Mahmoud Abdelgawad, I. Ray, Saja Alqurashi, Videep Venkatesha, Hosein Shirazi
{"title":"Synthesizing and Analyzing Attribute-Based Access Control Model Generated from Natural Language Policy Statements","authors":"Mahmoud Abdelgawad, I. Ray, Saja Alqurashi, Videep Venkatesha, Hosein Shirazi","doi":"10.1145/3589608.3593844","DOIUrl":"https://doi.org/10.1145/3589608.3593844","url":null,"abstract":"Access control policies (ACPs) are natural language statements that describe criteria under which users can access resources. We focus on constructing the NIST Next Generation Access Control (NGAC) ABAC model from ACP statements. NGAC is more complex than RBAC or XACML ABAC as it supports dynamic, event-based policies, as well as prohibitions. We provide algorithms that use spaCy, an NLP library, to extract entities and relations from ACP sentences and convert them into the NGAC model. We then convert this NGAC model into a Neo4j representation for the purpose of analysis. We apply the approach to various real-world ACP datasets to demonstrate the feasibility and assess scalability. We demonstrate that the approach is scalable and effectively extracts the NGAC ABAC model from large ACP datasets. We also show that redundancies and inconsistencies of ACP sentences are often found in unclean datasets.","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122568386","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
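The pipeline the abstract describes (extract subject, operation and resource from each ACP sentence, map them to NGAC associations and prohibitions, export to Neo4j, then flag redundant and inconsistent statements) can be sketched end to end. The block below is an added example and not the paper's code: it replaces spaCy with a regular-expression grammar for a restricted sentence form, the sample ACP sentences are constructed, and the element names, the Cypher shape and the two checks are assumptions about what such a model would contain.

```python
"""Rule-based stand-in for the spaCy extraction step: turns simple ACP sentences
into NGAC-style associations and prohibitions, then checks the result for
redundant and inconsistent statements. Added example; the sentence grammar,
element names and the checks are assumptions, not the paper's algorithm."""
import re
from dataclasses import dataclass

# Constructed sample ACP statements (not drawn from any dataset in the paper).
SAMPLE_ACPS = [
    "A doctor can read patient records.",
    "A nurse can read patient records.",
    "A doctor can read patient records.",   # exact repeat -> redundancy
    "A nurse cannot write prescriptions.",
    "A nurse can write prescriptions.",     # permits what the line above prohibits -> inconsistency
    "A pharmacist can read prescriptions.",
]

# Longer modal forms come first so "may not" is not split into "may" + op "not".
SENTENCE = re.compile(
    r"^(?:an?\s+|the\s+)?(?P<subject>[\w-]+)\s+"
    r"(?P<modal>cannot|can not|may not|must not|can|may)\s+"
    r"(?P<op>\w+)\s+(?P<resource>[\w\s-]+?)\.?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Relation:
    user_attr: str    # NGAC user attribute (the subject)
    op: str           # NGAC operation
    object_attr: str  # NGAC object attribute (the resource)

def extract(sentence: str):
    """Return (relation, is_prohibition), or None if the sentence does not match."""
    m = SENTENCE.match(sentence.strip())
    if not m:
        return None
    modal = " ".join(m["modal"].lower().split())
    prohibition = modal in {"cannot", "can not", "may not", "must not"}
    rel = Relation(m["subject"].lower(), m["op"].lower(), m["resource"].lower())
    return rel, prohibition

def build_model(sentences):
    """Group relations into associations and prohibitions, recording a redundancy
    when the same relation is stated twice with the same polarity and an
    inconsistency when it is both permitted and prohibited."""
    model = {"associations": set(), "prohibitions": set(),
             "redundant": [], "inconsistent": [], "unparsed": []}
    first_polarity = {}
    for s in sentences:
        parsed = extract(s)
        if parsed is None:
            model["unparsed"].append(s)
            continue
        rel, prohibited = parsed
        if rel in first_polarity:
            if first_polarity[rel] == prohibited:
                model["redundant"].append(s)
            else:
                model["inconsistent"].append(rel)
        first_polarity.setdefault(rel, prohibited)
        (model["prohibitions"] if prohibited else model["associations"]).add(rel)
    return model

def to_cypher(model):
    """Emit one Cypher MERGE statement per relation for loading into Neo4j."""
    lines = []
    for kind, rels in (("ASSOC", model["associations"]), ("PROHIBIT", model["prohibitions"])):
        for r in sorted(rels, key=lambda r: (r.user_attr, r.op, r.object_attr)):
            lines.append(
                f"MERGE (ua:UA {{name:'{r.user_attr}'}}) "
                f"MERGE (oa:OA {{name:'{r.object_attr}'}}) "
                f"MERGE (ua)-[:{kind} {{op:'{r.op}'}}]->(oa)"
            )
    return lines

if __name__ == "__main__":
    m = build_model(SAMPLE_ACPS)
    print("\n".join(to_cypher(m)))
    print("redundant:", m["redundant"])
    print("inconsistent:", m["inconsistent"])
```

Both checks are deliberately local to a single (subject, operation, resource) triple; the paper's Neo4j step exists precisely because conflicts that only appear through attribute hierarchies need graph queries rather than a dictionary lookup.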
{"title":"Access Control Vulnerabilities in Network Protocol Implementations: How Attackers Exploit Them and What To Do About It","authors":"Daniel Ricardo dos Santos","doi":"10.1145/3589608.3593817","DOIUrl":"https://doi.org/10.1145/3589608.3593817","url":null,"abstract":"Authentication and access control mechanisms should verify the identity of users of a system and ensure that these users only act within their intended permissions. These mechanisms, alongside audit or intrusion detection, have been called the \"foundation for information and system security\" [8]. There has been a large amount of research proposing authentication and authorization mechanisms for network protocols and devices used in Operational Technology (OT) and the Internet of Things (IoT) [7]. Although these devices run our critical infrastructure, most of them still rely on simple password-based mechanisms to prevent unauthorized operations [1]. More worryingly, even these simple mechanisms often have flawed implementations, allowing malicious actors to bypass them [6]. In this talk, I will discuss several findings from our research into vulnerabilities in network protocol implementations of IoT, OT and IT systems, giving special attention to those stemming from flawed authentication and access control implementations. Examples include buffer overflows when processing user credentials, use of weak cryptography, credentials transmitted in plaintext, hardcoded credentials, authentication bypasses via MAC or IP spoofing, client-side authentication, missing critical steps in authentication, insufficient session expiration and message parsing before establishing a peer's identity. These issues were identified in implementations as diverse as embedded TCP/IP stacks [2,3], routing suites and engineering protocols for OT devices from major vendors [9]. This type of vulnerability enables attackers to take devices offline, manipulate their operational parameters, and in many cases execute arbitrary code. I will also present statistics from a set of OT- and IoT-specific honeypots about attacks exploiting authentication bypasses, brute forcing passwords and leaking credentials. These statistics show that the most common initial access technique for these systems consists of the exploitation of remote management protocols by guessing or leaking either generic or application-specific credentials [4]. Finally, I will discuss the importance of collaborative threat intelligence and modern network access control as methods to prevent, detect and respond to such attacks [5].","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"90 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130439966","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
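Three of the flaw classes the abstract lists (message parsing before a peer's identity is established, a missing critical authentication step, and insufficient session expiration) share one root cause: the protocol state machine lets a request reach privileged code without first passing through a checked AUTH state. The toy line-based management protocol below is an added example, not code from the talk or from any of the products it studied; the commands, the credential store and the session timeout are invented for the illustration. The vulnerable handler dispatches every command it can parse and its AUTH result is never consulted; the hardened one bounds the credential length before touching it, compares digests in constant time, and refuses everything until a session exists and has not idled out.

```python
"""Vulnerable and hardened handlers for a made-up text management protocol
(added example; not the talk's code). Lines look like 'AUTH user:password',
'SET key=value', 'GET key' or 'REBOOT'."""
import hashlib
import hmac
import time

# Constructed device credential store: username -> salted SHA-256 digest.
_SALT = b"example-salt"

def _digest(pw: str) -> bytes:
    return hashlib.sha256(_SALT + pw.encode()).digest()

CREDS = {"operator": _digest("correct-horse")}
MAX_CRED_LEN = 64     # hardened handler rejects oversized credentials up front
SESSION_TTL = 300     # seconds of idle time before re-authentication is required

def apply_command(cmd: str, arg: str, device: dict) -> str:
    """Privileged operations; must only be reachable after authentication."""
    if cmd == "SET":
        key, _, value = arg.partition("=")
        device[key] = value
        return "OK"
    if cmd == "GET":
        return device.get(arg, "")
    if cmd == "REBOOT":
        device["online"] = "0"
        return "OK"
    return "ERR unknown"

class VulnerableHandler:
    """Parses and dispatches before checking identity. AUTH only sets a flag
    that no other code path reads, so the critical step is effectively missing."""
    def __init__(self, device: dict):
        self.device = device
        self.authenticated = False

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "AUTH":
            user, _, pw = arg.partition(":")
            self.authenticated = CREDS.get(user) == _digest(pw)  # also non-constant-time
            return "OK" if self.authenticated else "ERR auth"
        return apply_command(cmd, arg, self.device)              # no identity check

class HardenedHandler:
    """Identity first: nothing but AUTH is parsed until a live session exists."""
    def __init__(self, device: dict, clock=time.monotonic):
        self.device = device
        self.clock = clock            # injectable so expiry can be tested
        self.session_user = None
        self.last_seen = 0.0

    def _session_valid(self) -> bool:
        return (self.session_user is not None
                and self.clock() - self.last_seen <= SESSION_TTL)

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "AUTH":
            if len(arg) > MAX_CRED_LEN:      # bound the input before parsing it further
                self.session_user = None
                return "ERR too long"
            user, _, pw = arg.partition(":")
            expected = CREDS.get(user, _digest(""))   # same work whether or not the user exists
            if user in CREDS and hmac.compare_digest(expected, _digest(pw)):
                self.session_user, self.last_seen = user, self.clock()
                return "OK"
            self.session_user = None
            return "ERR auth"
        if not self._session_valid():        # every other command needs a live session
            self.session_user = None
            return "ERR unauthenticated"
        self.last_seen = self.clock()
        return apply_command(cmd, arg, self.device)
```

The length check stands in for the bounds check a C implementation would need before copying a credential into a fixed buffer; in Python the failure mode is only a denial of service, but the ordering lesson is the same: validate size, then authenticate, then parse the rest.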
Dominik Roy George, Savio Sciancalepore, Nicola Zannone
{"title":"Privacy-Preserving Multi-Party Access Control for Third-Party UAV Services","authors":"Dominik Roy George, Savio Sciancalepore, Nicola Zannone","doi":"10.1145/3589608.3593837","DOIUrl":"https://doi.org/10.1145/3589608.3593837","url":null,"abstract":"Third-Party Unmanned Aerial Vehicle (UAV) Services, a.k.a. Drone-as-a-Service (DaaS), are an increasingly adopted business model, which enables possibly unskilled users, with no background knowledge, to operate drones and run automated drone-based tasks. Although these services provide significant advantages, the resources provided by drones are typically owned by multiple parties. Thus, Third-Party UAV services require adopting multi-party access control solutions. In this context, the leakage of the access control policies specified by the data owners might disclose confidential information and, thus, they should be protected as well. In this work, we propose a privacy-preserving multi-party access control solution tailored to the application scenarios of Third-Party UAV Services. Our solution advances an existing privacy-preserving multi-party access control framework based on Secure Function Evaluation to fit the distributed and heterogeneous nature of drone deployments. Through an extensive experimental evaluation, we demonstrate our solution can perform private policy evaluation on constrained devices in a reasonable time while requiring limited communication, memory, and energy overhead.","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"43 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123040214","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
H. Rasifard, Rahul Gopinath, M. Backes, Hamed Nemati
{"title":"SEAL: Capability-Based Access Control for Data-Analytic Scenarios","authors":"H. Rasifard, Rahul Gopinath, M. Backes, Hamed Nemati","doi":"10.1145/3589608.3593838","DOIUrl":"https://doi.org/10.1145/3589608.3593838","url":null,"abstract":"Data science is the basis for various disciplines in the Big-Data era. Due to the high volume, velocity, and variety of big data, data owners often store their data in data servers. In the past few years, many computation techniques have emerged to protect the security and privacy of such shared data while enabling analysis thereon. Hence, access-control systems must provide a fine-grained, multi-layer mechanism to protect data. However, the existing systems and frameworks fail to satisfy all these requirements and resolve the trust issue between data owners and analysts. In this paper, we propose SEAL as a framework to protect the security and privacy of shared data. SEAL enables computations on shared data while the data remain under the complete control of data owners through pre-defined policies. Our framework employs the capability-object model to define flexible access policies. SEAL's access-control system supports delegating and revoking access privileges and other access-control customizations. In addition, SEAL can assign security labels to privacy-sensitive data and track them to enable data owners to define where and when a data analyst can access their data. We demonstrate the practicability of our approach by presenting a prototype implementation of SEAL. Furthermore, we demonstrate the flexibility of our framework by implementing multiple data-analytic scenarios, which cover different applications.","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132419958","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Poster: Integrating Spatio-temporal Authorization with Generic Cloud-based Software Architecture for Internet of Things Devices","authors":"Marshal Moncivais, Mustafa Al Lail","doi":"10.1145/3589608.3595082","DOIUrl":"https://doi.org/10.1145/3589608.3595082","url":null,"abstract":"The significant rise in the usage of IoT devices and their security issues has created a demand for improved security for these systems. Unfortunately, no standard IoT architecture exists, making the development of security solutions for IoT systems difficult. Towards this end, we leverage an IoT framework to create a generic IoT software architecture and integrate it with an extension of the RBAC model incorporating the time and location of users to determine access to different IoT resources. We provide a prototype implementation of the integrated architecture to show its feasibility.","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128913253","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
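The RBAC extension the poster describes keys activation of a role on the requester's time and location rather than only on the user-role assignment. The block below is an added example of that check and not the authors' prototype: the roles, permissions, site names, shift windows and the request format are all assumptions made for the illustration. Each role carries a clock-time window (which may cross midnight) and an optional set of permitted locations; a permission is granted only through a role that is both assigned to the user and active for the given time and place.

```python
"""Spatio-temporal RBAC check (added example, not the poster's implementation).
A role is usable only inside its time window and from its allowed locations."""
from dataclasses import dataclass
from datetime import datetime, time as dtime

@dataclass(frozen=True)
class Permission:
    action: str
    resource: str

@dataclass
class Role:
    name: str
    permissions: set
    active_from: dtime = dtime(0, 0)        # inclusive
    active_until: dtime = dtime(23, 59, 59)  # exclusive
    locations: frozenset = frozenset()       # empty = usable from anywhere

def role_active(role: Role, when: datetime, where: str) -> bool:
    """True when the role's window contains `when` and `where` is permitted.
    A window whose start is after its end is taken to cross midnight."""
    t = when.time()
    if role.active_from <= role.active_until:
        in_window = role.active_from <= t < role.active_until
    else:
        in_window = t >= role.active_from or t < role.active_until
    in_place = not role.locations or where in role.locations
    return in_window and in_place

class SpatioTemporalRBAC:
    def __init__(self):
        self.roles = {}
        self.assignments = {}   # user -> set of role names

    def add_role(self, role: Role):
        self.roles[role.name] = role

    def assign(self, user: str, role_name: str):
        self.assignments.setdefault(user, set()).add(role_name)

    def authorize(self, user, action, resource, when: datetime, where: str) -> bool:
        """Grant only through a role that is assigned AND active here and now."""
        want = Permission(action, resource)
        for rname in self.assignments.get(user, ()):
            role = self.roles[rname]
            if want in role.permissions and role_active(role, when, where):
                return True
        return False

def build_demo() -> SpatioTemporalRBAC:
    """Constructed policy for an IoT site (assumption): a technician may actuate
    the pump only from the plant floor during the day shift, a night-watch role
    may read cameras overnight from anywhere, and a viewer may read telemetry
    at any time from any location."""
    rbac = SpatioTemporalRBAC()
    rbac.add_role(Role("technician",
                       {Permission("actuate", "pump-1"), Permission("read", "telemetry")},
                       active_from=dtime(8, 0), active_until=dtime(18, 0),
                       locations=frozenset({"plant-floor"})))
    rbac.add_role(Role("night-watch", {Permission("read", "camera")},
                       active_from=dtime(22, 0), active_until=dtime(6, 0)))
    rbac.add_role(Role("viewer", {Permission("read", "telemetry")}))
    rbac.assign("alice", "technician")
    rbac.assign("alice", "night-watch")
    rbac.assign("bob", "viewer")
    return rbac

if __name__ == "__main__":
    r = build_demo()
    day = datetime(2023, 5, 24, 10, 30)
    print(r.authorize("alice", "actuate", "pump-1", day, "plant-floor"))
    print(r.authorize("alice", "actuate", "pump-1", day, "home"))
```

In a deployed system `when` and `where` must come from a source the requester cannot forge (the cloud side's own clock, and a location attested by the gateway or derived from the network path), otherwise the spatio-temporal constraint reduces to ordinary RBAC plus a client-supplied hint.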
{"title":"Poster: Non-repudiable Secure Logging System for the Web","authors":"Kosei Akama, Seki Makino, Masaaki Sato, K. Uehara","doi":"10.1145/3589608.3595080","DOIUrl":"https://doi.org/10.1145/3589608.3595080","url":null,"abstract":"To resolve disputes between providers of web services and their users, non-repudiable evidence is crucial because it allows one party to refute the other's denial of facts or false allegations. We propose a logger that securely records web requests and responses in a Trusted Execution Environment (TEE) to generate non-repudiable evidence for web services, which we call LogNEWT: Logger for Non-rEpudiation of Web with TEE. LogNEWT solves security issues in deploying LibSEAL to practical web services, i.e., logger bypassing, undefined user management, and complex logger verification. In addition, LogNEWT can be transparently deployed to existing web services.","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116121119","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","authors":"","doi":"10.1145/3589608","DOIUrl":"https://doi.org/10.1145/3589608","url":null,"abstract":"","PeriodicalId":124020,"journal":{"name":"Proceedings of the 28th ACM Symposium on Access Control Models and Technologies","volume":"57 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130743420","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}