, P3)    PA      [def, FH]
 24   (R2, P6)    PA      [ab, BC]
 25   (R2, P11)   PA      [d, BEJ]
 26   (R1, P6)    PA      [ab, I]
 27   (R1, P5)    PA      [d, I]
 28   (R1, P2)    PA      [c, I]
 29   (R1, P11)   PA      [f, F]

Second column
 No.  Edge        Desc.   Constraint [Time, Location]
  1   (R1, P4)    PA      [c, I]
  2   (R1, P3)    PA      [deghi, I]
  3   (R1, P1)    PA      [c, I]
  4   (R1, P9)    PA      [c, I]
  5   (R1, P7)    PA      [c, I]
  6   (R1, P8)    PA      [c, I]
  7   (R6, P10)   PA      [c, I]
  8   (R11, P2)   PA      [c, BEJ]
  9   (R11, P7)   PA      [c, BEJ]
 10   (R11, P11)  PA      [c, BEJ]
 11   (R4, P2)    PA      [c, BG]
 12   (R4, P7)    PA      [c, BGC]
 13   (R4, P9)    PA      [c, BGCM]
 14   (R5, P2)    PA      [c, BJ]
 15   (R5, P7)    PA      [c, BJ]
 16   (R5, P11)   PA      [c, BJ]
 17   (R10, R2)   PUH     [c, I]
 18   (R3, R1)    PUH     [c, I]
 19   (R6, R7)    PUH     [c, I]
 20   (R6, R8)    PUH     [c, I]
 21   (R7, R3)    PUH     [c, I]
 22   (R8, R3)    PUH     [c, I]
 23   (R10, P5)   R2RPD   [d, A]
 24   (R7, P10)   R2RPD   [c, I]
 25   (R9, R2)    RSSoD   [c, I]
 26   (R6, R7)    RSSoD   [c, I]
 27   (R6, R8)    RSSoD   [c, I]
 28   (R6, R3)    RSSoD   [c, BCDGKLMN]
 29   (P1, P3)    PSSoD   [abcdef, ABCDEFHJ]

C. Permissions and Roles Hierarchy
The relation between roles can be modeled as a hierarchy. Higher roles in the hierarchy are called senior roles and lower roles are called junior roles. Senior roles inherit the permissions of junior roles, so there is no need to separately assign the same permissions to all members of the hierarchy. This hierarchy is labeled Permission-Usage Hierarchy (PUH) in Table 2. The constraint of these rules is of the form [X, Y] and, like the rules mentioned above, represents the locations and times at which the senior role can inherit from the junior role. For example, in row 18 of the second column of Table 2 (highlighted), a user who has the Head of Group role can inherit the Professor role in all locations (I) and at all times (c).

D. Role to Role Permission Delegation
Under a delegation policy, an entity in the system can grant its privileges temporarily, and under special circumstances, to another entity. The delegation policy used in the university pervasive environment is the delegation of a role's permission to another role. This delegation is labeled R2R Permission Delegation (R2RPD) in Table 2. The limitation [X, Y] on this delegation policy represents the times (X) and locations (Y) at which the delegation is allowed. For example, in row 18 of the second column of Table 2, the students' attendance/absence control permission can be delegated to the Class Agent on usual days (d) and only in the classroom (A). This assignment is shown in the access control graph as a directed dotted arc from R10 to P5.

E. Separation of Duties
This feature is used to prevent intentional fraud and sabotage. Generally, the separation of duties limitation is divided into two parts. The first is role duty separation, a relationship of mutual exclusivity between roles (Role Static SoD (RSSoD)), and the other is mutual exclusivity between permissions (Permission Static SoD (PSSoD)). Assume a duty separation with constraint [X, Y]. Based on the duty separation, a user cannot simultaneously have two or more roles that conflict with each other at time X and location Y. Likewise, under a permission duty separation with constraint [X, Y], no role can simultaneously have two or more permissions that conflict with each other at time X and location Y. This access control feature is shown in the graph with a bidirectional dotted arc. For example, in row 25 of the second column of Table 2, a user cannot simultaneously appear in both the Student (R2) and Guest Student (R9) roles. This is shown in Figure 1 with a dotted edge between vertices R2 and R9.


6 MODELING

An access path (v1, v2, ..., vn) allows user v1 to access permission vn. A user u is authorized for permission p through role r iff there exists a valid access path that contains u, r and p. We define an infeasible path as an invalid access path, i.e. an access path that cannot grant the authorization of any permission to a user. To detect infeasible paths, assume that we store all source vertices in a list. Each member of the list maintains its own depth-first search (DFS) tree. To generate these trees we perform a DFS from each source. While performing the DFS we check whether there is any spatio-temporal conflict between the edges; if there is, an infeasible path exists. The spatio-temporal constraints may be specified in such a way that it is not possible for u to invoke p, which results in an infeasible path. After this process we have the set of initial DFS trees, all of which consist of feasible paths.

7 NET STRUCTURE AND DECLARATIONS

Figure 2 shows the CPN model used for modeling user access control and detecting infeasible paths. The model performs a depth-first search on the access control graph and calculates the function μ of each access path. If there is an access path whose μ equals the empty set, that access path is infeasible.

Fig. 2: CPN Model for Infeasible Path Detection

7.1. Color Sets of the Model
In this section, the color sets and variables used in our CPN model are presented. The color sets used in the model are as follows:

  colset Duration = list STRING;
  colset Location = list STRING;
  colset Vertex = string;
  colset EdgeType = string;
  colset Depth = int;
  colset Edge = product Vertex * Vertex * EdgeType * Duration * Location * Vertex * Depth;
  colset User = string;
  colset MU = product Duration * Location;

Users can perform operations according to the spatio-temporal constraints shown in Table 2. Spatial and temporal constraints are implemented as string lists. Every node of the access control graph is specified with the Vertex color set, which is of type string. The color set EdgeType is of type string and represents the type of each edge of the access control graph; five types of edges are defined in our model, and their full description is presented in section 5. The Depth color set determines the depth of delegation in the access control policy. The Edge color set represents the edges of the graph and is defined as the product of the above color sets; places labeled with the Edge color set must comply with this product. For example, a token of the form 1`("U4","R9","UA",["d","e"],["D","F","H"],"",0) means that this edge is of type User-Role Assignment and, accordingly, user U4 can appear at times d and e and in locations D, F and H in the role R9. The Vertex and Depth components at the end of the product specify the delegator and the depth of delegation, respectively. For all edge types other than the delegation edges used in our model, the values of these Vertex and Depth components are "" (the empty string) and 0, respectively. Since μ represents the spatio-temporal constraints associated with all the edges of a depth-first search path, its color set must be the product of the Duration and Location color sets.

7.2. Places
The variables, declared over the above color sets, can be seen in Figure 2. Note that next is a global variable whose initial value is true; it is explained in the next sections. Our CPN model has seven places, whose features such as color set and initial marking are as follows:
- Users: this place holds the existing users of the system. Its color set is of type User and its initial marking is the defined value AllUsers, i.e. all users introduced in Table 1 (U1 ... U15).
- Authorization Edges: this place holds the edges of the access control graph. Its color set is Edge and its initial marking is AllAuthEdges, which is equal to all edges of the access control graph except those of type SoD. Note that SoD edges are not involved in the infeasible path analysis.
- Current Vertex: the current vertex of the access path, used to extract the next edge, is stored in this place. Its color set is of type Vertex and its initial marking is empty.
- Auth Path: this place contains tokens representing the edges of the access path that result from the depth-first search on the access control graph. Its color set is of type Edge and its initial marking is empty.
- Current Edge: this place contains the token representing the current edge of the access path, used to calculate the function μ. Its color set is of type Edge and its initial marking is empty.
- Current Mu: the value of μ calculated up to the current point of the access path is stored in this place. Its color set is of type MU and its initial marking is empty, but at the start of each depth-first search the Get Initial User transition sets its marking to the ordered pair (all places, all times).
- Infeasible: each time the model checks a path of the access control graph by depth-first search, if one of the components of μ has become empty then an infeasible path has been detected and a token with value true is placed in this place. Its color set is of type Bool (true or false) and it has no initial marking.

7.3. Transitions
Our proposed model contains four transitions, named Get Initial User, Retrieve Edge, Calculate Mu and Infeasible Path. In this section we describe the input/output arcs and guard conditions of each transition.
- Get Initial User: when it fires, this transition takes the first user from the Users place and begins the first depth-first search. The global variable next used in its guard ensures that, while the current path is being analyzed, no other path starting from another user is searched: upon firing, this global variable becomes false, which blocks the start of a new path analysis. Firing this transition also sets the marking of the Current Mu place to (all places, all times) to start the calculation of μ. In the implementation we use this value as follows: (["a","b","d","e","f","g","h","i"], ["A","B","C","D","E","F","G","H","J","K","L","M"])
- Retrieve Edge: assume vertex Vi is in place Current Vertex and the token (Vi, Vj, etype, D1, L1, dtr, depth) in place Authorization Edges is the corresponding edge that starts at Vi. Firing this transition removes this edge from the Authorization Edges place and sends it to the output places of the transition shown in Figure 2.
- Infeasible Path: when a token appears in place Current Mu with one of its components empty, this transition becomes enabled; on firing it sends a true token to the place Infeasible, meaning that an infeasible path has been found in the access control graph.
- Calculate Mu: this transition calculates μ at each point of the path. It takes the current μ and the current edge from its input places and calculates the new μ by intersection as New μ = ((intersection (L1, L2)), (intersection (D1, D2))), then puts the result in the Current Mu place. When this transition fires, it also calculates the next vertex of the path by calling the getcurrentvertex function and sends it to the Current Vertex place.

MODEL CHECKING

We produced the state space graph of our model using CPN Tools. A state space analysis examines all possible occurrence paths of the model. The state space generation report of the model is as follows:

 Statistics
---------------------------------
  State Space
     Nodes:  334
     Arcs:   333
     Secs:   0
     Status: Full

  Scc Graph
     Nodes:  334
     Arcs:   333
     Secs:   0

According to the report, the state space of the model contains 334 nodes (states) and 333 arcs. The number of states grows with the number of users, roles and permissions. In part of the report we see that there are states in which the Infeasible place holds a token with color true, so we conclude that the access control graph contains infeasible paths. Note that if any state has a 1`true token in the Infeasible place then the policy has an infeasible path; conversely, if no state has such a token, the policy is proven correct in terms of infeasible paths. In this section we extract the states of the state space whose Infeasible place contains a true token. In each of these states, the tokens in the Auth Path place display an infeasible path of the access control graph. Finally, we modify the access control policy to eliminate the infeasible paths.

8.1. ML Codes for State Space Analysis

We are looking for the states in which a 1`true token appears in the Infeasible place. The following ML code extracts these states:

SearchNodes (EntireGraph, fn n => (Mark.Infeasible_path'Infeasible 1 n) = 1`true, NoLimit, fn n => n, [], op ::)

The output of this ML code on the state space graph of the case study model is as follows:

Val it = [250, 249, 248, 247, 246, 205] : Node list

Each of the above states contains an infeasible path. Now we examine each of these states to obtain its infeasible path. For example, the following code gets the tokens in the Auth Path place of state number 250:

Mark.Infeasible_path'Auth_Path 1 250

The output of this ML code is as follows:

Val it = [1`("R10","R2","PUH",["a","b","d","e","f","g","h","i"], ["A","B","C","D","E","F","G","H","J","K","L","M"],"",0), 1`("R2","P4","PA",["e","f"], ["B","F","H"],"",0)] : Edges ms

Thus there is an infeasible path of the form R10 → R2 → P4. It means that users assigned to role R10 cannot access permission P4 through inheritance from role R2, although the system permits this action. The other extracted infeasible paths are as follows:

R10 → R2 → P6
R10 → R2 → P1
R10 → R2 → P3
R10 → R2 → P11
R10 → R2 → P6
U4 → R9 → P3

8.2. Modification

If the spatio-temporal constraints of the two edges U4 → R9 and R9 → P3 are modified as follows, the infeasible path in state 205 is removed:

("U4","R9","UA",["d","e","f"], ["D","F","H"],"",0)
("R9","P3","PA",["d","f"], ["D","F"],"",0)

To eliminate the infeasible paths in states 250, 249, 248, 247 and 246, we only need to remove the edge R10 → R2 from the access control graph and add an assignment edge U1 → R2 to it.

9 CONCLUSION AND FUTURE WORKS

We created a model to find infeasible paths in the CARBAC model of a university's pervasive computing environment. The state space of the model was then generated using CPN Tools. We wrote queries in the ML language for model checking and for finding infeasible paths, identified the infeasible paths in the access control graph, and proposed modifications to the policy that eliminate them. In this article the access policy is investigated only in terms of infeasible paths; we will study other aspects of access control policies in future work.


Salar Tafkiki Alamdari is an M.Sc. student of Software Engineering at Islamic Azad University, Zanjan Branch, Iran. He received his B.Sc. in Software Engineering from Islamic Azad University in 2008. He has worked as an invited lecturer at Islamic Azad University and Payam Noor University in Iran since 2009. His research interests include information system security, and modeling and formal verification of pervasive computing systems and access control policies.

Saeid Pashazadeh is an Assistant Professor of Software Engineering and chair of the Information Technology Department at the Faculty of Electrical and Computer Engineering, University of Tabriz, Iran. He received his B.Sc. in Computer Engineering from Sharif Technical University of Iran in 1995, and his M.Sc. and Ph.D. in Computer Engineering from Iran University of Science and Technology in 1998 and 2010, respectively. He was a Lecturer in the Faculty of Electrical Engineering at Sahand University of Technology, Iran, from 1999 to 2004. His main interests are the development, modeling and formal verification of distributed systems, computer security, and wireless sensor/actor networks. He is a member of the IEEE, a senior member of IACSIT, and a member of the editorial board of the Journal of Electrical Engineering of the University of Tabriz, Iran.

