Static Enforcement of Role-Based Access Control

We propose a new static approach to Role-Based Access Control (RBAC) policy enforcement. The static approach we advocate includes a new design methodology, for applications involving RBAC, which integrates the security requirements into the system's architecture. We apply this new approach to policies restricting calls to methods in Java applications. We present a language to express RBAC policies on calls to methods in Java, a set of design patterns which Java programs must adhere to for the policy to be enforced statically, and a description of the checks made by our static verifier for static enforcement.Comment: In Proceedings WWV 2014, arXiv:1409.229

Event Systems and Access Control

We consider the interpretations of notions of access control (permissions, interdictions, obligations, and user rights) as run-time properties of information systems specified as event systems with fairness. We give proof rules for verifying that an access control policy is enforced in a system, and consider preservation of access control by refinement of event systems. In particular, refinement of user rights is non-trivial; we propose to combine low-level user rights and system obligations to implement high-level user rights

Can the CCPA Access Right Be Saved? Realigning Incentives in Access Request Verification

The California Consumer Privacy Act access right has the potential to give Californians a level of control over their personal information that is unprecedented in the United States. However, consumer privacy interests will be in peril unless the access right is accompanied by an effective access request verification requirement. Requiring companies to respond to access requests when they cannot verify that the requestor is the subject of the requested data puts sensitive personal information at risk. Inversely, allowing companies to shirk their access request responsibilities by claiming that data is unverifiable diminishes consumers’ data control rights. Thus, in the context of access request verification policy, there is an inherent tension between privacy as confidentiality and privacy as control. The success of the access right, and thus all CCPA data control rights, hinges on an access request verification policy that successfully balances these competing privacy interests. The endemic identity theft caused by credit application verification systems demonstrates why such balancing cannot be wholly left to private companies. In the credit context, balancing has been driven by the profit maximization interests of businesses, which currently do not align with consumer privacy interests. Fortunately, several scholars have proposed methods for aligning these divergent interests. The strengths and weaknesses from these proposed solutions to identity theft provide a useful framework for building a system that incentivizes companies to prioritize consumer privacy when developing access request verification systems

Self-Adaptive Role-Based Access Control for Business Processes

© 2017 IEEE. We present an approach for dynamically reconfiguring the role-based access control (RBAC) of information systems running business processes, to protect them against insider threats. The new approach uses business process execution traces and stochastic model checking to establish confidence intervals for key measurable attributes of user behaviour, and thus to identify and adaptively demote users who misuse their access permissions maliciously or accidentally. We implemented and evaluated the approach and its policy specification formalism for a real IT support business process, showing their ability to express and apply a broad range of self-adaptive RBAC policies

Study on Grade Division Policy for Trusted Network

AbstractScholars around the world have carried out extensive research word on architecture, protocols, algorithms and application for trusted network at present, and proposed a variety of network credible verification scheme and control mechanisms. In this paper, a kind of grade division policy for trusted network was provided on the basis of considering both the terminal security and profit of operators. Credible access architecture and certification model were given, and the partition rules of trusted attributes as well as the evaluate methods of grade division were explained in detail. Improved workflow for access to trusted network terminal was provided. Simulations results show that by the proposed framework, not only the safety and reliability of network can be ensured, but also the flexibility of ways to access network was strengthened, and that it can provide support for interoperability of different equipment manufacturers

Access-Network Association Policies for Media Streaming in Heterogeneous Environments

We study the design of media streaming applications in the presence of multiple heterogeneous wireless access methods with different throughputs and costs. Our objective is to analytically characterize the trade-off between the usage cost and the Quality of user Experience (QoE), which is represented by the probability of interruption in media playback and the initial waiting time. We model each access network as a server that provides packets to the user according to a Poisson process with a certain rate and cost. Blocks are coded using random linear codes to alleviate the duplicate packet reception problem. Users must take decisions on how many packets to buffer before playout, and which networks to access during playout. We design, analyze and compare several control policies with a threshold structure. We formulate the problem of finding the optimal control policy as an MDP with a probabilistic constraint. We present the HJB equation for this problem by expanding the state space, and exploit it as a verification method for optimality of the proposed control law.Comment: submitted to CDC 201

Verifying Policy Enforcers

Policy enforcers are sophisticated runtime components that can prevent failures by enforcing the correct behavior of the software. While a single enforcer can be easily designed focusing only on the behavior of the application that must be monitored, the effect of multiple enforcers that enforce different policies might be hard to predict. So far, mechanisms to resolve interferences between enforcers have been based on priority mechanisms and heuristics. Although these methods provide a mechanism to take decisions when multiple enforcers try to affect the execution at a same time, they do not guarantee the lack of interference on the global behavior of the system. In this paper we present a verification strategy that can be exploited to discover interferences between sets of enforcers and thus safely identify a-priori the enforcers that can co-exist at run-time. In our evaluation, we experimented our verification method with several policy enforcers for Android and discovered some incompatibilities.Comment: Oliviero Riganelli, Daniela Micucci, Leonardo Mariani, and Yli\`es Falcone. Verifying Policy Enforcers. Proceedings of 17th International Conference on Runtime Verification (RV), 2017. (to appear

Deep Learning meets Blockchain for Automated and Secure Access Control

Access control is a critical component of computer security, governing access to system resources. However, designing policies and roles in traditional access control can be challenging and difficult to maintain in dynamic and complex systems, which is particularly problematic for organizations with numerous resources. Furthermore, traditional methods suffer from issues such as third-party involvement, inefficiency, and privacy gaps, making transparent and dynamic access control an ongoing research problem. Moreover detecting malicious activities and identifying users who are not behaving appropriately can present notable difficulties. To address these challenges, we propose DLACB, a Deep Learning Based Access Control Using Blockchain, as a solution to decentralized access control. DLACB uses blockchain to provide transparency, traceability, and reliability in various domains such as medicine, finance, and government while taking advantage of deep learning to not rely on predefined policies and eventually automate access control. With the integration of blockchain and deep learning for access control, DLACB can provide a general framework applicable to various domains, enabling transparent and reliable logging of all transactions. As all data is recorded on the blockchain, we have the capability to identify malicious activities. We store a list of malicious activities in the storage system and employ a verification algorithm to cross-reference it with the blockchain. We conduct measurements and comparisons of the smart contract processing time for the deployed access control system in contrast to traditional access control methods, determining the time overhead involved. The processing time of DLBAC demonstrates remarkable stability when exposed to increased request volumes.Comment: arXiv admin note: text overlap with arXiv:2303.1475