The Conflict Notion and its Static Detection: a Formal Survey
The notion of policy is widely used to enable a flexible control of many systems: access control, privacy, accountability, database, service, contract, network configuration, and so on. One important feature is to be able to check these policies against contradictions before the enforcement step. This is the problem of conflict detection, which can be done at different steps and with different approaches. This paper presents a review of the principles for conflict detection in related security policy languages. The policy languages, the notions of conflict and the means to detect conflicts are various, hence it is difficult to compare the different principles. We propose an analysis and a comparison of the five static detection principles we found in reviewing more than forty papers from the literature. To make the comparison easier we develop a logical model with four syntactic types of systems covering most of the literature examples. We provide a semantic classification of the conflict notions and thus we are able to relate the detection principles, the syntactic types and the semantic classification. Our comparison shows the exact link between logical consistency and the conflict notions, and that some detection principles are subject to weaknesses if not used with the right conditions.
Approaches for Testing and Evaluation of XACML Policies
Security services are provided through the applications, operating systems, databases, and the network. There are many proposals to use policies to define, implement and evaluate security services. We discussed a full test automation framework to test XACML-based policies. Using policies as input, the developed tool can generate test cases based on the policy and the general XACML model. We evaluated a large dataset of policy implementations. The collection includes more than 200 test cases that represent instances of policies. Policies are executed and verified using requests and responses generated for each instance of policies. The WSO2 platform is used to perform different testing activities on the evaluated policies.
On Properties of Policy-Based Specifications
The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we also formalise some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.
Comment: In Proceedings WWV 2015, arXiv:1508.0338
DETECTING AND RESOLVING ANOMALIES USER ANALYSIS ON FIREWALL POLICY IN SENSOR NETWORKS
The advent of emerging computing technologies, such as service-oriented architecture and cloud computing, has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages caused by unauthorized actions in business services. Firewalls are the most widely deployed security mechanism for ensuring the security of private networks in many businesses and institutions. The effectiveness of the security protection provided by a firewall depends mainly on the quality of the policy configured in the firewall. Unfortunately, designing and managing firewall policies is often error-prone because of the complex nature of firewall configurations and the lack of systematic analysis mechanisms and tools. In this paper, we present an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. In particular, we articulate a grid-based representation technique that gives an intuitive cognitive sense of policy anomalies. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME). In addition, we demonstrate how efficiently our approach can discover and resolve anomalies in firewall policies through rigorous experiments.
Policy inconsistency detection based on RBAC model in cross-organizational collaboration
Policy integration and conflict resolution among various organizations still remain a major challenge. Moreover, a policy inconsistency detection approach with logical reasoning techniques that considers integration requirements from collaboration parties has not been well studied. In this paper, we propose a model to detect inconsistencies based on role-based access control (RBAC) that considers role hierarchy (RH) and temporal and spatial constraints. A model to prune and collect only the required policies, based on access control requirements from different organizations, is designed. Policy inconsistency detection should be enhanced with logic-based analysis in order to develop security policy integration. We believe this work could provide a way to filter a large amount of unrelated policies and return only potential collaboration policies for conflict resolution.
The National Transport Data Framework
Report by Professor Peter Landshoff (Cambridge University) and Professor John Polak (Imperial College London) on a project for the Department for Transport.
NTDF is designed to be a resource for data owners to deposit descriptions into a central catalogue, so that people can search for data, find data and understand their characteristics. The value of this is to individuals, to commercial organizations, and to public bodies. For example, services that provide better information to travellers will help to make their journeys less stressful and persuade them to make more use of public transport. Transport operators need very diverse information to help them plan developments to their services: demographic, geographical, economic, etc. And policy makers need a similar range of information to help them decide how to divide their budget and afterwards to evaluate how valuable it has been.
This work was supported by the Department for Transport (DfT).
An Effective Modality Conflict Model for Identifying Applicable Policies During Policy Evaluation
Policy evaluation is a process to determine whether a request submitted by a user satisfies the access control policies defined by an organization. Modality conflict is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints. An effective authorization propagation rule is needed to detect the modality conflicts that occur among the applicable policies. This work proposes a modality conflict detection model to identify the applicable policies during policy evaluation, which supports an authorization propagation rule to investigate the class-subclass relationships of the subject, resource, action, and location of a request and a policy. A comparison with previous work is conducted, and the findings show that a solution which considers the condition attributes (i.e. spatial and temporal constraints) can affect the decision as to whether the applicable policies should be retrieved or not, which further affects the accuracy of the modality conflict detection process, since the applicable policies retrieved for a request influence the detection of modality conflicts among them. In conclusion, our proposed solution is more effective in identifying the applicable policies and detecting modality conflicts than the previous work.