
    The Authorization Policy Existence Problem

    Constraints such as separation-of-duty are widely used to specify requirements that supplement basic authorization policies. However, the existence of constraints (and authorization policies) may mean that a user is unable to fulfill her/his organizational duties because access to resources is denied. In short, there is a tension between the need to protect resources (using policies and constraints) and the availability of resources. Recent work on workflow satisfiability and resiliency in access control asks whether this tension compromises the ability of an organization to achieve its objectives. In this paper, we develop a new method of specifying constraints which subsumes much related work and allows a wider range of constraints to be specified. The use of such constraints leads naturally to a range of questions related to "policy existence", where a positive answer means that an organization's objectives can be realized. We provide an overview of our results establishing that some policy existence questions, notably for those instances that are restricted to user-independent constraints, are fixed-parameter tractable.

    Valued Authorization Policy Existence Problem: Theory and Experiments

    Recent work has shown that many problems of satisfiability and resiliency in workflows may be viewed as special cases of the authorization policy existence problem (APEP), which returns an authorization policy if one exists and 'No' otherwise. However, in many practical settings it would be more useful to obtain a 'least bad' policy than just a 'No', where 'least bad' is characterized by some numerical value indicating the extent to which the policy violates the base authorization relation and constraints. Accordingly, we introduce the Valued APEP, which returns an authorization policy of minimum weight, where the (non-negative) weight is determined by the constraints violated by the returned solution. We then establish a number of results concerning the parameterized complexity of Valued APEP. We prove that the problem is fixed-parameter tractable (FPT) if the set of constraints satisfies two restrictions, but is intractable if only one of these restrictions holds. (Most constraints known to be of practical use satisfy both restrictions.) We also introduce a new type of resiliency for the workflow satisfiability problem, show how it can be addressed using Valued APEP and use this to build a set of benchmark instances for Valued APEP. Following a set of computational experiments with two mixed integer programming (MIP) formulations, we demonstrate that the Valued APEP formulation based on the user profile concept has FPT-like running time and usually significantly outperforms a naive formulation.
    Comment: 32 pages, 5 figures. Preliminary version appeared in SACMAT 2021 (https://doi.org/10.1145/3450569.3463571). Some of the theoretical results (algorithms) have been improved. Computational experiments have been added to this version.
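The two abstracts above describe the same object from two angles: plain APEP asks whether any plan assigns an authorized user to every workflow task without violating the constraints, and Valued APEP asks for the plan of minimum violation weight when no such plan exists. The following is an added illustration, not code from either paper and not the FPT algorithm they describe: a brute-force branch-and-bound solver over a constructed purchase-order workflow (the tasks, users, authorization relation and constraint weights are all assumptions), plus a permutation check for the user-independence property the first abstract singles out. Removing a user from the user set models the unavailability that the resiliency questions are about.

```python
"""Added example (not code from the APEP papers): a small solver for the
plain and valued authorization policy existence problem on a workflow.

Tasks, users, authorizations and constraint weights are a constructed
purchase-order scenario, not data from the papers."""
from itertools import permutations, product

INF = float("inf")

# Constructed scenario: four tasks, four users, base authorization relation.
TASKS = ["create", "approve", "pay", "audit"]
USERS = ["alice", "bob", "carol", "dave"]
AUTH = {
    "create": {"alice", "bob"},
    "approve": {"bob", "carol"},
    "pay": {"carol", "dave"},
    "audit": {"alice", "dave"},
}

# A constraint is (scope, predicate, weight): `scope` is a tuple of tasks,
# `predicate` receives the users assigned to those tasks (same order) and
# returns True if satisfied, `weight` is the cost of violating it (INF = hard).
def separation_of_duty(task_a, task_b, weight=INF):
    return ((task_a, task_b), lambda u: u[0] != u[1], weight)

def binding_of_duty(task_a, task_b, weight=INF):
    return ((task_a, task_b), lambda u: u[0] == u[1], weight)

CONSTRAINTS = [
    separation_of_duty("create", "approve"),      # hard
    separation_of_duty("approve", "pay"),         # hard
    separation_of_duty("create", "audit", 3),     # soft: costs 3 to violate
    separation_of_duty("pay", "audit", 2),        # soft: costs 2 to violate
]

def plan_weight(plan, auth, constraints, auth_weight):
    """Violation weight of a (possibly partial) plan.  Only constraints whose
    whole scope is assigned count, so a partial plan's weight is a lower
    bound on the weight of any completion, which is what the pruning uses."""
    weight = 0
    for task, user in plan.items():
        if user not in auth.get(task, set()):
            weight += auth_weight
    for scope, predicate, w in constraints:
        if all(t in plan for t in scope) and not predicate(tuple(plan[t] for t in scope)):
            weight += w
    return weight

def solve(tasks, users, auth, constraints, auth_weight=INF, strict=False):
    """Branch-and-bound search for a minimum-weight plan (Valued APEP).
    With strict=True every constraint and every unauthorized assignment
    weighs INF, which is plain APEP: (0, plan) if a policy exists,
    (INF, None) otherwise."""
    if strict:
        auth_weight = INF
        constraints = [(s, p, INF) for s, p, _ in constraints]
    best = [INF, None]

    def search(i, plan, weight):
        if weight >= best[0]:            # cannot beat the incumbent
            return
        if i == len(tasks):
            best[0], best[1] = weight, dict(plan)
            return
        task = tasks[i]
        for user in users:
            plan[task] = user
            search(i + 1, plan, plan_weight(plan, auth, constraints, auth_weight))
            del plan[task]

    search(0, {}, 0)
    return best[0], best[1]

def is_user_independent(constraint, users):
    """A constraint is user-independent if renaming users by any permutation
    never changes its truth value, i.e. it only talks about which tasks share
    a performer.  Brute force over permutations; fine for toy user sets."""
    scope, predicate, _ = constraint
    for assignment in product(users, repeat=len(scope)):
        base = predicate(assignment)
        for perm in permutations(users):
            rename = dict(zip(users, perm))
            if predicate(tuple(rename[u] for u in assignment)) != base:
                return False
    return True

if __name__ == "__main__":
    absent_alice = [u for u in USERS if u != "alice"]
    print("APEP, all users:", solve(TASKS, USERS, AUTH, CONSTRAINTS, strict=True))
    print("APEP, alice absent:", solve(TASKS, absent_alice, AUTH, CONSTRAINTS, strict=True))
    print("Valued APEP, alice absent:", solve(TASKS, absent_alice, AUTH, CONSTRAINTS, auth_weight=5))
    print("SoD user-independent:", is_user_independent(CONSTRAINTS[0], USERS))
    not_bob = (("audit",), lambda u: u[0] != "bob", 1)   # user-dependent
    print("'not bob' user-independent:", is_user_independent(not_bob, USERS))
```

With all four users the strict search returns a weight-0 plan. With alice absent no plan satisfies every constraint, so strict APEP answers 'No'; the valued search instead returns the weight-2 plan in which dave both pays and audits, violating only the soft pay/audit separation, which is the 'least bad' answer the second abstract argues is more useful than a bare 'No'. The exponential search is only for illustration; it is the exact opposite of the FPT running time the papers obtain.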

    ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware

    Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.
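The consistency analysis the abstract describes rests on a simple statistical idea: if nearly every entry point of a service that performs check A also performs check B, an entry point that performs A without B is a candidate for a missing authorization check. The block below is an added illustration of that step only, not ACMiner's code; it takes the per-entry-point check sets as given (ACMiner recovers them with program and text analysis, which is the hard part), mines single-antecedent rules within one hypothetical service, and lists the entry points that break a rule. The entry point and check names are a constructed sample, not findings from the paper.

```python
"""Added example (not ACMiner's code): association-rule mining over the
authorization checks observed on each entry point of one service, to flag
entry points missing a check that their peers almost always perform.

The entry points and check names are a constructed sample for a
hypothetical service, not results from the paper."""
from collections import Counter
from itertools import permutations

# Constructed: entry point -> set of authorization checks on its path.
CHECKS = {
    "Svc.enable":    {"enforceChangePermission", "checkCallerIsActiveUser", "enforceAccessPermission"},
    "Svc.disable":   {"enforceChangePermission", "checkCallerIsActiveUser", "enforceAccessPermission"},
    "Svc.setConfig": {"enforceChangePermission", "checkCallerIsActiveUser"},
    "Svc.reset":     {"enforceChangePermission", "checkCallerIsActiveUser", "checkDeviceOwner"},
    "Svc.startScan": {"enforceChangePermission", "enforceAccessPermission"},
    "Svc.getStatus": {"enforceAccessPermission"},
}

def mine_rules(checks, min_support=3, min_confidence=0.75):
    """Single-antecedent rules a -> b ("entry points that perform check a
    also perform check b").  support = number of entry points performing
    both; confidence = support / number performing a.  Returns
    {(a, b): confidence} for rules above both thresholds."""
    single = Counter()
    pair = Counter()
    for cs in checks.values():
        single.update(cs)
        pair.update(permutations(cs, 2))   # ordered pairs, so a->b and b->a differ
    rules = {}
    for (a, b), both in pair.items():
        confidence = both / single[a]
        if both >= min_support and confidence >= min_confidence:
            rules[(a, b)] = confidence
    return rules

def find_inconsistencies(checks, rules):
    """Entry points that satisfy a rule's antecedent but not its consequent.
    Each hit is a candidate missing check, not a confirmed vulnerability:
    rules are statistical, so a read-only getter may legitimately skip a
    check that the mutating entry points need.  Sorted for stable output."""
    findings = []
    for ep, cs in sorted(checks.items()):
        for (a, b), confidence in sorted(rules.items()):
            if a in cs and b not in cs:
                findings.append((ep, a, b, confidence))
    return findings

if __name__ == "__main__":
    rules = mine_rules(CHECKS)
    for (a, b), confidence in sorted(rules.items()):
        print(f"rule {a} -> {b}  confidence={confidence:.2f}")
    for ep, a, b, confidence in find_inconsistencies(CHECKS, rules):
        print(f"{ep}: performs {a} but not {b} (rule confidence {confidence:.2f})")
```

On this sample the miner reports two candidates: Svc.startScan enforces the change permission but never checks the calling user, which is the kind of finding the abstract counts as a vulnerability, and Svc.getStatus enforces only the access permission, which is probably correct for a getter. That second hit is why the abstract frames the tool as helping domain experts rather than replacing them: the ranking by confidence narrows thousands of checks to a triage list, and a human still decides which gaps are real.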

    Security-sensitive tackling of obstructed workflow executions

    Imposing access control onto workflows considerably reduces the set of users authorized to execute the workflow tasks. Further constraints (e.g. Separation of Duties) as well as unexpected unavailability of users may finally obstruct the successful workflow execution. To still complete the execution of an obstructed workflow, we envisage a hybrid approach. If a log is provided, we partition its traces into "successful" and "obstructed" ones by analysing the given workflow and its authorizations. An obstruction should then be solved by finding its nearest match from the list of successful traces. If no log is provided, we flatten the workflow and its authorizations into a Petri net and encode the obstruction with a corresponding "obstruction marking". The structural theory of Petri nets shall then be tweaked to provide a minimized Parikh vector that may violate given firing rules, yet reaches a complete marking and thereby completes the workflow.
    Peer reviewed. Postprint (published version).

    Property Is a Two-Way Street: Personal Copyright Use and Implied Authorization

    When we use the Internet, we know that copyright law limits our freedom. We know, for example, that downloading popular music is legally risky. Those who want to get moralistic about it argue that illegal downloading violates a property right of the copyright holder. But what about our property rights in our computers? Even if copyright is a form of property, it maintains a parallel existence as an intrusion upon property rights. This intrusion is increasingly a part of daily life, as copyright's literal scope sweeps broadly enough to threaten a range of everyday activities that social norms regard as acceptable. These observations form the basis of a moral critique of copyright law, but they do not figure prominently in modern doctrine. This Article looks to the common law property rights of copyright users to develop a framework for limiting copyright's reach. If we take seriously traditional rules governing the interplay between statutes and preexisting common law rights, courts have room to incorporate user property rights into copyright doctrine. First, the common law provides a baseline against which the Copyright Act should be construed. Courts should be reluctant to interpret the statute in a manner that negates longstanding expectations that personal property may be used in conjunction with copyrighted material for personal purposes. Second, the property rights of copyright users offer a new foundation for implied license doctrine. Instead of looking solely to the conduct of the licensor (i.e., the copyright holder) to determine whether an implied license to use copyrighted content exists, courts should appreciate the reasonable expectations of consumers in their control of personal property used to interact with the protected works. Expanding our conception of implied license in this manner would help address the uneasy status of personal uses of copyrighted works under modern law.

    The interplay between societal concerns and the regulatory frame on GM crops in the European Union

    Recapitulating how genetic modification technology and its agro-food products aroused strong societal opposition in the European Union, this paper demonstrates how this opposition contributed to shape the European regulatory frame on GM crops. More specifically, it describes how this opposition contributed to a de facto moratorium on the commercialization of new GM crop events at the end of the nineties. From this period onwards, the regulatory frame has been continuously revised in order to slow down further erosion of public and market confidence. Various scientific and technical reforms were made to meet societal concerns relating to the safety of GM crops. In this context, the precautionary principle, environmental post-market monitoring and traceability were adopted as ways to cope with scientific uncertainties. Labeling, traceability, co-existence and public information were installed in an attempt to meet the general public request for more information about GM agro-food products, and the specific demand to respect the consumers' and farmers' freedom of choice. Despite these efforts, today, the explicit role of public participation and/or ethical consultation during authorization procedures is at best minimal. Moreover, no legal room was created to progress to an integral sustainability evaluation during market procedures. It remains to be seen whether the recent policy shift towards greater transparency about value judgments, plural viewpoints and scientific uncertainties will be one step forward in integrating ethical concerns more explicitly in risk analysis. As such, the regulatory frame stands open for further interpretation, reflecting in various degrees a continued interplay with societal concerns relating to GM agro-food products. In this regard, both societal concerns and diversely interpreted regulatory criteria can be inferred as signaling a request, and even a quest, to render more explicit the broader-than-scientific dimension of the actual risk analysis.

    Youngstown, Hamdan, and Inherent Emergency Presidential Policymaking Powers

    This brief article explores the contribution that Hamdan v. Rumsfeld may have made to clarifying what should happen in the large interstices of the rules created by the Youngstown case for determining the validity of claims of Presidential power. It offers its own view of the scope of Presidential powers in extreme emergencies involving the incapacitation of the legislative branch.

    Security Policy Consistency

    With the advent of wide security platforms able to express simultaneously all the policies comprising an organization's global security policy, the problem of inconsistencies within security policies becomes harder and more relevant. We have defined a tool based on the CHR language which is able to detect several types of inconsistencies within and between security policies and other specifications, namely workflow specifications. Although the problem of security conflicts has been addressed by several authors, to our knowledge none has addressed the general problem of security inconsistencies, in its several definitions and target specifications.
    Comment: To appear in the first CL2000 workshop on Rule-Based Constraint Reasoning and Programming.