Common Representation of Information Flows for Dynamic Coalitions

We propose a formal foundation for reasoning about access control policies within a Dynamic Coalition, defining an abstraction over existing access control models and providing mechanisms for translation of those models into information-flow domain. The abstracted information-flow domain model, called a Common Representation, can then be used for defining a way to control the evolution of Dynamic Coalitions with respect to information flow

A survey on cyber security for smart grid communications

A smart grid is a new form of electricity network with high fidelity power-flow control, self-healing, and energy reliability and energy security using digital communications and control technology. To upgrade an existing power grid into a smart grid, it requires significant dependence on intelligent and secure communication infrastructures. It requires security frameworks for distributed communications, pervasive computing and sensing technologies in smart grid. However, as many of the communication technologies currently recommended to use by a smart grid is vulnerable in cyber security, it could lead to unreliable system operations, causing unnecessary expenditure, even consequential disaster to both utilities and consumers. In this paper, we summarize the cyber security requirements and the possible vulnerabilities in smart grid communications and survey the current solutions on cyber security for smart grid communications. © 2012 IEEE

Policy based roles for distributed systems security

Distributed systems are increasingly being used in commercial environments necessitating the development of trustworthy and reliable security mechanisms. There is often no clear informal or formal specification of enterprise authorisation policies and no tools to translate policy specifications to access control implementation mechanisms such as capabilities or Access Control Lists. It is thus difficult to analyse the policy to detect conflicts or flaws and it is difficult to verify that the implementation corresponds to the policy specification. We present in this paper a framework for the specification of management policies. We are concerned with two types of policies: obligations which specify what activities a manager or agent must or must not perform on a set of target objects and authorisations which specify what activities a subject (manager or agent) can or can not perform on the set of target objects. Management policies are then grouped into roles reflecting the organisation..

Practical assessment of Biba integrity for TCG-enabled platforms

Checking the integrity of an application is necessary to determine if the latter will behave as expected. The method defined by the Trusted Computing Group consists in evaluating the fingerprints of the platform hardware and software components required for the proper functioning of the application to be assessed. However, this only ensures that a process was working correctly at load-time but not for its whole life-cycle. Policy-Reduced Integrity Measurement Architecture (PRIMA) addresses this problem by enforcing a security policy that denies information flows from potentially malicious processes to an application target of the evaluation and its dependencies (requirement introduced by CW-Lite, an evolution of the Biba integrity model). Given the difficulty of deploying PRIMA (as platform administrators have to tune their security policies to satisfy the CW-Lite requirements) we propose in this paper Enhanced IMA, an extended version of the Integrity Measurement Architecture (IMA) that, unlike PRIMA, works almost out of the box and just reports information flows instead of enforcing them. In addition, we introduce a model to evaluate the information reported by Enhanced IMA with existing technique

Beyond the Hype: On Using Blockchains in Trust Management for Authentication

Trust Management (TM) systems for authentication are vital to the security of online interactions, which are ubiquitous in our everyday lives. Various systems, like the Web PKI (X.509) and PGP's Web of Trust are used to manage trust in this setting. In recent years, blockchain technology has been introduced as a panacea to our security problems, including that of authentication, without sufficient reasoning, as to its merits.In this work, we investigate the merits of using open distributed ledgers (ODLs), such as the one implemented by blockchain technology, for securing TM systems for authentication. We formally model such systems, and explore how blockchain can help mitigate attacks against them. After formal argumentation, we conclude that in the context of Trust Management for authentication, blockchain technology, and ODLs in general, can offer considerable advantages compared to previous approaches. Our analysis is, to the best of our knowledge, the first to formally model and argue about the security of TM systems for authentication, based on blockchain technology. To achieve this result, we first provide an abstract model for TM systems for authentication. Then, we show how this model can be conceptually encoded in a blockchain, by expressing it as a series of state transitions. As a next step, we examine five prevalent attacks on TM systems, and provide evidence that blockchain-based solutions can be beneficial to the security of such systems, by mitigating, or completely negating such attacks.Comment: A version of this paper was published in IEEE Trustcom. http://ieeexplore.ieee.org/document/8029486

Promissory Estoppel and the Protection of Interpersonal Trust

This paper examines the role of trust in promissory estoppel and the extent to which the law should protect trust when a promise is made. Part II of this Article summarizes some of the scholarship discussing the nature and role of trust. In particular, it discusses the role of trust in a market economy, and the related role of trust in Contracts law. Part III examines whether there is a difference between trust and reliance, and whether it matters. Part III further asserts that a separate discussion of trust is beneficial because it has the potential to guide and inform internal decision-making in a way that is not possible by simply focusing on outward reliance. Part IV of this Article discusses the role of trust in the doctrine of promissory estoppel. Part V sets forth why the law should promote an optimal level of trust, as opposed to a maximum protection of trust no matter what. It discusses the need for promisees to exercise self-reliance and self-protection in order to avoid overreliance. Part VI identifies the types of cases where trust should be protected. Such cases include ones where the promisee is engaged in a transaction that she cannot avoid, where she has no control over the structure of the transaction, and where she has no choice but to trust the promisor (or more accurately, trust the legal system to enforce the promise). Part VII presents the polar end of the spectrum where trust should not be protected. Part VIII concludes the Article

Advances in Information Security and Privacy

With the recent pandemic emergency, many people are spending their days in smart working and have increased their use of digital resources for both work and entertainment. The result is that the amount of digital information handled online is dramatically increased, and we can observe a significant increase in the number of attacks, breaches, and hacks. This Special Issue aims to establish the state of the art in protecting information by mitigating information risks. This objective is reached by presenting both surveys on specific topics and original approaches and solutions to specific problems. In total, 16 papers have been published in this Special Issue