A Typed Model for Dynamic Authorizations
Security requirements in distributed software systems are inherently dynamic.
In the case of authorization policies, resources are meant to be accessed only
by authorized parties, but the authorization to access a resource may be
dynamically granted/yielded. We describe ongoing work on a model for specifying
communication and dynamic authorization handling. We build upon the pi-calculus
so as to enrich communication-based systems with authorization specification
and delegation; here authorizations regard channel usage and delegation refers
to the act of yielding an authorization to another party. Our model includes:
(i) a novel scoping construct for authorization, which allows one to specify
authorization boundaries, and (ii) communication primitives for authorizations,
which allow authorizations to act on a given channel to be passed around. An
authorization error is, e.g., performing an action along a name
which is not under an appropriate authorization scope. We introduce a typing
discipline that ensures that processes never reduce to authorization errors,
even when authorizations are dynamically delegated.
Comment: In Proceedings PLACES 2015, arXiv:1602.0325
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect
phones, tablets, and many different types of consumer electronics. While
Android's permission model is well studied, the enforcement of the protection
policy has received relatively little attention. Much of this enforcement is
spread across system services, taking the form of hard-coded checks within
their implementations. In this paper, we propose Authorization Check Miner
(ACMiner), a framework for evaluating the correctness of Android's access
control enforcement through consistency analysis of authorization checks.
ACMiner combines program and text analysis techniques to generate a rich set of
authorization checks, mines the corresponding protection policy for each
service entry point, and uses association rule mining at a service granularity
to identify inconsistencies that may correspond to vulnerabilities. We used
ACMiner to study the AOSP version of Android 7.1.1 to identify 28
vulnerabilities relating to missing authorization checks. In doing so, we
demonstrate ACMiner's ability to help domain experts process thousands of
authorization checks scattered across millions of lines of code.
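The consistency analysis the abstract describes can be illustrated with a small association-rule miner over per-entry-point check sets: within one service, if entry points that perform check A almost always also perform check B, the few that perform A without B are candidates for a missing authorization check. The following is an added example in that spirit and is not ACMiner's code; the service names, entry points and check labels are constructed sample data, not real AOSP results, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from itertools import permutations
from typing import Dict, List, Set, Tuple

# Constructed sample (hypothetical services, not real AOSP data): each entry point
# maps to the set of authorization checks found on its code paths.
SAMPLE_ENTRY_POINTS: Dict[str, Set[str]] = {
    "FooService.setConfig":   {"enforceCallingPermission(WRITE_FOO)", "checkCallerIsSystemOrSameApp"},
    "FooService.resetConfig": {"enforceCallingPermission(WRITE_FOO)", "checkCallerIsSystemOrSameApp"},
    "FooService.clearConfig": {"enforceCallingPermission(WRITE_FOO)", "checkCallerIsSystemOrSameApp"},
    "FooService.applyConfig": {"enforceCallingPermission(WRITE_FOO)"},   # lacks the caller check
    "FooService.getConfig":   {"enforceCallingPermission(READ_FOO)"},
    "FooService.dumpConfig":  {"enforceCallingPermission(READ_FOO)", "enforceCallingPermission(DUMP)"},
    "BarService.setState":    {"enforceCallingPermission(WRITE_BAR)", "checkCallerIsSystemOrSameApp"},
    "BarService.getState":    {"enforceCallingPermission(READ_BAR)"},
}

# (antecedent check, consequent check, support, confidence)
Rule = Tuple[str, str, int, float]


def mine_rules(entry_points: Dict[str, Set[str]],
               min_support: int = 2,
               min_confidence: float = 0.75) -> List[Rule]:
    """Pairwise association rules: 'an entry point that performs A also performs B'.

    support    = number of entry points performing both A and B
    confidence = support / number of entry points performing A
    """
    single: Counter = Counter()
    pair: Counter = Counter()
    for checks in entry_points.values():
        single.update(checks)
        # Count each ordered pair once per entry point.
        pair.update(permutations(sorted(checks), 2))
    rules: List[Rule] = []
    for (a, b), n in pair.items():
        if n < min_support:
            continue
        confidence = n / single[a]
        if confidence >= min_confidence:
            rules.append((a, b, n, confidence))
    return sorted(rules)


def service_of(entry_point: str) -> str:
    """Service granularity: the part of 'Service.method' before the dot."""
    return entry_point.split(".", 1)[0]


def find_inconsistencies(entry_points: Dict[str, Set[str]],
                         min_support: int = 2,
                         min_confidence: float = 0.75) -> Dict[str, Set[str]]:
    """Mine rules per service and flag entry points that violate a high-confidence rule.

    Returns {entry_point: set of checks it performs none of but its peers do}.
    """
    by_service: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for ep, checks in entry_points.items():
        by_service[service_of(ep)][ep] = checks

    findings: Dict[str, Set[str]] = defaultdict(set)
    for eps in by_service.values():
        rules = mine_rules(eps, min_support, min_confidence)
        for ep, checks in eps.items():
            for antecedent, consequent, _support, _conf in rules:
                if antecedent in checks and consequent not in checks:
                    findings[ep].add(consequent)
    return dict(findings)


if __name__ == "__main__":
    for ep, missing in sorted(find_inconsistencies(SAMPLE_ENTRY_POINTS).items()):
        print(f"{ep}: peers also perform {sorted(missing)}")
```

In the sample, the rule "WRITE_FOO permission check implies caller check" has support 3 and confidence 0.75, so `FooService.applyConfig` is flagged; the read-only entry points are not, and BarService's single write entry point never reaches the support threshold, so no rule is mined across services. A flagged entry point is only a candidate for manual review, which is the role the abstract assigns to the domain expert.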
Counterfactual quantum certificate authorization
We present a multi-partite protocol in a counterfactual paradigm. In
counterfactual quantum cryptography, secure information is transmitted between
two spatially separated parties even when there is no physical travel of
particles transferring the information between them. We propose here a
tripartite counterfactual quantum protocol for the task of certificate
authorization. Here a trusted third party, Alice, authenticates an entity Bob
(e.g., a bank) that a client Charlie wishes to securely transact with. The
protocol is counterfactual with respect to either Bob or Charlie. We prove its
security against a general incoherent attack, where Eve attacks single
particles.
Comment: 6 pages, 2 figures, close to the published version
Site Authorization Service (SAZ)
In this paper we present a methodology to provide an additional level of
centralized control over grid resources. This centralized control is applied
site-wide across the various grids a site participates in, giving the site
better control over maintenance.
Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics
(CHEP03), La Jolla, CA, USA, March 2003, 3 pages, PSN TUBT00
Nexus Authorization Logic (NAL): Logical Results
Nexus Authorization Logic (NAL) [Schneider et al. 2011] is a logic for
reasoning about authorization in distributed systems. A revised version of NAL
is given here, including revised syntax, a revised proof theory using localized
hypotheses, and a new Kripke semantics. The proof theory is proved sound with
respect to the semantics, and that proof is formalized in Coq.
Belief Semantics of Authorization Logic
Authorization logics have been used in the theory of computer security to
reason about access control decisions. In this work, a formal belief semantics
for authorization logics is given. The belief semantics is proved to subsume a
standard Kripke semantics. The belief semantics yields a direct representation
of principals' beliefs, without resorting to the technical machinery used in
Kripke semantics. A proof system is given for the logic; that system is proved
sound with respect to the belief and Kripke semantics. The soundness proof for
the belief semantics, and for a variant of the Kripke semantics, is mechanized
in Coq.
Endogenous Decentralization in Federal Environmental Policies
Under most federal environmental laws and some health and safety laws, states may apply for "primacy," that is, authority to implement and enforce federal law, through a process known as "authorization." Some observers fear that states use authorization to adopt more lax policies in a regulatory "race to the bottom." This paper presents a simple model of the interaction between the federal and state governments in such a scheme of partial decentralization. Our model suggests that the authorization option may not only increase social welfare but also allow more stringent environmental regulations than would otherwise be feasible. Our model also suggests that the federal government may choose its policies so that states that desire more strict regulation authorize, while other states remain under the federal program. We then test this hypothesis using data on federal regulation of water pollution and of hazardous waste, which are two of the most important environmental programs to allow authorization. We find that states that prefer more environmental protection authorize more quickly under both policies. This evidence suggests that states seek authorization to adopt more strict policies instead of more lax policies compared to federal policies.