670 research outputs found

    Automated Certification of Authorisation Policy Resistance

    Attribute-based Access Control (ABAC) extends traditional Access Control by considering an access request as a set of pairs attribute name-value, making it particularly useful in the context of open and distributed systems, where security relevant information can be collected from different sources. However, ABAC enables attribute hiding attacks, allowing an attacker to gain some access by withholding information. In this paper, we first introduce the notion of policy resistance to attribute hiding attacks. We then propose the tool ATRAP (Automatic Term Rewriting for Authorisation Policies), based on the recent formal ABAC language PTaCL, which first automatically searches for resistance counter-examples using Maude, and then automatically searches for an Isabelle proof of resistance. We illustrate our approach with two simple examples of policies and propose an evaluation of ATRAP performances. Comment: 20 pages, 4 figures, version including proofs of the paper that will be presented at ESORICS 201

    Formalisation and Implementation of the XACML Access Control Mechanism

    We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development

    Transparency in Complex Computational Systems

    Scientists depend on complex computational systems that are often ineliminably opaque, to the detriment of our ability to give scientific explanations and detect artifacts. Some philosophers have s..

    Policy-based access control from numerical evidence

    Increasingly, access to resources needs to be regulated or informed by considerations such as risk, cost, and reputation. We therefore propose a framework for policy languages, based on semi-rings, that aggregate quantitative evidence to support decision-making in access control systems. As aggregation operators "addition", "worst case", and "best case" over non-negative reals are both relevant in practice and amenable to analysis, we study an instance, Peal, of our framework in that setting. Peal is a stand-alone policy language but can also be integrated with existing policy languages. Peal policies can be synthesized into logical formulae that no longer make reference to quantities but capture all policy behavior. Satisfiability checking of such formulae can be used to validate and analyze policies in this new evidence-based approach. We discuss a number of applications, including vacuity, redundancy, change-impact and safety analysis. The synthesis algorithm requires a form of subset enumeration, for which we develop bespoke algorithms and demonstrate experimentally that our algorithms work better than generic state exploration methods. We also sketch how our approach extends from non-negative reals to other semi-rings and even to rings such as the real numbers

    Towards Modeling Software Quality of Virtual Reality Applications from Users' Perspectives

    Virtual Reality (VR) technology has become increasingly popular in recent years as a key enabler of the Metaverse. VR applications have unique characteristics, including the revolutionized human-computer interaction mechanisms, that distinguish them from traditional software. Hence, user expectations for the software quality of VR applications diverge from those for traditional software. Investigating these quality expectations is crucial for the effective development and maintenance of VR applications, which remains an under-explored area in prior research. To bridge the gap, we conduct the first large-scale empirical study to model the software quality of VR applications from users' perspectives. To this end, we analyze 1,132,056 user reviews of 14,150 VR applications across seven app stores through a semiautomatic review mining approach. We construct a taxonomy of 12 software quality attributes that are of major concern to VR users. Our analysis reveals that the VR-specific quality attributes are of utmost importance to users, which are closely related to the most unique properties of VR applications like revolutionized interaction mechanisms and immersive experiences. Our examination of relevant user complaints reveals the major factors impacting user satisfaction with VR-specific quality attributes. We identify that poor design or implementation of the movement mechanisms, control mechanisms, multimedia systems, and physics, can significantly degrade the user experience. Moreover, we discuss the implications of VR quality assurance for both developers and researchers to shed light on future work. For instance, we suggest developers implement sufficient accessibility and comfort options for users with mobility limitations, sensory impairments, and other specific needs to customize the interaction mechanisms. Our datasets and results will be released to facilitate follow-up studies

    Modest Praise for Political Deliberation Elogio modesto a la deliberación política

    ABSTRACT This text analyzes the relationship between political deliberation and democracy. Its content differs both from a scarcely normative idea of competitive politics, predominant in contemporary Political Science, and from a philosophical defense of the deliberation, founded on an idea of common reasonability or on an ideal of communicative speech. The central argument of the author is that deliberation constitutes a good instrument of improvement of competitive democracy. The reasons he gives are not those held by some contemporary political philosophers, inspired by problematic generalizations about the basic structures of the rationality and reasonability of citizens and their agents. The author stresses instead the capacity of deliberation to strengthen the epistemic and normative basis of the political decisions of the majority. The text discusses different visions of the benefits of political deliberation, some of them centered on their procedural conditions, others on the substantive quality of their results. Besides, this paper analyzes, from a perspective closer to a neo Aristotelian vision than to a modern contractualist tradition, the validity of the consensualist criteria to judge the quality of the deliberative reasons. Finally, the text identifies the democratic deliberation with a critical instance of the justifying discourses of the exercise of political power, within contexts of pluralism and disagreement. Key words: Democracy, Political Deliberation, Political Theory SUMMARY This text analyzes the relations between political deliberation and democracy. It distances itself both from a scarcely normative idea of competitive politics, predominant in contemporary Political Science, and from a philosophical defense of deliberation, founded on an idea of common reasonability or on an ideal of communicative speech. The central argument of the author is that deliberation constitutes a good instrument for improving competitive democracy, but not for the reasons put forward by some contemporary political philosophers, inspired by problematic generalizations about the structures of rationality and reasonability of citizens

    An Information Security Education Initiative for Engineering and Computer Science

    This paper puts forward a case for an educational initiative in information security at both the undergraduate and graduate levels. Its focus is on the need for such education, the desired educational outcomes, and how the outcomes may be assessed. A basic thesis of this paper is that the goals, methods, and evaluation techniques of information and computer security are consistent with and supportive of the stated goals of engineering education and the growing movement for outcomes-based assessment in higher education