Modularity for Security-Sensitive Workflows
An established trend in software engineering insists on using components
(sometimes also called services or packages) to encapsulate a set of related
functionalities or data. By defining interfaces specifying what functionalities
they provide or use, components can be combined with others to form more
complex components. In this way, IT systems can be designed by mostly re-using
existing components and developing new ones to provide new functionalities. In
this paper, we introduce a notion of component and a combination mechanism for
an important class of software artifacts, called security-sensitive workflows.
These are business processes in which execution constraints on the tasks are
complemented with authorization constraints (e.g., Separation of Duty) and
authorization policies (constraining which users can execute which tasks). We
show how well-known workflow execution patterns can be simulated by our
combination mechanism and how authorization constraints can also be imposed
across components. Then, we demonstrate the usefulness of our notion of
component by showing (i) the scalability of a technique for the synthesis of
run-time monitors for security-sensitive workflows and (ii) the design of a
plug-in for the re-use of workflows and related run-time monitors inside an
editor for security-sensitive workflows
An Innovative Workspace for The Cherenkov Telescope Array
The Cherenkov Telescope Array (CTA) is an initiative to build the next
generation, ground-based gamma-ray observatories. We present a prototype
workspace developed at INAF that aims at providing innovative solutions for the
CTA community. The workspace leverages open source technologies providing web
access to a set of tools widely used by the CTA community. Two different user
interaction models, connected to an authentication and authorization
infrastructure, have been implemented in this workspace. The first one is a
workflow management system accessed via a science gateway (based on the Liferay
platform) and the second one is an interactive virtual desktop environment. The
integrated workflow system allows to run applications used in astronomy and
physics researches into distributed computing infrastructures (ranging from
clusters to grids and clouds). The interactive desktop environment allows to
use many software packages without any installation on local desktops
exploiting their native graphical user interfaces. The science gateway and the
interactive desktop environment are connected to the authentication and
authorization infrastructure composed by a Shibboleth identity provider and a
Grouper authorization solution. The Grouper released attributes are consumed by
the science gateway to authorize the access to specific web resources and the
role management mechanism in Liferay provides the attribute-role mapping
A Sustainable Model based on the Social Network Service to Support the Research Cycle
Third International Conference on Open Repositories 2008, 1-4 April 2008, Southampton, United Kingdom
In this paper, we analyze requirements for institutional repositories from the viewpoint of the research cycle, and find that it is critical any existing repository system has little functions managing social relations of researchers. This leads us to a general model in which an SNS platform is an interface for researchers and an institutional repository is a backyard system. The SNS platform enables researchers to work together with co-workers. In addition to the interface, the SNS platform provides authentication and authorization mechanism for other backyard systems. Due to the mechanism, we can use, for instance, a search engine with the access control. Therefore academic resources not available to the public, such as a manuscript of a paper, can be safely indexed. Managing the authentication and authorization mechanism is done in a sustainable manner, compared to other standard authentication or authorization systems, such as SSO or ACL (Access Control List)
Generic POLCA : a production and materials flow control mechanism for quick response manufacturing
A production and materials flow control mechanism for quick response manufacturing (QRM) is proposed. This is
called generic paired-cell overlapping loops of cards with authorization (GPOLCA). It is an adaptation of the POLCA
mechanism developed as part of the QRM strategy. GPOLCA implements an input–output control order release strategy
based on an inventory of production authorization cards instead of materials. It is best suited for companies that
manufacture large variety of products with variable demand. A description of GPOLCA is made together with a
comparative study of its performance in relation with other mechanisms namely MRP and POLCA. The results show that
GPOLCA attains better performance
PCPT and ACPT: Copyright Protection and Traceability Scheme for DNN Models
Deep neural networks (DNNs) have achieved tremendous success in artificial
intelligence (AI) fields. However, DNN models can be easily illegally copied,
redistributed, or abused by criminals, seriously damaging the interests of
model inventors. The copyright protection of DNN models by neural network
watermarking has been studied, but the establishment of a traceability
mechanism for determining the authorized users of a leaked model is a new
problem driven by the demand for AI services. Because the existing traceability
mechanisms are used for models without watermarks, a small number of
false-positives are generated. Existing black-box active protection schemes
have loose authorization control and are vulnerable to forgery attacks.
Therefore, based on the idea of black-box neural network watermarking with the
video framing and image perceptual hash algorithm, a passive copyright
protection and traceability framework PCPT is proposed that uses an additional
class of DNN models, improving the existing traceability mechanism that yields
a small number of false-positives. Based on an authorization control strategy
and image perceptual hash algorithm, a DNN model active copyright protection
and traceability framework ACPT is proposed. This framework uses the
authorization control center constructed by the detector and verifier. This
approach realizes stricter authorization control, which establishes a strong
connection between users and model owners, improves the framework security, and
supports traceability verification
Process Driven Access Control and Authorisation Approach
Compliance to regulatory requirements is key to successful collaborative business process execution. The review of the EU general data protection regulation (GDPR) brought to the fore the need to comply with data privacy. Access control and authorization mechanisms in workflow management systems based on roles, tasks and attributes do not sufficiently address the current complex and dynamic privacy requirements in collaborative business process environments due to diverse policies. This paper proposes process driven authorization as an alternative approach to data access control and authorization where access is granted based on legitimate need to accomplish a task in the business process. Due to vast sources of regulations, a mechanism to derive and validate a composite set of constraints free of conflicts and contradictions is presented. An extended workflow tree language is also presented to support constraint modeling. An industry case Pick and Pack process is used for illustration
Honeykeys: deception mechanisms in single packet authorization
Single packet authorization is a technique that allows shielding a protected network service from the outside world. The protection is achieved by hiding the respective transport layer port until a cryptographically protected packet received by another service authorizes port opening. The technique has a known weakness related to key leakage. If the secret key is known to the attacker, the shield can be removed by one message. The paper proposes to use a novel Honeykeys authorization scheme that is aimed at deceiving the attacker by storing decoy cryptographic keys on both server and client sides along with the actual keys. In such a scheme, if keys are compromised, it will not lead to a full-scale system compromise. In addition to that, the Honeykeys scheme allows establishing segregation of duties in the authorization process and enables early detection of compromised keys. Apart from presenting the theoretical concept of Honeykeys, the paper shows preliminary implementation results from the pilot project. These results show acceptable authorization delay times imposed by the additional security mechanism
Enhanced security architecture for support of credential repository in grid computing.
Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004