发布求助
文献互助 智能选刊 最新文献

Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies最新文献

筛选
英文 中文
Formal Comparison of an Attribute Based Access Control Language for RESTful Services with XACML 基于属性的RESTful服务访问控制语言与XACML的形式化比较
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914663
Marc Hüffmeyer, Ulf Schreier
{"title":"Formal Comparison of an Attribute Based Access Control Language for RESTful Services with XACML","authors":"Marc Hüffmeyer, Ulf Schreier","doi":"10.1145/2914642.2914663","DOIUrl":"https://doi.org/10.1145/2914642.2914663","url":null,"abstract":"This work introduces RestACL - an access control language for RESTful Services - and compares it with XACML using formal methods. XACML is a generic approach that targets Attribute Based Access Control (ABAC) in general. RestACL is founded on the ideas of the ABAC model, too, but utilizes the concepts of REST enabling a quicker evaluation of access requests. This work gives a brief introduction over the main ideas of RestACL and proves its evidence by giving transformation rules to translate security policies from RestACL to XACML and vice versa. The formalized transformation descriptions show the expressive strength of RestACL, because they demonstrate that any generic ABAC policy written in XACML can be expressed with RestACL, too. The correctness and completeness of RestACL can be proved with the transformation rules, too.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115378339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
PolyStream: Cryptographically Enforced Access Controls for Outsourced Data Stream Processing 外包数据流处理的加密强制访问控制
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914660
C. Thoma, Adam J. Lee, Alexandros Labrinidis
{"title":"PolyStream: Cryptographically Enforced Access Controls for Outsourced Data Stream Processing","authors":"C. Thoma, Adam J. Lee, Alexandros Labrinidis","doi":"10.1145/2914642.2914660","DOIUrl":"https://doi.org/10.1145/2914642.2914660","url":null,"abstract":"With data becoming available in larger quantities and at higher rates, new data processing paradigms have been proposed to handle high-volume, fast-moving data. Data Stream Processing is one such paradigm wherein transient data streams flow through sets of continuous queries, only returning results when data is of interest to the querier. To avoid the large costs associated with maintaining the infrastructure required for processing these data streams, many companies will outsource their computation to third-party cloud services. This outsourcing, however, can lead to private data being accessed by parties that a data provider may not trust. The literature offers solutions to this confidentiality and access control problem but they have fallen short of providing a complete solution to these problems, due to either immense overheads or trust requirements placed on these third-party services. To address these issues, we have developed PolyStream, an enhancement to existing data stream management systems that enables data providers to specify attribute-based access control policies that are cryptographically enforced while simultaneously allowing many types of in-network data processing. We detail the access control models and mechanisms used by PolyStream, and describe a novel use of security punctuations that enables flexible, online policy management and key distribution. We detail how queries are submitted and executed using an unmodified Data Stream Management System, and show through an extensive evaluation that PolyStream yields a 550x performance gain versus the state-of-the-art system StreamForce in CODASPY 2014, while providing greater functionality to the querier.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128336764","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 14
Tri-Modularization of Firewall Policies 防火墙策略的三模块化
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914646
Haining Chen, Omar Chowdhury, Ninghui Li, Warut Khern-am-nuai, Suresh Chari, Ian Molloy, Youngja Park
{"title":"Tri-Modularization of Firewall Policies","authors":"Haining Chen, Omar Chowdhury, Ninghui Li, Warut Khern-am-nuai, Suresh Chari, Ian Molloy, Youngja Park","doi":"10.1145/2914642.2914646","DOIUrl":"https://doi.org/10.1145/2914642.2914646","url":null,"abstract":"Firewall policies are notorious for having misconfiguration errors which can defeat its intended purpose of protecting hosts in the network from malicious users. We believe this is because today's firewall policies are mostly monolithic. Inspired by ideas from modular programming and code refactoring, in this work we introduce three kinds of modules: primary, auxiliary, and template, which facilitate the refactoring of a firewall policy into smaller, reusable, comprehensible, and more manageable components. We present algorithms for generating each of the three modules for a given legacy firewall policy. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we were able to identify subtle errors.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"56 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133112350","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Detecting Privilege Escalation Attacks through Instrumenting Web Application Source Code 通过检测Web应用程序源代码检测特权升级攻击
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914661
Jun Zhu, Bill Chu, H. Lipford
{"title":"Detecting Privilege Escalation Attacks through Instrumenting Web Application Source Code","authors":"Jun Zhu, Bill Chu, H. Lipford","doi":"10.1145/2914642.2914661","DOIUrl":"https://doi.org/10.1145/2914642.2914661","url":null,"abstract":"Privilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127752309","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 8
Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks 软件定义网络中控制器应用的动态访问控制
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914647
Hitesh Padekar, Younghee Park, Hongxin Hu, Sang-Yoon Chang
{"title":"Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks","authors":"Hitesh Padekar, Younghee Park, Hongxin Hu, Sang-Yoon Chang","doi":"10.1145/2914642.2914647","DOIUrl":"https://doi.org/10.1145/2914642.2914647","url":null,"abstract":"Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and change the internal data structure in the controller, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS to prevent controller APIs from being misused by malicious network applications. Through the run-time verification of API calls, AEGIS performs a fine-grained access control for important controller APIs that can be misused by malicious applications. The usage of API calls is verified in real time by sophisticated security access rules that are defined based on the relationships between applications and data in the SDN controller. We also present a prototypical implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks including new attacks we have recently discovered.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122137021","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 26
On Completeness in Languages for Attribute-Based Access Control 基于属性的访问控制语言的完备性
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914654
J. Crampton, Conrad Williams
{"title":"On Completeness in Languages for Attribute-Based Access Control","authors":"J. Crampton, Conrad Williams","doi":"10.1145/2914642.2914654","DOIUrl":"https://doi.org/10.1145/2914642.2914654","url":null,"abstract":"Attribute-based access control (ABAC) has attracted considerable interest in recent years, resulting in an extensive literature on the subject, including the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure in which leaf nodes are associated with authorization decisions and non-leaf nodes are associated with decision-combining algorithms. In this paper, we consider the expressive power of the rule- and policy-combining algorithms defined by the XACML standard. In particular, we identify unexpected dependencies between the combining algorithms and demonstrate that there exist useful combining algorithms that cannot be expressed by any combination of XACML combining algorithms. We briefly discuss the decision operators defined in the PTaCL language, an abstract language for defining ABAC policies, and the advantages of replacing the XACML combining algorithms with the PTaCL operators. Following this, we review results in the literature on multi-valued logic and introduce the notion of canonically complete policy languages. We discuss important practical advantages of canonically complete policy languages, primarily in simplifying policy specification and providing efficiently enforceable policies. Finally, we propose a new policy authorization language PTaCL which is canonically complete and show it is capable of expressing any arbitrary policy in a normal form and discuss the advantages of using PTaCL over existing policy languages such as XACML and PTaCL.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"87 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115882988","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
Boosting GSHADE Capabilities: New Applications and Security in Malicious Setting 增强GSHADE功能:恶意设置中的新应用程序和安全性
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914658
J. Bringer, O. Omri, Constance Morel, H. Chabanne
{"title":"Boosting GSHADE Capabilities: New Applications and Security in Malicious Setting","authors":"J. Bringer, O. Omri, Constance Morel, H. Chabanne","doi":"10.1145/2914642.2914658","DOIUrl":"https://doi.org/10.1145/2914642.2914658","url":null,"abstract":"The secure two-party computation (S2PC) protocols SHADE and GSHADE have been introduced by Bringer et al. in the last two years. The protocol GSHADE permits to compute different distances (Hamming, Euclidean, Mahalanobis) quite efficiently and is one of the most efficient compared to other S2PC methods. Thus this protocol can be used to efficiently compute one-to-many identification for several biometrics data (iris, face, fingerprint). In this paper, we introduce two extensions of GSHADE. The first one enables us to evaluate new multiplicative functions. This way, we show how to apply GSHADE to a classical machine learning algorithm. The second one is a new proposal to secure GSHADE against malicious adversaries following the recent dual execution and cut-and-choose strategies. The additional cost is very small. By preserving the GSHADE's structure, our extensions are very efficient compared to other S2PC methods.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120948735","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support 具有级联撤销和来源支持的扩展ReBAC管理模型
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914655
Yuan Cheng, K. Bijon, R. Sandhu
{"title":"Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support","authors":"Yuan Cheng, K. Bijon, R. Sandhu","doi":"10.1145/2914642.2914655","DOIUrl":"https://doi.org/10.1145/2914642.2914655","url":null,"abstract":"Relationship-based access control (ReBAC) has been widely studied and applied in the domain of online social networks, and has since been extended to domains beyond social. Using ReBAC itself to manage ReBAC also becomes a natural research frontier, where we have two ReBAC administrative models proposed recently by Rizvi et al.[30] and Stoller[33]. In this paper, we extend these two ReBAC administrative models in order to apply ReBAC beyond online social networks, particularly where edges can have dependencies with each other and authorization for certain administrative operations requires provenance information. Basically, our policy specifications adopt the concepts of enabling precondition and applicability preconditions from Rizvi et al[30]. Then, we address several issues that need to be considered in order to properly execute operation effects, such as cascading revocation and integrity constraints on the relationship graph. With these extended features, we show that our administrative models can provide the administration capability of the MT-RBAC model originally designed for multi-tenant collaborative cloud systems[34].","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127331238","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
An Empirical Study on User Access Control in Online Social Networks 在线社交网络中用户访问控制的实证研究
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914644
Minyue Ni, Yang Zhang, Weili Han, Jun Pang
{"title":"An Empirical Study on User Access Control in Online Social Networks","authors":"Minyue Ni, Yang Zhang, Weili Han, Jun Pang","doi":"10.1145/2914642.2914644","DOIUrl":"https://doi.org/10.1145/2914642.2914644","url":null,"abstract":"In recent years, access control in online social networks has attracted academia a considerable amount of attention. Previously, researchers mainly studied this topic from a formal perspective. On the other hand, how users actually use access control in their daily social network life is left largely unexplored. This paper presents the first large-scale empirical study on users' access control usage on Twitter and Instagram. Based on the data of 150k users on Twitter and 280k users on Instagram collected consecutively during three months in New York, we have conducted both static and dynamic analysis on users' access control usage. Our findings include: female users, young users and Asian users are more concerned about their privacy; users who enable access control setting are less active and have smaller online social circles; global events and important festivals can influence users to change their access control setting. Furthermore, we exploit machine learning classifiers to perform an access control setting prediction. Through experiments, the predictor achieves a fair performance with the AUC equals to 0.70, indicating whether a user enables her access control setting or not can be predicted to a certain extent.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"297 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134145910","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
A Space-Efficient Data Structure for Fast Access Control in ECM Systems 用于ECM系统快速访问控制的空间高效数据结构
Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI: 10.1145/2914642.2914657
Garfield Zhiping Wu, Frank Wm. Tompa
{"title":"A Space-Efficient Data Structure for Fast Access Control in ECM Systems","authors":"Garfield Zhiping Wu, Frank Wm. Tompa","doi":"10.1145/2914642.2914657","DOIUrl":"https://doi.org/10.1145/2914642.2914657","url":null,"abstract":"An Enterprise Content Management (ECM) system must withstand many queries to its access control subsystem in order to check permissions in support of browsing-oriented operations. This leads us to choose a subject-oriented representation for access control (i.e., maintaining a permissions list for each subject). Additionally, if identifiers (OIDs) are assigned to objects in a breadth-first traversal of the object hierarchy, we will encounter many contiguous OIDs when browsing under one object (e.g., folder). Based on these observations, we present a space-efficient data structure specifically tailored for representing permissions lists in ECM systems. In addition to achieving space efficiency, the operations to check, grant, or revoke a permission are very fast using our data structure. Furthermore, our design supports fast union and intersection of two or more permissions lists (determining the effective permissions inherited from several users' groups or the common permissions among sets of users). Finally, the data structure is scalable to support any increase in the number of objects and subjects. We evaluate our design by comparing it against a compressed (WAH) bitmap-based representation and a hashing-based representation, using both synthetic and real-world data under both random and breadth-first OID numbering schemes.","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127058519","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
首页 上一页 下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信