1,462 research outputs found

    Possibilistic Information Flow Control for Workflow Management Systems

    In workflows and business processes, there are often security requirements on both the data, i.e. confidentiality and integrity, and the process, e.g. separation of duty. Graphical notations exist for specifying both workflows and associated security requirements. We present an approach for formally verifying that a workflow satisfies such security requirements. For this purpose, we define the semantics of a workflow as a state-event system and formalise security properties in a trace-based way, i.e. on an abstract level without depending on details of enforcement mechanisms such as Role-Based Access Control (RBAC). This formal model then allows us to build upon well-known verification techniques for information flow control. We describe how a compositional verification methodology for possibilistic information flow can be adapted to verify that a specification of a distributed workflow management system satisfies security requirements on both data and processes. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    SafeWeb: A Middleware for Securing Ruby-Based Web Applications

    Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a “safety net” to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).

    The Obama Administration and the Press: Leak Investigations and Surveillance in Post-9/11 America

    U.S. President Barack Obama came into office pledging open government, but he has fallen short of his promise. Journalists and transparency advocates say the White House curbs routine disclosure of information and deploys its own media to evade scrutiny by the press. Aggressive prosecution of leakers of classified information and broad electronic surveillance programs deter government sources from speaking to journalists.

    SIRU Development. Volume 4: Accelerometer Module

    No abstract available.

    The Classified Information Procedures Act in the Age of Terrorism: Remodeling CIPA in an Offense-Specific Manner

    The Classified Information Procedures Act (CIPA) sets the balancing point between the government’s interest in preventing disclosure of classified information with a criminal defendant’s right to exculpatory material. Although CIPA was originally drafted with espionage cases in mind, the statute has become more commonly associated with terrorism prosecutions. This contextual shift has disrupted CIPA’s interest-balancing formulation by altering the governmental interests at stake. CIPA’s discovery burdens on the defendant are ordinarily constitutionally justified by the strong countervailing state interest in preserving vital national-security information. This concern is less salient with terrorism defendants, who are unlikely to possess state secrets. Accordingly, those defendants may require further reciprocity in discovery procedures to keep the statute within constitutional parameters. This Note examines the ill effects of CIPA’s contextual shift and proposes a set of amendments to alleviate those concerns. Chiefly, this Note suggests an offense-specific CIPA, whereby the procedural mechanisms of the statute are tailored to the offense charged. The three core recommendations of this Note are (1) inclusion of defense counsel in the discovery process and clearer standards to govern discoverability; (2) a limited and qualified declassification requirement in select Foreign Intelligence Surveillance Act cases; and (3) bifurcation of admissibility hearings.