Self-Protecting Access Control: On Mitigating Privacy Violations with Fault Tolerance

Self-protecting access control mechanisms can be described as an approach to enforcing security in a manner that automatically protects against violations of access control rules. In this chapter, we present a comparative analysis of standard Cryptographic Access Control (CAC) schemes in relation to privacy enforcement on the Web. We postulate that to mitigate privacy violations, self-protecting CAC mechanisms need to be supported by fault-tolerance. As an example of how one might to do this, we present two solutions that are inspired by the autonomic computing paradigm1. Our solutions are centered on how CAC schemes can be extended to protect against privacy violations that might arise from key updates and collusion attacks

Federated Access Management for Collaborative Environments

abstract: Access control has been historically recognized as an effective technique for ensuring that computer systems preserve important security properties. Recently, attribute-based access control (ABAC) has emerged as a new paradigm to provide access mediation by leveraging the concept of attributes: observable properties that become relevant under a certain security context and are exhibited by the entities normally involved in the mediation process, namely, end-users and protected resources. Also recently, independently-run organizations from the private and public sectors have recognized the benefits of engaging in multi-disciplinary research collaborations that involve sharing sensitive proprietary resources such as scientific data, networking capabilities and computation time and have recognized ABAC as the paradigm that suits their needs for restricting the way such resources are to be shared with each other. In such a setting, a robust yet flexible access mediation scheme is crucial to guarantee participants are granted access to such resources in a safe and secure manner. However, no consensus exists either in the literature with respect to a formal model that clearly defines the way the components depicted in ABAC should interact with each other, so that the rigorous study of security properties to be effectively pursued. This dissertation proposes an approach tailored to provide a well-defined and formal definition of ABAC, including a description on how attributes exhibited by different independent organizations are to be leveraged for mediating access to shared resources, by allowing for collaborating parties to engage in federations for the specification, discovery, evaluation and communication of attributes, policies, and access mediation decisions. In addition, a software assurance framework is introduced to support the correct construction of enforcement mechanisms implementing our approach by leveraging validation and verification techniques based on software assertions, namely, design by contract (DBC) and behavioral interface specification languages (BISL). Finally, this dissertation also proposes a distributed trust framework that allows for exchanging recommendations on the perceived reputations of members of our proposed federations, in such a way that the level of trust of previously-unknown participants can be properly assessed for the purposes of access mediation.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Consistance et protection des données dans les systèmes collaboratifs par les méthodes formelles

Le développement de logiciels complexes ou de contenus multimédias implique de nos jours plusieurs personnes de plus en plus géographiquement dispersées à travers le monde qui collaborent à travers des systèmes d’édition collaborative. Le but principal de cette collaboration est l’amélioration de la productivité et la réduction du temps et des coûts de développement. L’un des défis majeurs de ces outils d’édition collaborative est d’assurer la convergence et la fiabilité des données partagées. Pour répondre à ce défi, plusieurs approches existent dans la littérature parmi lesquelles, nous avons l’approche multiversions (MV), l’approche des types de données commutatives répliquées (CRDT) et l’approche de la transformée opérationnelle (OT). La première se base sur le principe du copier, modifier et fusionner et utilise un serveur central chargé de la fusion des différentes copies provenant des sites participant à la collaboration. Les modifications effectuées par chaque site sur sa copie ne sont fusionnées à la copie centrale qu’à la demande de l’utilisateur. La difficulté majeure de cette approche est le coût lié au stockage des diverses versions sur le serveur, l’utilisation d’estampilles pour ordonner les opérations lors de la fusion. Ce qui la rend difficilement utilisable dans un contexte d’environnement distribué. La deuxième approche considère que toutes les opérations sont commutatives donc pouvant être exécutées dans un ordre quelconque. Quant à la dernière approche, elle s’appuie sur une transformation des opérations reçues des sites distants par rapport à celles qui leur sont concurrentes. Dans cette approche, un algorithme de transformation inclusive (IT) est utilisé afin d’assurer la convergence des copies, mais la plupart des algorithmes proposés dans la littérature ne satisfont pas les critères de convergence. En plus de la cohérence, la fiabilité des données reste un autre défi dans les systèmes collaboratifs. Pour faire face à ce défi, plusieurs applications encapsulent, dans leur code source, des fonctionnalités transverses telles que celles de sécurité afin de répondre aux exigences de confidentialité et d’intégrité des données. Dans la littérature, la programmation orientée aspect (AOP) est l’une des approches utilisées afin d’assurer la modularité, la maintenabilité et la réutilisation des composants d’un logiciel. Une des difficultés de ce paradigme de programmation est l’assurance qu’une propriété de sécurité reste satisfaite après le tissage entre le programme de base et tous les aspects encapsulant les préoccupations transverses. Ce qui implique de trouver des techniques automatiques de vérification des propriétés de sécurité une fois le tissage fait. Dans le registre de la fiabilité des données, le contrôle d’accès joue un rôle prépondérant. Ainsi, en ce qui concerne le partage de contenus multimédias publiés sur le Web, il est nécessaire de collaborer pour les alimenter, mais un des défis majeurs est de les rendre fiables.----------ABSTRACT: Complex software and Web content development involve nowadays multiple programmers located in different areas working together on the same development project using collaborative systems in order to achieve efficiency, improve productivity and reduce development time. One of the key challenge in such a development environment is ensuring the convergence and the reliability of the shared data or content. In the literature, many approaches have been proposed to face this challenge. Among those approaches, we have multi-version (MV), commutative replication data type (CRDT) and operational transformation (OT) approach. The first approach is based on the "copy, modify and merge" principle and uses a central server to merge the updates from the different sites participating in the collaboration. The local updates of a specific site are merged only on demand. The key drawback of this approach is the storage cost of the various versions on the server and the overhead due to the generation of stamps for the operations ordering. Thus, this drawback makes this approach difficult to use in the context of a distributed collaborative environment. The second approach preconizes that all the operations are commutative so that they can be executed in any given order. The latter approach is based on the transformation of all the operations received from the remote sites against their concurrent operations before being merged. In this approach, an inclusive transformation algorithm is used in order to ensure the convergence criteria. Unfortunately, most of the proposed algorithms in the literature do not satisfy the convergence criteria. Beside the convergence, the reliability of the data remains another challenge in the collaborative systems. In order to face this challenge, many programs encapsulate crosscutting concerns (e.g. security, logging) for data confidentiality and integrity purposes. In the literature, aspect-oriented programming (AOP) is one the approaches used to better modularize the separation of concerns in order to make easier the maintenance and the reuse of the software components. However, one challenge of this paradigm is the insurance that a given property such as security one remains satisfied after the weaving of the base program and the aspects. Thus, we may find automated way to verify such security properties in the woven program. Concerning data reliability, access control is one of the major piece of the puzzle. Thus, in the Web content publication, one challenge is to collaborate in order to produce them and the other key challenge is to make them reliable

Adding Privacy Protection to Policy Based Authorisation Systems

An authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional authorisation decision system, which is simply called authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an authorisation system that will provide privacy for personal data by including sticky authorisation policies from the issuers and data subjects, to supplement the authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data. A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the authorisation system. Hence, the designed authorisation system also includes the authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable. Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts. As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract. The authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions