Embedding role-based access control model in object-oriented systems to protect privacy

The role-based access control (RBAC) approach has been recognized as useful in information security and many RBAC models have been proposed. Current RBAC researches focus on developing new models or enhancing existing models. In our research, we developed an RBAC model that can be embedded in object-oriented systems to control information flows (i.e. to protect privacy) within the systems. This paper proposes the model. The model, which is named OORBAC, is an extension of RBAC96. OORBAC offers the following features: (a) precisely control information flows among objects, (b) control method invocation through argument sensitivity, (c) allow purpose-oriented method invocation and prevent leakage within an object, (d) precisely control write access, and (e) avoid Trojan horses. We implemented a prototype for OORBAC using JAVA as the target language. The implementation resulted in a language named OORBACL, which can be used to implement secure applications. We evaluated OORBAC using experiments. The evaluation results are also shown in this paper. (C) 2002 Elsevier Inc. All rights reserved.