QuickFeed Security: Redesigned Authentication and Authorization Architecture.

QuickFeed (former Autograder) is a software project developed at the University of Stavanger. The application performs automated grading of coding assignments and provides nearly instant feedback to the students in programming courses. Authentication (establishing the identity of a user) and authorization (defining what types of data a user can access or modify) comprise an essential part of any web-based application. QuickFeed went through multiple reworks and updates, but the authentication module remained unchanged. As a result, it is necessary to keep extra steps to ensure interoperability between the authentication module and the rest of the application. This makes the affected parts of the QuickFeed codebase unnecessary complex, somewhat redundant, and hard to understand and maintain. This thesis work is dedicated to redesigning the authentication and authorization architecture of Quickfeed in order to enhance security and improve maintainability and scalability of the project

The Abacus: A New Architecture for Policy-based Authorization

Modern authorization architectures using role-based, policy-based, and even custom solutions have numerous flaws and challenges. A new design for authorization architecture is presented called the Abacus. This paper discusses the architecture that the Abacus utilizes to overcome the issues inherent in other proprietary and open-source authorization solutions. Specifically, the Abacus respects domain boundaries, is less complex than existing systems, and does not require direct connections to domain data stores

Clarens Client and Server Applications

Several applications have been implemented with access via the Clarens web service infrastructure, including virtual organization management, JetMET physics data analysis using relational databases, and Storage Resource Broker (SRB) access. This functionality is accessible transparently from Python scripts, the Root analysis framework and from Java applications and browser applets.Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics (CHEP03), La Jolla, Ca, USA, March 2003, 4 pages, LaTeX, no figures, PSN TUCT00

Authorization Framework for the Internet-of-Things

This paper describes a framework that allows fine-grained and flexible access control to connected devices with very limited processing power and memory. We propose a set of security and performance requirements for this setting and derive an authorization framework distributing processing costs between constrained devices and less constrained back-end servers while keeping message exchanges with the constrained devices at a minimum. As a proof of concept we present performance results from a prototype implementing the device part of the framework

Secure Management of Personal Health Records by Applying Attribute-Based Encryption

The confidentiality of personal health records is a major problem when patients use commercial Web-based systems to store their health data. Traditional access control mechanisms, such as Role-Based Access Control, have several limitations with respect to enforcing access control policies and ensuring data confidentiality. In particular, the data has to be stored on a central server locked by the access control mechanism, and the data owner loses control on the data from the moment when the data is sent to the requester. Therefore, these mechanisms do not fulfil the requirements of data outsourcing scenarios where the third party storing the data should not have access to the plain data, and it is not trusted to enforce access control policies. In this paper, we describe a new approach which enables secure storage and controlled sharing of patient’s health records in the aforementioned scenarios. A new variant of a ciphertext-policy attribute-based encryption scheme is proposed to enforce patient/organizational access control policies such that everyone can download the encrypted data but only authorized users from the social domain (e.g. family, friends, or fellow patients) or authorized users from the professional\ud domain (e.g. doctors or nurses) are allowed to decrypt it