361 research outputs found
Towards Model-Driven Development of Access Control Policies for Web Applications
We introduce a UML-based notation for graphically modeling
systemsâ security aspects in a simple and intuitive
way and a model-driven process that transforms graphical
specifications of access control policies in XACML. These
XACML policies are then translated in FACPL, a policy
language with a formal semantics, and the resulting policies
are evaluated by means of a Java-based software tool
Formalisation and Implementation of the XACML Access Control Mechanism
We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specifica- tion and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis
for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development
On Properties of Policy-Based Specifications
The advent of large-scale, complex computing systems has dramatically
increased the difficulties of securing accesses to systems' resources. To
ensure confidentiality and integrity, the exploitation of access control
mechanisms has thus become a crucial issue in the design of modern computing
systems. Among the different access control approaches proposed in the last
decades, the policy-based one permits to capture, by resorting to the concept
of attribute, all systems' security-relevant information and to be, at the same
time, sufficiently flexible and expressive to represent the other approaches.
In this paper, we move a step further to understand the effectiveness of
policy-based specifications by studying how they permit to enforce traditional
security properties. To support system designers in developing and maintaining
policy-based specifications, we formalise also some relevant properties
regarding the structure of policies. By means of a case study from the banking
domain, we present real instances of such properties and outline an approach
towards their automatised verification.Comment: In Proceedings WWV 2015, arXiv:1508.0338
Implementing a Secure Annotation Service
Annotation systems enable "value-adding" to digital resources by the attachment of additional data in the form of comments, explanations, references, reviews, corrections and other types of external, subjective remarks. They facilitate group discourse and capture collective intelligence by enabling communities to attach and share their views on particular data and documents accessible over the Web. Annotation systems vary greatly with regard to the types of content they annotate, the extent of collaboration and sharing they allow and the communities which they serve. However within many applications, there is a need to restrict access to the annotations to a particular group of trusted users - in order to protect intellectual property rights or personal privacy. This paper describes a secure, open source annotation system that we have developed that uses Shibboleth and XACML to identify and authenticate users and restrict their access to annotations stored on an Annotea server
Enforcing RFID data visibility restrictions using XACML security policies
Radio Frequency Identification (RFID) technology allows automatic data capture from tagged objects moving in a supply chain. This data can be very useful if it is used to answer traceability queries, however it is distributed across many different repositories, owned by different companies. Discovery Services (DS) are designed to assist in retrieving the RFID data relevant for traceability queries while enforcing sharing policies that are defined and required by participating companies to prevent sensitive data from being exposed. In this paper we define an interface for Supply Chain Authorization (SC-Az) and describe the implementation of two visibility restriction mechanisms based on Access Control Lists (ACLs) and Capabilities. Both approaches were converted to the standard eXtensible Access Control Markup Language (XACML) and their correctness and performance was evaluated for supply chains with increasing size
Authorization schema for electronic health-care records: for Uganda
This thesis discusses how to design an authorization schema focused on ensuring each patient's data privacy within a hospital information system
- âŠ