A Platform Independent Access Control Metamodel for Web Services

Web services provide platform independent communication through an XML-based standard family. The major software vendors released their own SOA products implementing these standards. However, the configuration of the WS-* protocols differs from product to product. Matching these configurations between different products can be a very tedious task. Security protocols are among the most complicated protocols to configure, especially if access control is also required. Although the XACML standard aims to solve this task, its rules and policies described in XML are not very user friendly, and XACML has a very poor support in the major SOA products. Therefore, we have developed a platform independent metamodel for describing distributed systems of web services. From models described in this metamodel the platform specific configurations and program codes can be easily generated for the various SOA products, increasing the productivity of the development. This article introduces an access control extension to this metamodel

Impact assessment of policy expressivenessof an optimised access control model forsmart sensors

In the incoming internet of things (IoT) applications, smart sensors expose services to interact with them, to be parameterised, managed and maintained. Therefore, fine-grained end-to-end access control enforcement is mandatory to tackle the derived security requirements. However, it is still not feasible in very constrained devices. There is an innovative access control model that conveys an expressive policy language and an optimised codification for tight and flexible access control enforcement in very constrained devices. Such tightness enabled by the expressiveness of the policy language leads to detailed policy instances that might impact on the performance and therefore, in the feasibility and further applicability. In this context, this study assesses how the policy length impacts the performance of the establishment of a security association through the protocol named Hidra proposed by such an adapted access control model. Consequently, the notable results of the performance evaluation prove the feasibility and adequacy of this access control model for the new smart IoT scenarios.Part of this work is funded by the Department of Economic Development and Competitiveness of the Basque Government through the SEKUrtasun TEKnologiak SEKUTEK KK-2017/00044 collaborative research project and by the Spanish Ministry of Economy, Industry and Competitiveness through the State Secretariat for Research, Development and Innovation under the 'Adaptive Management of 5G Services to Support Critical Events in Cities (5G-City)' project TEC2016-76795-C6-5-R

Improving application security with data flow assertions

Resin is a new language runtime that helps prevent security vulnerabilities, by allowing programmers to specify application-level data flow assertions. Resin provides policy objects, which programmers use to specify assertion code and metadata; data tracking, which allows programmers to associate assertions with application data, and to keep track of assertions as the data flow through the application; and filter objects, which programmers use to define data flow boundaries at which assertions are checked. Resin's runtime checks data flow assertions by propagating policy objects along with data, as that data moves through the application, and then invoking filter objects when data crosses a data flow boundary, such as when writing data to the network or a file. Using Resin, Web application programmers can prevent a range of problems, from SQL injection and cross-site scripting, to inadvertent password disclosure and missing access control checks. Adding a Resin assertion to an application requires few changes to the existing application code, and an assertion can reuse existing code and data structures. For instance, 23 lines of code detect and prevent three previously-unknown missing access control vulnerabilities in phpBB, a popular Web forum application. Other assertions comprising tens of lines of code prevent a range of vulnerabilities in Python and PHP applications. A prototype of Resin incurs a 33% CPU overhead running the HotCRP conference management application.Nokia Researc

Expressive policy based authorization model for resource-constrained device sensors.

Los capítulos II, III y IV están sujetos a confidencialidad por el autor 92 p.Upcoming smart scenarios enabled by the Internet of Things (IoT) envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multistakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Given that, strong security in general and access control in particular is a must.However, tightness, feasibility and usability of existing access control models do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In fact, (1) traditional access control solutions are not feasible in all constrained devices due their big impact on the performance although they provide the highest effectiveness by means of tightness and flexibility. (2) Recent access control solutions designed for constrained devices can be implemented only in not so constrained ones and lack policy expressiveness in the local authorization enforcement. (3) Access control solutions currently feasible in the most severely constrained devices have been based on authentication and very coarse grained and static policies, scale badly, and lack a feasible policy based access control solution aware of local context of sensors.Therefore, there is a need for a suitable End-to-End (E2E) access control model to provide fine grained authorization services in service oriented open scenarios, where operation and management access is by nature dynamic and that integrate massively deployed constrained but manageable sensors. Precisely, the main contribution of this thesis is the specification of such a highly expressive E2E access control model suitable for all sensors including the most severely constrained ones. Concretely, the proposed E2E access control model consists of three main foundations. (1) A hybrid architecture, which combines advantages of both centralized and distributed architectures to enable multi-step authorization. Fine granularity of the enforcement is enabled by (2) an efficient policy language and codification, which are specifically defined to gain expressiveness in the authorization policies and to ensure viability in very-constrained devices. The policy language definition enables both to make granting decisions based on local context conditions, and to react accordingly to the requests by the execution of additional tasks defined as obligations.The policy evaluation and enforcement is performed not only during the security association establishment but also afterward, while such security association is in use. Moreover, this novel model provides also control over access behavior, since iterative re-evaluation of the policy is enabled during each individual resource access.Finally, (3) the establishment of an E2E security association between two mutually authenticated peers through a security protocol named Hidra. Such Hidra protocol, based on symmetric key cryptography, relies on the hybrid three-party architecture to enable multi-step authorization as well as the instant provisioning of a dynamic security policy in the sensors. Hidra also enables delegated accounting and audit trail. Proposed access control features cope with tightness, feasibility and both dimensions of usability such as scalability and manageability, which are the key unsolved challenges in the foreseen open and dynamic scenarios enabled by IoT. Related to efficiency, the high compression factor of the proposed policy codification and the optimized Hidra security protocol relying on a symmetric cryptographic schema enable the feasibility as it is demonstrated by the validation assessment. Specifically, the security evaluation and both the analytical and experimental performance evaluation demonstrate the feasibility and adequacy of the proposed protocol and access control model.Concretely, the security validation consists of the assessment that the Hidra security protocol meets the security goals of mutual strong authentication, fine-grained authorization, confidentiality and integrity of secret data and accounting. The security analysis of Hidra conveys on the one hand, how the design aspects of the message exchange contribute to the resilience against potential attacks. On the other hand, a formal security validation supported by a software tool named AVISPA ensures the absence of flaws and the correctness of the design of Hidra.The performance validation is based on an analytical performance evaluation and a test-bed implementation of the proposed access control model for the most severely constrained devices. The key performance factor is the length of the policy instance, since it impacts proportionally on the three critical parameters such as the delay, energy consumption, memory footprint and therefore, on the feasibility.Attending to the obtained performance measures, it can be concluded that the proposed policy language keeps such balance since it enables expressive policy instances but always under limited length values. Additionally, the proposed policy codification improves notably the performance of the protocol since it results in the best policy length compression factor compared with currently existing and adopted standards.Therefore, the assessed access control model is the first approach to bring to severely constrained devices a similar expressiveness level for enforcement and accounting as in current Internet. The positive performance evaluation concludes the feasibility and suitability of this access control model, which notably rises the security features on severely constrained devices for the incoming smart scenarios.Additionally, there is no comparable impact assessment of policy expressiveness of any other access control model. That is, the presented analysis models as well as results might be a reference for further analysis and benchmarkingGaur egun darabilzkigun hainbeste gailutan mikroprozesadoreak daude txertatuta, eragiten duten prozesuan neurketak egin eta logika baten ondorioz ekiteko. Horretarako, bai sentsoreak eta baita aktuadoreak erabiltzen dira (hemendik aurrera, komunitatean onartuta dagoenez, sentsoreak esango diegu nahiz eta erabilpen biak izan). Orain arteko erabilpen zabalenetako konekzio motak, banaka edota sare lokaletan konekatuta izan dira. Era honetan, sentsoreak elkarlanean elkarreri eraginez edota zerbitzari nagusi baten agindupean, erakunde baten prozesuak ahalbideratu eta hobetzeko erabili izan dira.Internet of Things (IoT) deritzonak, sentsoreak dituzten gailuak Internet sarearen bidez konektatu eta prozesu zabalagoak eta eraginkorragoak ahalbidetzen ditu. Smartcity, Smartgrid, Smartfactory eta bestelako smart adimendun ekosistemak, gaur egun dauden eta datozen komunikaziorako teknologien aukerak baliatuz, erabilpen berriak ahalbideratu eta eragina areagotzea dute helburu.Era honetan, ekosistema hauek zabalak dira, eremu ezberdinetako erakundeek hartzen dute parte, eta berariazko sentsoreak dituzten gailuen kopurua izugarri handia da. Sentsoreak beraz, berariazkoak, merkeak eta txikiak dira, eta orain arteko lehenengo erabilpen nagusia, magnitude fisikoren bat neurtzea eta neurketa hauek zerbitzari zentralizatu batera bidaltzea izan da. Hau da, inguruan gertatzen direnak neurtu, eta zerbitzari jakin bati neurrien datuak aldiro aldiro edota atari baten baldintzapean igorri. Zerbitzariak logika aplikatu eta sistema osoa adimendun moduan jardungo du. Jokabide honetan, aurretik ezagunak diren entitateen arteko komunikazioen segurtasuna bermatzearen kexka, nahiz eta Internetetik pasatu, hein onargarri batean ebatzita dago gaur egun.Baina adimendun ekosistema aurreratuak sentsoreengandik beste jokabide bat ere aurreikusten dute. Sentsoreek eurekin harremanak izateko moduko zerbitzuak ere eskaintzen dituzte. Erakunde baten prozesuetan, beste jatorri bateko erakundeekin elkarlanean, jokabide honen erabilpen nagusiak bi dira. Batetik, prozesuan parte hartzen duen erabiltzaileak (eta jabeak izan beharrik ez duenak) inguruarekin harremanak izan litzake, eta bere ekintzetan gailuak bere berezitasunetara egokitzearen beharrizana izan litzake. Bestetik, sentsoreen jarduera eta mantenimendua zaintzen duten teknikariek, beroriek egokitzeko zerbitzuen beharrizana izan dezakete.Holako harremanak, sentsoreen eta erabiltzaileen kokalekua zehaztugabea izanik, kasu askotan Internet bidez eta zuzenak (end-to-end) izatea aurreikusten da. Hau da, sentsore txiki asko daude handik hemendik sistemaren adimena ahalbidetuz, eta harreman zuzenetarako zerbitzu ñimiñoak eskainiz. Batetik, zerbitzu zuzena, errazagoa eta eraginkorragoa dena, bestetik erronkak ere baditu. Izan ere, sentsoreak hain txikiak izanik, ezin dituzte gaur egungo protokolo eta mekanismo estandarak gauzatu. Beraz, sare mailatik eta aplikazio mailarainoko berariazko protokoloak sortzen ari dira.Tamalez, protokolo hauek arinak izatea dute helburu eta segurtasuna ez dute behar den moduan aztertu eta gauzatzen. Eta egon badaude berariazko sarbide kontrolerako ereduak baina baliabideen urritasuna dela eta, ez dira ez zorrotzak ez kudeagarriak. Are gehiago, Gartnerren arabera, erabilpen aurreratuetan inbertsioa gaur egun mugatzen duen traba Nagusia segurtasunarekiko mesfidantza da.Eta hauxe da erronka eta tesi honek landu duen gaia: batetik sentsoreak hain txikiak izanik, eta baliabideak hain urriak (10kB RAM, 100 kB Flash eta bateriak, sentsore txikienetarikoetan), eta bestetik Internet sarea hain zabala eta arriskutsua izanik, segurtasuna areagotuko duen sarbide zuzenaren kontrolerako eredu zorrotz, arin eta kudeagarri berri bat zehaztu eta bere erabilgarritasuna aztertu