发布求助
文献互助 智能选刊 最新文献

Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies最新文献

筛选
英文 中文
State-aware Network Access Management for Software-Defined Networks 软件定义网络的状态感知网络访问管理
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914643
Wonkyu Han, Hongxin Hu, Ziming Zhao, Adam Doupé, Gail-Joon Ahn, Kuang-Ching Wang, Juan Deng
{"title":"State-aware Network Access Management for Software-Defined Networks","authors":"Wonkyu Han, Hongxin Hu, Ziming Zhao, Adam Doupé, Gail-Joon Ahn, Kuang-Ching Wang, Juan Deng","doi":"10.1145/2914642.2914643","DOIUrl":"https://doi.org/10.1145/2914642.2914643","url":null,"abstract":"OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides a very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of OpenFlow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces a global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"83 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126186018","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 16
An Application Restriction System for Bring-Your-Own-Device Scenarios 一种自带设备场景的应用限制系统
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914645
Oyindamola Oluwatimi, E. Bertino
{"title":"An Application Restriction System for Bring-Your-Own-Device Scenarios","authors":"Oyindamola Oluwatimi, E. Bertino","doi":"10.1145/2914642.2914645","DOIUrl":"https://doi.org/10.1145/2914642.2914645","url":null,"abstract":"Different containerization techniques have been developed to ensure the separation of enterprise content and personal data on an end-user's device. Although the enterprise manages the environment in which work-related activities are conducted, referred to as a work persona, third-party applications installed on the mobile devices may make the enterprise content vulnerable to misuse or exfiltration. It is thus critical that enterprises be given the ability to restrict the capabilities of third-party applications that reside in the work persona. In mobile systems, applications typically request to use a list of capabilities on the device prior to being installed on the device, and alll capabilities must be granted in order for the applications to be installed. Our approach, that we refer to as DroidARM, focuses on post-installation application restriction policies. Such policies dynamically restrict the capabilities of mobile applications at run-time. An application restriction policy is configured through our Application Restriction Manager (ARM) Policy Manager that allows one to set different restrictions for each installed application. Adhering to the policy, our ARM system limits the capabilities of an application by restricting access to data and system resources contained within the work persona. Data shadowing is a data and system resource protection technique we have chosen to leverage. We have implemented DroidARM and integrated it into the Android operating system. Our experimental results show that our approach is efficient and effective.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114823005","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
A Context-Aware System to Secure Enterprise Content 保护企业内容的上下文感知系统
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914648
Oyindamola Oluwatimi, Daniele Midi, E. Bertino
{"title":"A Context-Aware System to Secure Enterprise Content","authors":"Oyindamola Oluwatimi, Daniele Midi, E. Bertino","doi":"10.1145/2914642.2914648","DOIUrl":"https://doi.org/10.1145/2914642.2914648","url":null,"abstract":"In this paper, we present an architecture and implementation of a secure, automated, proximity-based access control that we refer to as Context-Aware System to Secure Enterprise Content (CASSEC). Using the pervasive WiFi and Bluetooth wireless devices as components in our underlying positioning infrastructure, CASSEC addresses two proximity-based scenarios often encountered in enterprise environments: Separation of Duty and Absence of Other Users. The first scenario is achieved by using Bluetooth MAC addresses of nearby occupants as authentication tokens. The second scenario exploits the interference of WiFi received signal strength when an occupant crosses the line of sight (LOS). Regardless of the scenario, information about the occupancy of a particular location is periodically extracted to support continuous authentication. To the best of our knowledge, our approach is the first to incorporate WiFi signal interference caused by occupants as part of proximity-based access control system. Our results demonstrate that it is feasible to achieve great accuracy in localization of occupants in a monitored room.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"116 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134512073","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Modular Synthesis of Enforcement Mechanisms for the Workflow Satisfiability Problem: Scalability and Reusability 工作流可满足性问题执行机制的模块化综合:可扩展性和可重用性
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914649
D. R. D. Santos, Serena Elisa Ponta, Silvio Ranise
{"title":"Modular Synthesis of Enforcement Mechanisms for the Workflow Satisfiability Problem: Scalability and Reusability","authors":"D. R. D. Santos, Serena Elisa Ponta, Silvio Ranise","doi":"10.1145/2914642.2914649","DOIUrl":"https://doi.org/10.1145/2914642.2914649","url":null,"abstract":"Modularity is an important concept in the design and enactment of workflows. However, supporting the specification and enforcement of authorization in this setting is not straightforward. In this paper, we introduce a notion of component and a combination mechanism for security-sensitive workflows. These are business processes in which execution constraints on the tasks are complemented with authorization constraints (e.g., Separation of Duty) and authorization policies (specifying which users can execute which tasks). We show how authorization constraints can also be imposed across components and demonstrate the usefulness of our notion of component by showing (i) the scalability of a technique for the synthesis of run-time monitors for security-sensitive workflows; and (ii) the design of a plug-in for the reuse of workflows and related run-time monitors inside an editor for security-sensitive workflows.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128906682","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 8
GemRBAC-DSL: A High-level Specification Language for Role-based Access Control Policies GemRBAC-DSL:基于角色访问控制策略的高级规范语言
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914656
Ameni ben Fadhel, D. Bianculli, L. Briand
{"title":"GemRBAC-DSL: A High-level Specification Language for Role-based Access Control Policies","authors":"Ameni ben Fadhel, D. Bianculli, L. Briand","doi":"10.1145/2914642.2914656","DOIUrl":"https://doi.org/10.1145/2914642.2914656","url":null,"abstract":"A role-based access control (RBAC) policy restricts a user to perform operations based on her role within an organization. Several RBAC models have been proposed to represent different types of RBAC policies. However, the expressiveness of these models has not been matched by specification languages for RBAC policies. Indeed, existing policy specification languages do not support all the types of RBAC policies defined in the literature. In this paper we aim to bridge the gap between highly-expressive RBAC models and policy specification languages, by presenting GemRBAC-DSL, a new specification language designed on top of an existing, generalized conceptual model for RBAC. The language sports a syntax close to natural language, to encourage its adoption among practitioners. We also define semantic checks to detect conflicts and inconsistencies among the policies written in a GemRBAC-DSL specification. We show how the semantics of GemRBAC-DSL can be expressed in terms of an existing formalization of RBAC policies as OCL (Object Constraint Language) constraints on the corresponding RBAC conceptual model. This formalization paves the way to define a model-driven approach for the enforcement of policies written in GemRBAC-DSL.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"75 3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116348679","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 8
Data-Centric Access Control for Cloud Computing 以数据为中心的云计算访问控制
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914662
Thomas Pasquier, J. Bacon, Jatinder Singh, D. Eyers
{"title":"Data-Centric Access Control for Cloud Computing","authors":"Thomas Pasquier, J. Bacon, Jatinder Singh, D. Eyers","doi":"10.1145/2914642.2914662","DOIUrl":"https://doi.org/10.1145/2914642.2914662","url":null,"abstract":"The usual approach to security for cloud-hosted applications is strong separation. However, it is often the case that the same data is used by different applications, particularly given the increase in data-driven (`big data' and IoT) applications. We argue that access control for the cloud should no longer be application-specific but should be data-centric, associated with the data that can flow between applications. Indeed, the data may originate outside cloud services from diverse sources such as medical monitoring, environmental sensing etc. Information Flow Control (IFC) potentially offers data-centric, system-wide data access control. It has been shown that IFC can be provided at operating system level as part of a PaaS offering, with an acceptable overhead. In this paper we consider how IFC can be integrated with application-specific access control, transparently from application developers, while building from simple IFC primitives, access control policies that align with the data management obligations of cloud providers and tenants.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"41 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128166774","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 21
Resiliency Policies in Access Control Revisited 访问控制中的弹性策略
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914650
J. Crampton, G. Gutin, Rémi Watrigant
{"title":"Resiliency Policies in Access Control Revisited","authors":"J. Crampton, G. Gutin, Rémi Watrigant","doi":"10.1145/2914642.2914650","DOIUrl":"https://doi.org/10.1145/2914642.2914650","url":null,"abstract":"Resiliency is a relatively new topic in the context of access control. Informally, it refers to the extent to which a multi-user computer system, subject to an authorization policy, is able to continue functioning if a number of authorized users are unavailable. Several interesting problems connected to resiliency were introduced by Li, Wang and Tripunitara [13], many of which were found to be intractable. In this paper, we show that these resiliency problems have unexpected connections with the workflow satisfiability problem (WSP). In particular, we show that an instance of the resiliency checking problem (RCP) may be reduced to an instance of WSP. We then demonstrate that recent advances in our understanding of WSP enable us to develop fixed-parameter tractable algorithms for RCP. Moreover, these algorithms are likely to be useful in practice, given recent experimental work demonstrating the advantages of bespoke algorithms to solve WSP. We also generalize RCP in several different ways, showing in each case how to adapt the reduction to WSP. Li et al also showed that the coexistence of resiliency policies and static separation-of-duty policies gives rise to further interesting questions. We show how our reduction of RCP to WSP may be extended to solve these problems as well and establish that they are also fixed-parameter tractable.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"94 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126414091","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 15
Policy Negotiation for Co-owned Resources in Relationship-Based Access Control 基于关系访问控制的共有资源策略协商
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914652
Pooya Mehregan, Philip W. L. Fong
{"title":"Policy Negotiation for Co-owned Resources in Relationship-Based Access Control","authors":"Pooya Mehregan, Philip W. L. Fong","doi":"10.1145/2914642.2914652","DOIUrl":"https://doi.org/10.1145/2914642.2914652","url":null,"abstract":"The collaborative nature of content development has given rise to the novel problem of multiple ownership in access control, such that a shared resource is administrated simultaneously by co-owners who may have conflicting privacy preferences and/or sharing needs. Prior work has focused on the design of unsupervised conflict resolution mechanisms. Driven by the need for human consent in organizational settings, this paper explores interactive policy negotiation, an approach complementary to that of prior work. Specifically, we propose an extension of Relationship-Based Access Control (ReBAC) to support multiple ownership, in which a policy negotiation protocol is in place for co-owners to come up with and give consent to an access control policy in a structured manner. During negotiation, the draft policy is assessed by formally defined availability criteria: to the second level of the polynomial hierarchy. We devised two algorithms for verifying policy satisfiability, both employing a modern SAT solver for solving subproblems. The performance is found to be adequate for mid-sized organizations.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128521908","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 17
Start Here: Engineering Scalable Access Control Systems 从这里开始:工程可扩展的访问控制系统
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914651
Aaron Elliott, S. Knight
{"title":"Start Here: Engineering Scalable Access Control Systems","authors":"Aaron Elliott, S. Knight","doi":"10.1145/2914642.2914651","DOIUrl":"https://doi.org/10.1145/2914642.2914651","url":null,"abstract":"Role-based Access Control (RBAC) is a popular solution for implementing information security however there is no pervasive methodology used to produce scalable access control systems for large organizations with hundreds or thousands of employees. As a result ten engineers will likely arrive at ten different solutions to the same problem where there is no right or wrong answer but there is both an immediate and long term cost. Moreover, they would have difficulty communicating the important aspects of their design implementations to each other. This is an interesting deficiency because despite their diversity, large organizations are built upon two key concepts, roles and responsibilities, where a role like Departmental Chair is identified and assigned responsibilities. In this paper, our objective is to introduce ORGODEX, a new model and practical methodology for engineering scalable RBAC systems in large organizations where employees require access to information on a need to know basis. First, we motivate the requirement for a new RBAC dichotomy, distinguishing between roles and responsibilities. Next, we introduce our new model for describing and reasoning about RBAC systems with this new dichotomy. Finally, we produce a new iterative methodology for engineering scalable access control systems.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125095355","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Automated Fault Localization of XACML Policies XACML策略的自动故障定位
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914653
Dianxiang Xu, Zhenyu Wang, Shuai Peng, Ning Shen
{"title":"Automated Fault Localization of XACML Policies","authors":"Dianxiang Xu, Zhenyu Wang, Shuai Peng, Ning Shen","doi":"10.1145/2914642.2914653","DOIUrl":"https://doi.org/10.1145/2914642.2914653","url":null,"abstract":"Access control policies in distributed systems, particularly implemented in the XACML standard language, are increasingly complex. Faults may exist in complex policies for various reasons such as misunderstanding of the access control requirements, omissions, and coding errors. These faults, if not removed before deployment, may lead to unauthorized accesses or denial of service. Manual localization of these faults, however, can be a challenging task. Inspired by spectrum-based fault localization for software debugging, this paper presents an approach for automatically localizing the fault(s) in a given XACML policy by exploring test coverage information of the policy elements. We investigate two test coverage criteria (i.e., reachability and firing) of policy elements and 14 scoring methods for ranking policy elements to determine the fault location(s). To evaluate the fault localization methods, we have used real-world policy files with different levels of complexity and a large number of policy mutants with one or two seeded faults. The experiment results show that the firing-based Naish2 and CBI-Inc methods are effective in fault localization of XACML policies.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131181735","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 12
下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信