The Authorization Policy Existence Problem
Constraints such as separation-of-duty are widely used to specify requirements that supplement basic authorization policies. However, the existence of constraints (and authorization policies) may mean that a user is unable to fulfill her/his organizational duties because access to resources is denied. In short, there is a tension between the need to protect resources (using policies and constraints) and the availability of resources. Recent work on workflow satisfiability and resiliency in access control asks whether this tension compromises the ability of an organization to achieve its objectives. In this paper, we develop a new method of specifying constraints which subsumes much related work and allows a wider range of constraints to be specified. The use of such constraints leads naturally to a range of questions related to “policy existence”, where a positive answer means that an organization’s objectives can be realized. We provide an overview of our results establishing that some policy existence questions, notably for those instances that are restricted to user-independent constraints, are fixed-parameter tractable.
Valued Authorization Policy Existence Problem: Theory and Experiments
Recent work has shown that many problems of satisfiability and resiliency in
workflows may be viewed as special cases of the authorization policy existence
problem (APEP), which returns an authorization policy if one exists and 'No'
otherwise. However, in many practical settings it would be more useful to
obtain a 'least bad' policy than just a 'No', where 'least bad' is
characterized by some numerical value indicating the extent to which the policy
violates the base authorization relation and constraints. Accordingly, we
introduce the Valued APEP, which returns an authorization policy of minimum
weight, where the (non-negative) weight is determined by the constraints
violated by the returned solution. We then establish a number of results
concerning the parameterized complexity of Valued APEP. We prove that the
problem is fixed-parameter tractable (FPT) if the set of constraints satisfies
two restrictions, but is intractable if only one of these restrictions holds.
(Most constraints known to be of practical use satisfy both restrictions.) We
also introduce a new type of resiliency for workflow satisfiability problem,
show how it can be addressed using Valued APEP and use this to build a set of
benchmark instances for Valued APEP. Following a set of computational
experiments with two mixed integer programming (MIP) formulations, we
demonstrate that the Valued APEP formulation based on the user profile concept
has FPT-like running time and usually significantly outperforms a naive
formulation.
Comment: 32 pages, 5 figures. Preliminary version appeared in SACMAT 2021
(https://doi.org/10.1145/3450569.3463571). Some of the theoretical results
(algorithms) have been improved. Computational experiments have been added to
this version.
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect
phones, tablets, and many different types of consumer electronics. While
Android's permission model is well studied, the enforcement of the protection
policy has received relatively little attention. Much of this enforcement is
spread across system services, taking the form of hard-coded checks within
their implementations. In this paper, we propose Authorization Check Miner
(ACMiner), a framework for evaluating the correctness of Android's access
control enforcement through consistency analysis of authorization checks.
ACMiner combines program and text analysis techniques to generate a rich set of
authorization checks, mines the corresponding protection policy for each
service entry point, and uses association rule mining at a service granularity
to identify inconsistencies that may correspond to vulnerabilities. We used
ACMiner to study the AOSP version of Android 7.1.1 to identify 28
vulnerabilities relating to missing authorization checks. In doing so, we
demonstrate ACMiner's ability to help domain experts process thousands of
authorization checks scattered across millions of lines of code.
Security-sensitive tackling of obstructed workflow executions
Imposing access control onto workflows considerably reduces the set of users authorized to execute the workflow tasks. Further constraints (e.g. Separation of Duties) as well as unexpected unavailability of users may finally obstruct the successful workflow execution. To still complete the execution of an obstructed workflow, we envisage a hybrid approach. If a log is provided, we partition its traces into “successful” and “obstructed” ones by analysing the given workflow and its authorizations. An obstruction should then be solved by finding its nearest match from the list of successful traces. If no log is provided, we flatten the workflow and its authorizations into a Petri net and encode the obstruction with a corresponding “obstruction marking”. The structural theory of Petri nets shall then be tweaked to provide a minimized Parikh vector, that may violate given firing rules, however reach a complete marking and by that, complete the workflow.
Property Is a Two-Way Street: Personal Copyright Use and Implied Authorization
When we use the Internet, we know that copyright law limits our freedom. We know, for example, that downloading popular music is legally risky. Those who want to get moralistic about it argue that illegal downloading violates a property right of the copyright holder. But what about our property rights in our computers? Even if copyright is a form of property, it maintains a parallel existence as an intrusion upon property rights. This intrusion is increasingly a part of daily life, as copyright's literal scope sweeps broadly enough to threaten a range of everyday activities that social norms regard as acceptable. These observations form the basis of a moral critique of copyright law, but they do not figure prominently in modern doctrine. This Article looks to the common law property rights of copyright users to develop a framework for limiting copyright's reach. If we take seriously traditional rules governing the interplay between statutes and preexisting common law rights, courts have room to incorporate user property rights into copyright doctrine. First, the common law provides a baseline against which the Copyright Act should be construed. Courts should be reluctant to interpret the statute in a manner that negates longstanding expectations that personal property may be used in conjunction with copyrighted material for personal purposes. Second, the property rights of copyright users offer a new foundation for implied license doctrine. Instead of looking solely to the conduct of the licensor (i.e., the copyright holder) to determine whether an implied license to use copyrighted content exists, courts should appreciate the reasonable expectations of consumers in their control of personal property used to interact with the protected works. Expanding our conception of implied license in this manner would help address the uneasy status of personal uses of copyrighted works under modern law.
The interplay between societal concerns and the regulatory frame on GM crops in the European Union
Recapitulating how genetic modification technology and its agro-food
products aroused strong societal opposition in the European Union, this
paper demonstrates how this opposition contributed to shape the European
regulatory frame on GM crops. More specifically, it describes how this
opposition contributed to a de facto moratorium on the commercialization of new GM
crop events in the end of the nineties. From this period onwards, the
regulatory frame has been continuously revised in order to slow down further
erosion of public and market confidence. Various scientific and technical
reforms were made to meet societal concerns relating to the safety of GM
crops. In this context, the precautionary principle, environmental
post-market monitoring and traceability were adopted as ways to cope with
scientific uncertainties. Labeling, traceability, co-existence and public
information were installed in an attempt to meet the general public request
for more information about GM agro-food products, and the specific demand to
respect the consumers' and farmers' freedom of choice. Despite these
efforts, today, the explicit role of public participation and/or ethical
consultation during authorization procedures is at best minimal. Moreover,
no legal room was created to progress to an integral sustainability
evaluation during market procedures. It remains to be seen whether the
recent policy shift towards greater transparency about value judgments,
plural viewpoints and scientific uncertainties will be one step forward in
integrating ethical concerns more explicitly in risk analysis. As such, the
regulatory frame stands open for further interpretation, reflecting in
various degrees a continued interplay with societal concerns relating to GM
agro-food products. In this regard, both societal concerns and diversely
interpreted regulatory criteria can be inferred as signaling a request –
and even a quest – to render more explicit the broader-than-scientific
dimension of the actual risk analysis.
Youngstown, Hamdan, and Inherent Emergency Presidential Policymaking Powers
This brief article explores the contribution that Hamdan v Rumsfeld may have made to clarifying what should happen in the large interstices of the rules created by the Youngstown case for determining the validity of claims of Presidential power. It offers its own view of the scope of Presidential powers in extreme emergencies involving the incapacitation of the legislative branch.
Security Policy Consistency
With the advent of wide security platforms able to express simultaneously all
the policies comprising an organization's global security policy, the problem
of inconsistencies within security policies becomes harder and more relevant.
We have defined a tool based on the CHR language which is able to detect
several types of inconsistencies within and between security policies and other
specifications, namely workflow specifications.
Although the problem of security conflicts has been addressed by several
authors, to our knowledge none has addressed the general problem of security
inconsistencies, on its several definitions and target specifications.
Comment: To appear in the first CL2000 workshop on Rule-Based Constraint
Reasoning and Programming