
    A Declarative Framework for Specifying and Enforcing Purpose-aware Policies

    Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory because of their ambiguous semantics of purposes and/or lack of support for the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such result in the literature on purpose-aware policies. Comment: Extended version of the paper accepted at the 11th International Workshop on Security and Trust Management (STM 2015)

    Evaluating Leniency with Missing Information on Undetected Cartels: Exploring Time-Varying Policy Impacts on Cartel Duration

    This paper examines the effects of European Commission’s (EC) new leniency program on the EC’s capabilities in detecting and deterring cartels. As a supplementary analysis, the US leniency is studied. I discuss a dynamic model of cartel formation and dissolution to illustrate how changes in antitrust policies and economic conditions might affect cartel duration. Comparative statics results are then corroborated with empirical estimates of hazard functions adjusted to account for both the heterogeneity of cartels and the time-varying policy impacts suggested by theory. Contrary to earlier studies, my statistical tests are consistent with the theoretic predictions that following an efficacious leniency program, the average duration of discovered cartels rises in the short run and falls in the long run. The results shed light on the design of enforcement programs against cartels and other forms of conspiracy.

    A Generic Framework for Enforcing Security in Distributed Systems

    A large extent of today's computer programs is distributed. For instance, services for backups, file storage, and cooperative work are now typically managed by distributed programs. The last two decades also brought a variety of services establishing social networks, from exchanging short messages to sharing personal information to dating. In each of the services, distributed programs process and store sensitive information about their users or the corporations their users work for. Secure processing of the sensitive information is essential for service providers. For instance, businesses are bound by law to take security measures against conflicts of interest. Beyond legal regulations, service providers are also pressed by users to satisfy their demands for security, such as the privacy of their profiles and messages in online social networks. In both instances, the prospect of security violations by a service provider constitutes a serious disadvantage and deters potential users from using the service. The focus of this thesis is on enabling service providers to secure their distributed programs by means of run-time enforcement mechanisms. Run-time enforcement mechanisms enforce security in a given program by monitoring, at run-time, the behavior of the program and by intervening when security violations are about to occur. Enforcing security in a distributed program includes securing the behavior of the individual agents of the distributed program as well as securing the joint behavior of all the agents. We present a framework for enforcing security in distributed programs. The framework combines tools and techniques for the specification, enforcement, and verification of security policies for distributed programs. For the specification of security policies, the framework provides the policy language CoDSPL. 
For generating run-time enforcement mechanisms from given security policies and applying these mechanisms to given distributed programs, the framework includes the tool CliSeAu. For the verification of generated enforcement mechanisms, the framework provides a formal model in the process algebra CSP. All three, the policy language, the tool, and the formal model allow for the distributed units of enforcement mechanisms to cooperate with each other. For supporting the specification of cooperating units, the framework provides two techniques as extensions of CoDSPL: a technique for specifying cooperation in a modular fashion and a technique for effectively cooperating in presence of race conditions. Finally, with the cross-lining technique of the framework, we devise a general approach for instrumenting distributed programs to apply an enforcement mechanism whose units can cooperate. The particular novelty of the presented framework is that the cooperation to be performed can be specified by the security policies and can take place even when the agents of the distributed program do not interact. This distinguishing feature of the framework enables one to specify and enforce security policies that employ a form of cooperation that suits the application scenario: Cooperation can be used when one's security requirements cannot be enforced in a fully decentralized fashion; but the overhead of cooperation can be avoided when no cooperation is needed. The case studies described in this thesis provide evidence that our framework is suited for enforcing custom security requirements in services based on third-party programs. In the case studies, we use the framework for developing two run-time enforcement mechanisms: one for enforcing a policy against conflicts of interest in a storage service and one for enforcing users' privacy policies in online social networks with respect to the sharing and re-sharing of messages. 
In both case studies, we experimentally verify the enforcement mechanisms to be effective and efficient, with an overhead in the range of milliseconds.

    Lightweight verification of control flow policies on Java bytecode

    This paper presents the enforcement of control flow policies for Java bytecode devoted to open and constrained devices. On-device enforcement of security policies mostly relies on run-time monitoring or inline checking code, which is not appropriate for strongly constrained devices such as mobile phones and smart-cards. We present a proof-carrying code approach with on-device lightweight verification of control flow policies statically at loading time. Our approach is suitable for evolving, open and constrained Java-based systems as it is compositional, to avoid re-verification of already verified bytecode upon loading of new bytecode, and it is regressive, to cleanly support bytecode unloading.
    This report presents the enforcement of control flow policies on Java bytecode for small open systems. Most of the time, this kind of security policy is enforced by monitoring the system or by inserting code to ensure compliance, which is not appropriate for small, strongly constrained systems such as mobile phones or smart cards. We present a method based on proof-carrying code to enforce this kind of policy with on-device verification performed at loading time. Our approach is well suited to small, evolving open systems because it is compositional, to avoid re-verifying code that is already loaded, and regressive, to cleanly handle the unloading of code that has already been installed and verified.

    Policy Enforcement with Proactive Libraries

    Software libraries implement APIs that deliver reusable functionalities. To correctly use these functionalities, software applications must satisfy certain correctness policies, for instance policies about the order some API methods can be invoked and about the values that can be used for the parameters. If these policies are violated, applications may produce misbehaviors and failures at runtime. Although this problem is general, applications that incorrectly use API methods are more frequent in certain contexts. For instance, Android provides a rich and rapidly evolving set of APIs that might be used incorrectly by app developers who often implement and publish faulty apps in the marketplaces. To mitigate this problem, we introduce the novel notion of proactive library, which augments classic libraries with the capability of proactively detecting and healing misuses at run-time. Proactive libraries blend libraries with multiple proactive modules that collect data, check the correctness policies of the libraries, and heal executions as soon as the violation of a correctness policy is detected. The proactive modules can be activated or deactivated at runtime by the users and can be implemented without requiring any change to the original library and any knowledge about the applications that may use the library. We evaluated proactive libraries in the context of the Android ecosystem. Results show that proactive libraries can automatically overcome several problems related to bad resource usage at the cost of a small overhead. Comment: O. Riganelli, D. Micucci and L. Mariani, "Policy Enforcement with Proactive Libraries" 2017 IEEE/ACM 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS), Buenos Aires, Argentina, 2017, pp. 182-19

    There are Two Sides to Every Question - Controller Versus Attacker.

    We investigate security enforcement mechanisms that run in parallel with a system; the aim is to check and modify the run-time behaviour of a possible attacker in order to guarantee that the system satisfies some security policies. We focus on a CSP-like quantitative process-algebra to model such processes. Weights on actions are modelled with semirings, which represent a parametric structure where to cast different metrics. The basic tools are represented by a quantitative logic and a model checking function. First, the behaviour of the system is removed from the parallel computation with respect to some security property to be satisfied. Secondly, what remains is refined in two formulas with respect to the given operator executed by a controller. The result describes what a controller has to do to prevent a given attack

    The Role of Market Power in Agricultural Contracts

    I study the economic consequences of shifting bargaining power in relational contracts through interventions such as the formation of a Bargaining Group (BG) for the side of sellers in a market where buyers traditionally hold significant market power. Existing theories of relational contracts predict that such a power transfer will have no impact on market efficiency. In contexts where enforcement institutions are weak, a standard assumption from existing theories of relational contracts - the existence of an enforceable base payment - may not hold. In this case, I show that a transfer of bargaining power can erode market efficiency in a dynamic relational contracting environment, which contradicts findings from existing models of relational contracting. When buyers hold significant market power, they forgo short-term opportunistic behavior by honoring promised performance bonuses in order to keep sellers engaged in trade over time and to accumulate surplus over many periods. With market power eroded by interventions such as the BG, buyers’ long-run gains to trade shrink. When this is coupled with the absence of an enforceable base payment, short-term opportunistic behavior becomes more appealing and trade is more likely to break down. The results here provide policy-makers insight into the economic consequences of enacting policies attempting to balance market power within a framework of fully informal contract enforcement.
    Keywords: contracts, incomplete enforcement, bargaining group, distribution, institutions, Agribusiness, Agricultural and Food Policy, Industrial Organization, Institutional and Behavioral Economics, International Development, D86, K12, L14, O12, Q13

    Comprehensive Specification and Efficient Enforcement of Role-based Access Control Policies using a Model-driven Approach

    Prohibiting unauthorized access to critical resources and data has become a major requirement for enterprises. Access control (AC) mechanisms manage requests from users to access system resources; the access is granted or denied based on the authorization policies defined within the enterprise. One of the most used AC paradigms is role-based access control (RBAC), in which access rights are determined based on the user’s role. In this dissertation, we focus on the problems of modeling, specifying and enforcing complex RBAC policies, by making the following contributions: 1. the GemRBAC+CTX conceptual model, a UML extension of the RBAC model that includes all the entities required to express the various types of RBAC policies found in the literature, with a specific emphasis on contextual policies. For each type of policy, we provided the corresponding formalization using the Object Constraint Language (OCL) to operationalize the access decision for a user’s request using model-driven technologies. 2. the GemRBAC-DSL language, a domain-specific language for RBAC policies designed on top of the GemRBAC+CTX model. The language is characterized by a syntax close to natural language, which does not require any mathematical background for expressing RBAC policies. The language supports all the authorization policies captured by the GemRBAC+CTX model. 3. MORRO, a model-driven framework for the run-time enforcement of RBAC policies expressed in GemRBAC-DSL, built on top of the GemRBAC+CTX model. MORRO provides policy enforcement for both access and usage control. 4. three tools (an editor for GemRBAC-DSL, a model transformation tool for GemRBAC-DSL, a run-time enforcement framework) have been implemented and released as part of this work. The GemRBAC+CTX model and the GemRBAC-DSL language have been adopted by our industrial partner for the specification of the access control policies of a Web application in the domain of disaster relief intervention. We have extensively evaluated the applicability and the scalability of MORRO on this Web application. The experimental results show that an access decision can be made on average, in less than 107 ms and that the time for processing a notification of an AC-related event is less than 512 ms. Furthermore, both the access decision time and the execution time for processing a notification of an AC-related event scale—in the majority of the cases—linearly with respect to the parameters characterizing AC configurations; in the remaining cases, the access decision time is constant.

    Who Should Learn What From the Failure and Delayed Bailout of the ODGF?

    In March 1985, the failure of the Ohio Deposit Guarantee Fund (the ODGF) sent shock waves reverberating through the financial world. This episode is popularly interpreted as evidence of the dangers of both private deposit insurance and continuing financial deregulation. This paper argues that policies of financial deregulation played little role in the ODGF insolvency. The failure of the ODGF was instead a failure of government regulation, rooted in inadequacies in the ODGF information and enforcement systems. The ODGF may be conceived as the Federal Savings and Loan Insurance Corporation writ small. Both agencies share many of the same structural imbalances: large unresolved losses, explicitly mispriced and underreserved services, inadequate information and monitoring systems, insufficient disciplinary powers, and a susceptibility to political pressures to forbear. Doctors perform autopsies on dead patients to improve their ability to protect living ones. This paper's autopsy of the institutional corpse of the ODGF focuses on identifying the kinds of disturbances that transform structural imbalances into a full-fledged crisis. Our research underscores the way that deceptive accounting and underfinanced insurance funds contain crisis pressures in the short run by setting the stage for more severe problems down the line. As financial markets approach more and more closely the perfect and complete markets beloved by finance theorists, the amount of time that can be bought by policies that merely defer crisis pressures is shrinking and becoming hard to use productively.