Access Control in a Distributed Decentralized Network: An XML Approach to Network Security using XACML and SAML

The development of eXtensible Distributed Access Control (XDAC) systems is influenced by the transference of data access and storage from the local computer to the network. In this distributed system, access control is determined by independent components which transmit requests and decisions over a network, utilizing XML signing capabilities found in the Security Assertion Markup Language (SAML). All resources in the XDAC system are protected by the first component, a Policy Enforcement Point (PEP), which acts as the main divider between the requesting entity and the requested resource. The PEP grants access to a resource only if the second component, a Policy Decision Point (PDP), returns a permit response after consulting a set of applicable policies based on the requester\u27s attributes, the resource, the action that the requester desires to apply to that resource, and optionally the environment. With Sun\u27s eXtensible Access Control Markup Language (XACML), the XML encoded policies can be combined among multiple nodes across a network using XACML rules and algorithms to formulate a single decision based on an XACML request. In this thesis project, I build a secure and efficient XDAC System based on XACML, implement an extension to the SAML Assertion design by including XACML Attributes and Results, describe in-detail about the many features that a XDAC System should embody, and show how a XDAC System would be effectively used in modern day computing

Distributed Access Control for Web and Business Processes

Middleware influenced the research community in developing a number of systems for controlling access to distributed resources. Nowadays a new paradigm for the lightweight integration of business resources from different partners is starting to take hold – Web Services and Business Processes for Web Services. Security and access control policies for Web Services protocols and distributed systems are well studied and almost standardized, but there is not yet a comprehensive proposal for an access control architecture for business processes. So, it is worth looking at the available approaches to distributed authorization as a starting point for a better understanding of what they already have and what they still need to address the security challenges for business processes

Data protection of RFID-Based distributed storage

Radio Frequency Identification (RFID) has been emerged as one of the most promising technologies used as an automatic data collection and information storage technology in vast number of applications. One of the biggest hindrances in the wide adoption of this technology is the challenge in security. There have been extensive studies on RFID security, in particular authentication and privacy issues. In most protocols, the discussions focus on scenarios that RFID tags are used mainly for tracing or identification, and the access to data stored on RFID is enforced through authentication. Recently, there is a rise in interests of using RFID tags as distributed storage, e.g., storing floor plans which can be used by fire fighters during emergencies. In this new type of applications, quite often, XML (eXtensible Markup Language) is employed since it has been considered as a de-facto standard to store and exchange information on the Internet and through other means. This research proposes to securely and efficiently store data on RFID tags in XML format. We introduce a framework using cryptography that ensures data confidentiality and integrity; we employ multi-level encryption together with role-based access control on the data stored on an RFID tag. In the given framework, a user is assigned with a certain role and can only access the part of data that she is authorized according to her role and the Access Control Policy (ACP). In addition, a more profound and accurate definition of simple and complex XACL (XML Access Control Policies) is given and a workable cryptographic solution is provided to handle complex policies. Furthermore, two different encryption methods are introduced to minimize the size of a file encrypted using XML encryption specifications. The research also extends the current technique of populating RFID tag memory with BIM (Building Information Model) database information in Facilities Management System (FMS) applications, by adding roles and different security levels. To explore the technical feasibility of the proposed approach, a case study in facilities management with different roles and security permissions has been implemented and tested at Concordia University. In this case study, we apply the proposed framework and encryption scheme to provide fine-grained access to data stored on RFID tags. To the best of our knowledge, it is the first work that addresses security issues in this new type of RFID-based distributed storage application

A Query Integrator and Manager for the Query Web

We introduce two concepts: the Query Web as a layer of interconnected queries over the document web and the semantic web, and a Query Web Integrator and Manager (QI) that enables the Query Web to evolve. QI permits users to write, save and reuse queries over any web accessible source, including other queries saved in other installations of QI. The saved queries may be in any language (e.g. SPARQL, XQuery); the only condition for interconnection is that the queries return their results in some form of XML. This condition allows queries to chain off each other, and to be written in whatever language is appropriate for the task. We illustrate the potential use of QI for several biomedical use cases, including ontology view generation using a combination of graph-based and logical approaches, value set generation for clinical data management, image annotation using terminology obtained from an ontology web service, ontology-driven brain imaging data integration, small-scale clinical data integration, and wider-scale clinical data integration. Such use cases illustrate the current range of applications of QI and lead us to speculate about the potential evolution from smaller groups of interconnected queries into a larger query network that layers over the document and semantic web. The resulting Query Web could greatly aid researchers and others who now have to manually navigate through multiple information sources in order to answer specific questions

Linking design and manufacturing domains via web-based and enterprise integration technologies

The manufacturing industry faces many challenges such as reducing time-to-market and cutting costs. In order to meet these increasing demands, effective methods are need to support the early product development stages by bridging the gap of communicating early design ideas and the evaluation of manufacturing performance. This paper introduces methods of linking design and manufacturing domains using disparate technologies. The combined technologies include knowledge management supporting for product lifecycle management (PLM) systems, enterprise resource planning (ERP) systems, aggregate process planning systems, workflow management and data exchange formats. A case study has been used to demonstrate the use of these technologies, illustrated by adding manufacturing knowledge to generate alternative early process plan which are in turn used by an ERP system to obtain and optimise a rough-cut capacity plan

An artefact repository to support distributed software engineering

The Open Source Component Artefact Repository (OSCAR) system is a component of the GENESIS platform designed to non-invasively inter-operate with work-flow management systems, development tools and existing repository systems to support a distributed software engineering team working collaboratively. Every artefact possesses a collection of associated meta-data, both standard and domain-specific presented as an XML document. Within OSCAR, artefacts are made aware of changes to related artefacts using notifications, allowing them to modify their own meta-data actively in contrast to other software repositories where users must perform all and any modifications, however trivial. This recording of events, including user interactions provides a complete picture of an artefact's life from creation to (eventual) retirement with the intention of supporting collaboration both amongst the members of the software engineering team and agents acting on their behalf

Ensuring Cyber-Security in Smart Railway Surveillance with SHIELD

Modern railways feature increasingly complex embedded computing systems for surveillance, that are moving towards fully wireless smart-sensors. Those systems are aimed at monitoring system status from a physical-security viewpoint, in order to detect intrusions and other environmental anomalies. However, the same systems used for physical-security surveillance are vulnerable to cyber-security threats, since they feature distributed hardware and software architectures often interconnected by ‘open networks’, like wireless channels and the Internet. In this paper, we show how the integrated approach to Security, Privacy and Dependability (SPD) in embedded systems provided by the SHIELD framework (developed within the EU funded pSHIELD and nSHIELD research projects) can be applied to railway surveillance systems in order to measure and improve their SPD level. SHIELD implements a layered architecture (node, network, middleware and overlay) and orchestrates SPD mechanisms based on ontology models, appropriate metrics and composability. The results of prototypical application to a real-world demonstrator show the effectiveness of SHIELD and justify its practical applicability in industrial settings

A collaborative platform for integrating and optimising Computational Fluid Dynamics analysis requests

A Virtual Integration Platform (VIP) is described which provides support for the integration of Computer-Aided Design (CAD) and Computational Fluid Dynamics (CFD) analysis tools into an environment that supports the use of these tools in a distributed collaborative manner. The VIP has evolved through previous EU research conducted within the VRShips-ROPAX 2000 (VRShips) project and the current version discussed here was developed predominantly within the VIRTUE project but also within the SAFEDOR project. The VIP is described with respect to the support it provides to designers and analysts in coordinating and optimising CFD analysis requests. Two case studies are provided that illustrate the application of the VIP within HSVA: the use of a panel code for the evaluation of geometry variations in order to improve propeller efficiency; and, the use of a dedicated maritime RANS code (FreSCo) to improve the wake distribution for the VIRTUE tanker. A discussion is included detailing the background, application and results from the use of the VIP within these two case studies as well as how the platform was of benefit during the development and a consideration of how it can benefit HSVA in the future