检索结果-内蒙古大学图书馆

Proceedings of the 16th acm symposium on access control models and technologies

作者： Hu, Hongxin Ahn, Gail-Joon Kulkarni, Ketan Arizona State University Tempe AZ 85287 United States

ISBN: (纸本)9781450307215

the advent of emerging technologies such asWeb services, serviceoriented architecture, and cloud computing has enabled us to perform business services more efficiently and effectively. However, we still suffer from unintended security leakages by unauthorized actions in business services while providing more convenient services to Internet users through such a cutting-edge technological growth. Furthermore, designing and managing Web access control policies are often error-prone due to the lack of effective analysis mechanisms and tools. In this paper, we represent an innovative policy anomaly analysis approach for Web access control policies. We focus on XacmL (eXtensible access control Markup Language) policy since XacmL has become the de facto standard for specifying and enforcing access control policies for various Webbased applications and services. We introduce a policy-based segmentation technique to accurately identify policy anomalies and derive effective anomaly resolutions. We also discuss a proof-ofconcept implementation of our method called XAnalyzer and demonstrate how efficiently our approach can discover and resolve policy anomalies. © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

Program synthesis in administration of higher-order permissions 11

Program synthesis in administration of higher-order permissi...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Bruns, Glenn Huth, Michael Avijit, Kumar Bell Labs Alcatel-Lucent United States Imperial College London United Kingdom Carnegie Mellon University United States

ISBN: (纸本)9781450307215

In "administrative" access control, policy controls permissions not just on application actions, but also on actions to modify permissions, on actions to modify permissions on those actions, and so on. One context of work in administrative policy is "administrative RBAC", in which policy controls the permissions of roles, the membership of roles, and other elements of RBAC access-control state. Here we study and extend the UARBAC model for administrative RBAC from the perspective of usability and expressiveness. Using tools from logic and program verification, we formulate UARBAC logically and develop an algorithm that produces "administrative plans" that achieve specified permissions through permitted actions. this work is closely related to work on the safety problem in administrative access control, but aims to aid legitimate users in understanding how to reach a desired access-control state. We then show how this machinery can be used so that ad- ministrative actions at any desired depth, and so plans as well, can be uniformly simulated in the UARBAC model. © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

xDAuth: A scalable and lightweight framework for cross domain access control and delegation 11

xDAuth: A scalable and lightweight framework for cross domai...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Alam, Masoom Zhang, Xinwen Khan, Kamran H Ali, Gohar Security Engineering Research Group IMSciences United States Huawei America Research Center Santa Clara CA United States

ISBN: (纸本)9781450307215

Cross domain resource sharing and collaborations have be- come pervasive in today's service oriented organizations. Existing approaches for the realization of cross domain access control are either focused on the model level only without concrete implementation mechanisms, or not general enough to provide a exible framework for enterprise web applications. In this paper, we present xDAuth, a frame- work for the realization of cross domain access control and delegation with RESTful web service architecture. While focusing on real issues under the context of cross domain access scenarios such as no predened trust relationship between a service provider domain and service requestor domain, xDAuth leverages existing web technologies to realize desired security requirements while supporting exible and scalable security policies and privacy protection with low performance overhead. We have implemented xDAuth in a medical module in OpenERP, an open source ERP system. Our evaluation demonstrates that xDAuth is a feasible framework towards general cross domain access control for service oriented architectures. © 2011 acm.

关键词： Authorization

来源：评论

学校读者我要写书评

暂无评论

An authorization scheme for version control systems 11

An authorization scheme for version control systems

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Chamarty, Sitaram Patel, Hiren D. Tripunitara, Mahesh V. Tata Consultancy Services Hyderabad India ECE Department Univ. of Waterloo Canada

ISBN: (纸本)9781450307215

We present gitolite, an authorization scheme for Version control Systems (VCSes). We have implemented it for the Git VCS. A VCS enables versioning, distributed collaboration and several other features, and is an important context for authorization and access control. Our main consideration behind the design of gitolite is the balance between expressive power, correctness and usability in realistic settings. We discuss our design of gitolite, and in particular the four user-classes in its delegation model, and the administrative actions a user at each class performs. We discuss also our ongoing work on expressing gitolite precisely in first-order logic, to thereby give it a precise semantics and establish correctness properties. gitolite has been adopted in open-source software development, university and industry settings. We discuss our experience with these deployments, and present some performance results related to access enforcement from a real deployment. © 2011 acm.

关键词： Authorization

来源：评论

学校读者我要写书评

暂无评论

Fine-grained integration of access control policies

引用

COMPUTERS & SECURITY 2011年第2-3期30卷 91-107页

作者： Rao, Prathima Lin, Dan Bertino, Elisa Li, Ninghui Lobo, Jorge Purdue Univ Dept Comp Sci W Lafayette IN 47907 USA Missouri Univ Sci & Technol Dept Comp Sci Rolla MO USA IBM TJ Watson Res Ctr Yorktown Hts NY USA

Collaborative and distributed applications, such as dynamic coalitions and virtualized grid computing, often require integrating access control policies of collaborating parties. Such an integration must be able to support complex authorization specifications and the fine-grained integration requirements that the various parties may have. In this paper, we introduce an algebra for fine-grained integration of sophisticated policies. the algebra, which consists of three binary and two unary operations, is able to support the specification of a large variety of integration constraints. For ease of use, we also introduce a set of derived operators and provide guidelines for users to edit a policy with desired properties. To assess the expressive power of our algebra, we define notion of completeness and prove that our algebra is complete and minimal with respect to the notion. We then propose a framework that uses the algebra for the fine-grained integration of policies expressed in XacmL. We also present a methodology for generating the actual integrated XacmL policy, based on the notion of Multi-Terminal Binary Decision Diagrams. Experimental results have demonstrated both effectiveness and efficiency of our approach. In addition, we also discuss issues regarding obligations. (C) 2010 Elsevier Ltd. All rights reserved.

关键词： access control Algebra Framework Policy integration XacmL

来源：评论

学校读者我要写书评

暂无评论

Rumpole: A flexible break-glass access control model 11

Rumpole: A flexible break-glass access control model

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Marinovic, Srdjan Craven, Robert Ma, Jiefei Dulay, Naranker Department of Computing Imperial College London United Kingdom

ISBN: (纸本)9781450307215

access control operates under the assumption that it is possible to correctly encode and predict all subjects' needs and rights. However, in human-centric pervasive domains, such as health care, it is hard if not impossible to encode all emergencies and exceptions, but also to imagine a priori all the permissible requests. Break-glass is an approach that embodies the idea that under certain conditions it is possible for a subject to break-the-glass and explicitly override the denied request. Current break-glass models make this decision without considering and investigating what the reasons for issuing the denial are, and they have a fixed decision procedure to determine whether the override is permitted. Furthermore, they do not explicitly represent and reason over conflicting and missing information about subjects and the context;which in human-centric pervasive domains is a norm rather than an anomaly. this paper presents a novel break-glass model, Rumpole, that structures a break-glass policy by establishing why the access was denied. It uses Belnap's four-valued logic to represent conflicting and missing (unknown) information, allowing the policy to make a more informed decision when faced with missing or inconsistent knowledge. the model also provides a declarative query language that is used to specify an explicit break-glass decision procedure, rather than having an implicitly hard-coded one. this allows a policy writer to further condition and restrict when and how break-glass access is permitted © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

System for automatic estimation of data sensitivity with applications to access control and other applications 11

System for automatic estimation of data sensitivity with app...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Park, Youngja Gates, Stephen C. Teiken, Wilfried Chari, Suresh N. IBM T. J. Watson Research Center P.O. Box 704 Yorktown Heights NY 10598 United States

ISBN: (纸本)9781450307215

the Enterprise Information Security Management (EISM) system aims to semi-automatically estimate the sensitivity of enterprise data through advanced content analysis and business process mining. We demonstrate a proof-of-concept of EISM that crawls all the files in a personal computer and estimates the sensitivity of individual files and the overall sensitivity level of the computer. the system can identify 11 different personally identifiable information (PII) types and 11 sensitive data categories, and estimate data sensitivity based on the identified sensitive information in the data. Furthermore, the tool produces the evidences of the discovered sensitive information including the surrounding context in the document to help users understand what kinds of sensitive information are stored in their computer. the evidences allow users can easily redact the sensitive information or move it to a more secure location. thus, this system can be used as a privacy enhancing tool as well as a security tool. © 2011 acm.

关键词： Personal computers

来源：评论

学校读者我要写书评

暂无评论

An approach to modular and testable security models of real-world health-care applications 11

An approach to modular and testable security models of real-...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Brucker, Achim D. Brügger, Lukas Kearney, Paul Wolff, Burkhart SAP Research Vincenz-Priessnitz-Str. 1 76131 Karlsruhe Germany Information Security ETH Zurich 8092 Zurich Switzerland Security Futures Practice BT Innovate and Design Adastral Park Ipswich United Kingdom Parc Club Orsay Universit´ Université Paris-Sud 91893 Orsay Cedex France

ISBN: (纸本)9781450307215

We present a generic modular policy modelling framework and instantiate it with a substantial case study for modelbased testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the National Health Service (NHS) in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features. We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationships. the model is given in Higher-order Logic (HOL) and processed together with suitable test specifications in the hol-TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing. © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

Modeling data flow in socio-information networks: A risk estimation approach 11

Modeling data flow in socio-information networks: A risk est...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Wang, Ting Srivatsa, Mudhakar Agrawal, Dakshi Liu, Ling College of Computing Georgia Institute of Technology Atlanta GA United States IBM T.J. Watson Research Center Hawthorne NY United States

ISBN: (纸本)9781450307215

Information leakage via the networks formed by subjects (e.g., Facebook, Twitter) and objects (e.g., blogosphere) - some of whom may be controlled by malicious insiders - often leads to unpredicted access control risks. While it may be impossible to precisely quantify information flows between two entities (e.g., two friends in a social network), this paper presents a first attempt towards leveraging recent advances in modeling socio-information networks to develop a statistical risk estimation paradigm for quantifying such insider threats. In the context of socio-information networks, our models estimate the following likelihoods: prior flow - has a subject s acquired covert access to object o via the networks? posterior flow - if s is granted access to o, what is its impact on information flows between subject s′ and object o!? network evolution - how will a newly created social relationship between s and s′ influence current risk estimates? Our goal is not to prescribe a one-size-fits-all solution;instead we develop a set of composable network-centric risk estimation operators, with implementations configurable to concrete socio-information networks. the efficacy of our solutions is empirically evaluated using real-life datasets collected from the IBM SmallBlue project and Twitter. © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

Data leakage mitigation for discretionary access control in collaboration clouds 11

Data leakage mitigation for discretionary access control in ...

引用

Proceedings of the 16th acm symposium on access control models and technologies

作者： Wang, Qihua Jin, Hongxia IBM Almaden Research Center San Jose CA United States

ISBN: (纸本)9781450307215

With the growing popularity of cloud computing, more and more enterprises are migrating their collaboration platforms from inenterprise systems to Software as a Service (SaaS) applications. While SaaS collaboration has numerous advantages, it also raises new security challenges. In particular, since SaaS collaboration is increasingly used across enterprise boundaries, organizations are concerned that sensitive information may be leaked to outsiders due to their employees' inadvertent mistakes on information sharing. In this article, we propose to mitigate the data leakage problem in SaaS collaboration systems by reducing human errors. Built on top of the discretionary access control model in existing collaboration systems, we have designed a series of mechanisms to provide defense in depth against information leakage. First, we allow enterprises to encode their organizational security rules as mandatory access control policies, so as to impose coarse-grained restrictions on their employees' discretionary sharing decisions. Second, we design an attribute-based recommender that suggests and prioritizes potential recipients for users' files, reducing errors in the choices of recipients. third, our system actively examines abnormal recipients entered by a file owner, providing the last line of defense before a file is shared. We have implemented a prototype of our solution and performed experiments on data collected from real-world collaboration systems. © 2011 acm.

关键词： access control

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：