An Approach to Modular and Testable Security Models of Real-world Health-care Applications

by Achim D. Brucker, Lukas Brügger, Paul Kearney, and Burkhart Wolff

Cover for brucker.ea:model-based:2011.We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features.

We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationship. The model is given in HOL and processed together with suitable test specifications in the HOL-TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing.

Keywords:
Categories: ,
Documents: (full text as PDF file)

QR Code for brucker.ea:model-based:2011.Please cite this article as follows:
Achim D. Brucker, Lukas Brügger, Paul Kearney, and Burkhart Wolff. An Approach to Modular and Testable Security Models of Real-world Health-care Applications. In ACM symposium on access control models and technologies (SACMAT). , pages 133-142, ACM Press, 2011.
(full text as PDF file) (BibTeX) (Endnote) (RIS) (Word) (doi:10.1145/1998441.1998461) (ACM) (Share article on LinkedIn. Share article on CiteULike. )

BibTeX
@InProceedings{ brucker.ea:model-based:2011,
abstract = {We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features.\\\\We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationship. The model is given in HOL and processed together with suitable test specifications in the HOL-TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing.},
address = {New York, NY, USA},
author = {Achim D. Brucker and Lukas Br{\"u}gger and Paul Kearney and Burkhart Wolff},
booktitle = {ACM symposium on access control models and technologies (SACMAT)},
copyright = {ACM},
copyrighturl = {http://dl.acm.org/authorize?431936},
doi = {10.1145/1998441.1998461},
isbn = {978-1-4503-0688-1},
language = {USenglish},
location = {Innsbruck, Austria},
pages = {133--142},
pdf = {https://www.brucker.ch/bibliography/download/2011/brucker.ea-model-based-2011.pdf},
publisher = {ACM Press},
title = {An Approach to Modular and Testable Security Models of Real-world Health-care Applications},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-model-based-2011},
year = {2011},
}