Formalisation and Implementation of the XACML Access Control Mechanism
We propose a formal account of XACML, an OASIS standard adhering to the Policy-Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we give it a more manageable alternative syntax and a solid semantic grounding. This lays the basis for developing tools and methodologies that allow software engineers to regulate access to resources easily and precisely using policies. To demonstrate the feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation relies entirely on our formal development.
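The ambiguity the abstract refers to is easiest to see in the rule-combining algorithms: the same rules and the same request yield different decisions depending on whether a policy uses deny-overrides, permit-overrides or first-applicable, and on how a missing attribute (an Indeterminate rule result) is absorbed. The following evaluator is an added illustration, not the paper's tool or syntax; the policy, the attribute names and the sample requests are constructed for the example, and XACML 3.0's extended Indeterminate{D}, Indeterminate{P} and Indeterminate{DP} results are collapsed into a single Indeterminate for brevity.

```javascript
// Added example (not the paper's tool): a minimal XACML-style evaluator
// showing how combining algorithms and Indeterminate results interact.
const PERMIT = 'Permit', DENY = 'Deny';
const NOT_APPLICABLE = 'NotApplicable', INDETERMINATE = 'Indeterminate';

// A target is a set of attribute/value constraints. An attribute that is
// absent from the request cannot be matched, so the result is Indeterminate
// (XACML's error path), not simply "no match".
function matchTarget(target, request) {
  for (const [attr, value] of Object.entries(target)) {
    if (!(attr in request)) return INDETERMINATE;
    if (request[attr] !== value) return false;
  }
  return true;
}

function evaluateRule(rule, request) {
  const m = matchTarget(rule.target, request);
  if (m === INDETERMINATE) return INDETERMINATE;
  return m ? rule.effect : NOT_APPLICABLE;
}

// Simplified combining algorithms (single Indeterminate value):
// deny-overrides ranks Indeterminate above Permit (fail closed: a Deny may be
// hiding behind the error); permit-overrides is its mirror image;
// first-applicable takes the first result that is not NotApplicable.
const COMBINE = {
  'deny-overrides': ds =>
    ds.includes(DENY) ? DENY
    : ds.includes(INDETERMINATE) ? INDETERMINATE
    : ds.includes(PERMIT) ? PERMIT : NOT_APPLICABLE,
  'permit-overrides': ds =>
    ds.includes(PERMIT) ? PERMIT
    : ds.includes(INDETERMINATE) ? INDETERMINATE
    : ds.includes(DENY) ? DENY : NOT_APPLICABLE,
  'first-applicable': ds => ds.find(d => d !== NOT_APPLICABLE) || NOT_APPLICABLE,
};

function evaluatePolicy(policy, request) {
  const m = matchTarget(policy.target || {}, request);
  if (m === INDETERMINATE) return INDETERMINATE;
  if (!m) return NOT_APPLICABLE;
  const decisions = policy.rules.map(r => evaluateRule(r, request));
  return COMBINE[policy.algorithm](decisions);
}

// Constructed sample policy: physicians may read medical records, but
// sealed records are denied to everyone.
const recordPolicy = {
  target: { 'resource-type': 'medical-record' },
  algorithm: 'deny-overrides',
  rules: [
    { target: { role: 'physician', action: 'read' }, effect: PERMIT },
    { target: { 'record-status': 'sealed' }, effect: DENY },
  ],
};

// Evaluate the sample policy under a chosen combining algorithm.
function decide(request, algorithm = recordPolicy.algorithm) {
  return evaluatePolicy({ ...recordPolicy, algorithm }, request);
}

// Constructed sample requests.
const OPEN_READ = { 'resource-type': 'medical-record', role: 'physician',
                    action: 'read', 'record-status': 'open' };
const SEALED_READ = { ...OPEN_READ, 'record-status': 'sealed' };
const STATUS_MISSING = { 'resource-type': 'medical-record', role: 'physician',
                         action: 'read' };             // no record-status attribute
const LAB_READ = { ...OPEN_READ, 'resource-type': 'lab-result' };

for (const alg of Object.keys(COMBINE)) {
  console.log(alg, {
    open: decide(OPEN_READ, alg), sealed: decide(SEALED_READ, alg),
    statusMissing: decide(STATUS_MISSING, alg), lab: decide(LAB_READ, alg),
  });
}
```

The sealed-record request is the textbook case: the same two rules produce Deny under deny-overrides and Permit under permit-overrides or first-applicable. The request with no record-status attribute is the subtler one: deny-overrides refuses to answer (Indeterminate) because the Deny rule could not be evaluated, while the other two algorithms return Permit on the strength of the first rule alone. A policy author who has not pinned down these semantics can easily ship a policy that is permissive exactly when an attribute source fails, which is the kind of question a formal semantics settles.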
Disclosure quality and stock returns in the UK
The purpose of this paper is to update and re-examine the role of corporate narrative reporting in improving investors' ability to better forecast future earnings change. We also construct a risk factor for disclosure quality (DQ) and test whether such a factor is useful in explaining the time-series variation of UK stock returns. Our paper contributes to market-based accounting research in three crucial ways. Firstly, it offers updated evidence on the usefulness of corporate narrative reporting to investors. Secondly, it offers evidence that the DQ factor is a significant risk factor in the UK. Thirdly, and finally, it finds that the Fama-French factors might contain DQ-related information.
F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services
The frequency and severity of a number of recent intrusions involving data theft and leakages has shown that online users' trust, voluntary or not, in the ability of third parties to protect their sensitive data is often unfounded. Data may be exposed anywhere along a corporation's web pipeline, from the outward-facing web servers to the back-end databases. The problem is exacerbated in service-oriented architectures (SOAs), where data may also be exposed as they transit between SOAs. For example, credit card numbers may be leaked during transmission to or handling by transaction-clearing intermediaries. We present F3ildCrypt, a system that provides end-to-end protection of data across a web pipeline and between SOAs. Sensitive data are protected from their origin (the user's browser) to their legitimate final destination. To that end, F3ildCrypt exploits browser scripting to enable application- and merchant-aware handling of sensitive data. Such techniques have traditionally been considered a security risk; to our knowledge, this is one of the first uses of web scripting that enhances overall security. Our approach scales well in the number of public key operations required for web clients and does not reveal proprietary details of the logical enterprise network. We evaluate F3ildCrypt and show an additional cost of 40 to 150 ms when making sensitive transactions from the web browser, and a processing rate of 100 to 140 protected fields/second on the server. We believe such costs to be a reasonable tradeoff for increased sensitive-data confidentiality.