On Properties of Policy-Based Specifications

The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.Comment: In Proceedings WWV 2015, arXiv:1508.0338

Dynamic User Role Assignment in Remote Access Control

The Role-Based Access Control (RBAC) model has been widely applied to a single domain in which users are known to the administrative unit of that domain, beforehand. However, the application of the conventional RBAC model for remote access control scenarios is not straightforward. In such scenarios, the access requestor is outside of the provider domain and thus, the user population is heterogeneous and dynamic. Here, the main challenge is to automatically assign users to appropriate roles of the provider domain. Trust management has been proposed as a supporting technique to solve the problem of remote access control. The key idea is to establish a mutual trust between the requestor and provider based on credentials they exchange. However, a credential doesn't convey any information about the behavior of its holder during the time it is being used. Furthermore, in terms of privileges granted to the requestor, existing trust management systems are either too restrictive or not restrictive enough. In this paper, we propose a new dynamic user-role assignment approach for remote access control, where a stranger requests for access from a provider domain. Our approach has two advantages compared to the existing dynamic user-role assignment techniques. Firstly, it addresses the principle of least privilege without degrading the efficiency of the access control system. Secondly, it takes into account both credentials and the past behavior of the requestor in such a way that he cannot compensate for the lack of necessary credentials by having a good past behavior

Our Very Privileged Executive: Why the Judiciary Can (and Should) Fix the State Secrets Privilege

This paper was first presented at the Temple Law Review Symposium on Executive Power. In Reynolds v. United States, the Supreme Court shaped the state secrets privilege (the Privilege) as one akin to that against self-incrimination. In recent litigation, the government has asserted the Privilege in motions for pre-discovery dismissal, thus transforming the Privilege into a form of executive immunity. This Paper argues that courts must step in to return the Privilege to a scope more in keeping with its status as a form of evidentiary privilege. After reviewing the doctrinal origins of the Privilege, the Paper explores three types of issues implicated by the government\u27s invocation of the Privilege. The government, in calling for judicial deference to executive assertions of the Privilege, often realies on (1) separation of powers arguments or on (2) arguments sounding in institutional competence. Courts are often swayed by such arguments and thus give relatively little consideration to the (3) conflict of interest inherent in the government\u27s assertion of the Privilege and the impact of the successful invocation of the Privilege on the rights of individual litigants. The Paper then proceeds to address arguments that Congress can provide a check on executive abuse of the Privilege. The Paper argues that, assuming that Congress has constitutional authority, it lacks the will or the institutional competence to provide a proper solution to the problems raised by the Privilege. Instead, the Paper contends that, since courts created the Privilege, courts are best positioned to rein it in. The final section of the Paper provides examples drawn from case law illustrating mechanisms whereby courts can protect state secrets while also giving litigants adverse to the government their day in court

ESCUDO: A Fine-grained Protection Model for Web Browsers

Web applications are no longer simple hyperlinked documents. They have progressively evolved to become highly complex---web pages combine content from several sources (with varying levels of trustworthiness), and incorporate significant portions of client-side code. However, the prevailing web protection model, the same-origin policy, has not adequately evolved to manage the security consequences of this additional complexity. As a result, web applications have become attractive targets of exploitation. We argue that this disconnection between the protection needs of modern web applications and the protection models used by web browsers that manage those applications amounts to a failure of access control. In this paper, we present Escudo, a new web browser protection model designed based on established principles of mandatory access control. We describe our implementation of a prototype of Escudo in the Lobo web browser, and illustrate how web applications can use Escudo for securing their resources. Our evaluation results indicate that Escudo incurs low overhead. To support backwards compatibility, Escudo defaults to the same-origin policy for legacy applications

Practical Fine-grained Privilege Separation in Multithreaded Applications

An inherent security limitation with the classic multithreaded programming model is that all the threads share the same address space and, therefore, are implicitly assumed to be mutually trusted. This assumption, however, does not take into consideration of many modern multithreaded applications that involve multiple principals which do not fully trust each other. It remains challenging to retrofit the classic multithreaded programming model so that the security and privilege separation in multi-principal applications can be resolved. This paper proposes ARBITER, a run-time system and a set of security primitives, aimed at fine-grained and data-centric privilege separation in multithreaded applications. While enforcing effective isolation among principals, ARBITER still allows flexible sharing and communication between threads so that the multithreaded programming paradigm can be preserved. To realize controlled sharing in a fine-grained manner, we created a novel abstraction named ARBITER Secure Memory Segment (ASMS) and corresponding OS support. Programmers express security policies by labeling data and principals via ARBITER's API following a unified model. We ported a widely-used, in-memory database application (memcached) to ARBITER system, changing only around 100 LOC. Experiments indicate that only an average runtime overhead of 5.6% is induced to this security enhanced version of application

DyVOSE project: experiences in applying privilege management infrastructures

Privilege Management Infrastructures (PMI) are emerging as a necessary alternative to authorization through Access Control Lists (ACL) as the need for finer grained security on the Grid increases in numerous domains. The 2-year JISC funded DyVOSE Project has investigated applying PMIs within an e-Science education context. This has involved establishing a Grid Computing module as part of Glasgow University’s Advanced MSc degree in Computing Science. A laboratory infrastructure was built for the students realising a PMI with the PERMIS software, to protect Grid Services they created. The first year of the course centered on building a static PMI at Glasgow. The second year extended this to allow dynamic attribute delegation between Glasgow and Edinburgh to support dynamic establishment of fine grained authorization based virtual organizations across multiple institutions. This dynamic delegation was implemented using the DIS (Delegation Issuing) Web Service supplied by the University of Kent. This paper describes the experiences and lessons learned from setting up and applying the advanced Grid authorization infrastructure within the Grid Computing course, focusing primarily on the second year and the dynamic virtual organisation setup between Glasgow and Edinburgh

Protection Models for Web Applications

Early web applications were a set of static web pages connected to one another. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not updated their protection models to deal with the security consequences of these full-featured programs. This mismatch has been the source of several security problems in web applications. This dissertation proposes new protection models for web applications. The design and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications