727,025 research outputs found
ConXsense - Automated Context Classification for Context-Aware Access Control
We present ConXsense, the first framework for context-aware access control on
mobile devices based on context classification. Previous context-aware access
control systems often require users to laboriously specify detailed policies or
they rely on pre-defined policies not adequately reflecting the true
preferences of users. We present the design and implementation of a
context-aware framework that uses a probabilistic approach to overcome these
deficiencies. The framework utilizes context sensing and machine learning to
automatically classify contexts according to their security and privacy-related
properties. We apply the framework to two important smartphone-related use
cases: protection against device misuse using a dynamic device lock and
protection against sensory malware. We ground our analysis on a sociological
survey examining the perceptions and concerns of users related to contextual
smartphone security and analyze the effectiveness of our approach with
real-world context data. We also demonstrate the integration of our framework
with the FlaskDroid architecture for fine-grained access control enforcement on
the Android platform. Comment: Recipient of the Best Paper Awar
Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach
Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach
PEP4Django - A Policy Enforcement Point for Python Web Applications
Traditionally, access control mechanisms have been hard-coded into
application components. Such an approach is error-prone, mixing business logic with access control concerns and affecting the flexibility of security policies, as is the case with the IFRN SUAP Django-based system. The externalization of access control rules allows their decoupling from business logic, through the use of authorization servers where access control policies are stored and queried for computing access decisions. In this context, this paper presents an approach that allows a Django Web application to delegate access control decisions to an external authorization server. The approach has been integrated into an enterprise-level system, which has been used for experimentation. The results obtained indicate a negligible overhead, while allowing the modification of access control policies without interrupting the system
Security in networks of unmanned aerial vehicles for surveillance with an agent-based approach inspired by the principles of blockchain
Unmanned aerial vehicles (UAVs) can support surveillance even in areas without network infrastructure. However, UAV networks raise security challenges because of their dynamic topology. This paper proposes a technique for maintaining security in UAV networks in the context of surveillance, by corroborating information about events from different sources. In this way, UAV networks can conform peer-to-peer information inspired by the principles of blockchain, and detect compromised UAVs based on trust policies. The proposed technique uses a secure asymmetric encryption with a pre-shared list of official UAVs. Using this technique, the wrong information can be detected when an official UAV is physically hijacked. The novel agent-based simulator ABS-SecurityUAV is used to validate the proposed approach. In our experiments, around 90% of UAVs were able to corroborate information about a person walking in a controlled area, while none of the UAVs corroborated fake information coming from a hijacked UAV
Automated Certification of Authorisation Policy Resistance
Attribute-based Access Control (ABAC) extends traditional Access Control by
considering an access request as a set of pairs attribute name-value, making it
particularly useful in the context of open and distributed systems, where
security relevant information can be collected from different sources. However,
ABAC enables attribute hiding attacks, allowing an attacker to gain some access
by withholding information. In this paper, we first introduce the notion of
policy resistance to attribute hiding attacks. We then propose the tool ATRAP
(Automatic Term Rewriting for Authorisation Policies), based on the recent
formal ABAC language PTaCL, which first automatically searches for resistance
counter-examples using Maude, and then automatically searches for an Isabelle
proof of resistance. We illustrate our approach with two simple examples of
policies and propose an evaluation of ATRAP performances. Comment: 20 pages, 4 figures, version including proofs of the paper that will
be presented at ESORICS 201
Gestion contextualisée de la sécurité : implémentation MDS@Runtime avec FraSCAti
National audience. The development of security policies for information systems is usually based on a systematic risk analysis, reducing them by adopting appropriate countermeasures. These risk analysis approaches are complex and designed for well-known and static environments. To overcome this limit, we propose to extend the Model Driven Security (MDS) approach to an MDS@Runtime vision to set a Security as a Service component. Plugged on the FraSCAti middleware, our security component selects, composes and orchestrates the security services depending on the execution context to avoid both under and over protection
Supporting personalization in a web-based course through the definition of role-based access policies
Role-based access policies model the users' domain by means of complex structures where roles, which represent jobs or responsibilities assumed by users, are specialized into more concrete subroles which inherit properties and authorizations from their parents. Such an approach can be applied within the context of educational applications, where different roles are easily identified, each of which has different views of the same information items and different capabilities to modify them. Moreover, even though this approach has only been oriented towards modeling security requirements, it can be extended to support personalized access to the information. In this paper, we describe how to combine the basic principles of RBAC policies and adaptation with a view of providing personalized access to the different types of users of a web-based course. Moreover, we also present Courba, a platform to generate personalized web-based courses using XML to support the definition of access policies.