Preventing Information Inference in Access Control
F. Paci, Nicola Zannone
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2015-06-01. DOI: 10.1145/2752952.2752971

Abstract: Technological innovations like social networks, personal devices and cloud computing allow users to share and store online a huge amount of personal data. Sharing personal data online raises significant privacy concerns for users, who feel that they do not have full control over their data. A solution often proposed to alleviate users' privacy concerns is to let them specify access control policies that reflect their privacy constraints. However, existing approaches to access control often produce policies which either are too restrictive or allow the leakage of sensitive information. In this paper, we present a novel access control model that reduces the risk of information leakage. The model relies on a data model which encodes the domain knowledge along with the semantic relations between data. We illustrate how the access control model and the reasoning over the data model can be automatically translated into XACML. We evaluate and compare our model with existing access control models with respect to its effectiveness in preventing leakage of sensitive information and efficiency in authoring policies. The evaluation shows that the proposed model allows the definition of effective access control policies that mitigate the risks of inference of sensitive data while reducing users' effort in policy authoring compared to existing models.
Towards Attribute-Based Authorisation for Bidirectional Programming
Lionel Montrieux, Zhenjiang Hu
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2015-06-01. DOI: 10.1145/2752952.2752963

Abstract: Bidirectional programming allows developers to write programs that will produce transformations that extract data from a source document into a view. The same transformations can then be used to update the source in order to propagate the changes made to the view, provided that the transformations satisfy two essential properties. Bidirectional transformations can provide a form of authorisation mechanism. From a source containing sensitive data, a view can be extracted that only contains the information to be shared with a subject. The subject can modify the view, and the source can be updated accordingly, without risk of release of the sensitive information to the subject. However, the authorisation model afforded by bidirectional transformations is limited. Implementing an attribute-based access control (ABAC) mechanism directly in bidirectional transformations would violate the essential properties of well-behaved transformations; it would contradict the principle of separation of concerns; and it would require users to write and maintain a different transformation for every subject they would like to share a view with. In this paper, we explore a solution to enforce ABAC on bidirectional transformations, using a policy language from which filters are generated to enforce the policy rules.
Generating Secure Images for CAPTCHAs through Noise Addition
David Lorenzi, Pratik Chattopadhyay, Emre Uzun, Jaideep Vaidya, S. Sural, V. Atluri
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2015-06-01. DOI: 10.1145/2752952.2753065

Abstract: As online automation, image processing and computer vision become increasingly powerful and sophisticated, methods to secure online assets from automated attacks (bots) are required. As traditional text-based CAPTCHAs become more vulnerable to attacks, new methods for ensuring a user is human must be devised. To provide a solution to this problem, we aim to reduce some of the security shortcomings in an alternative style of CAPTCHA, more specifically the image CAPTCHA. Introducing noise helps image CAPTCHAs thwart attacks from Reverse Image Search (RIS) engines and Computer Vision (CV) attacks while still retaining enough usability to allow humans to pass challenges. We present a secure image generation method based on noise addition that can be used for image CAPTCHAs, along with 4 different styles of image CAPTCHAs to demonstrate a fully functional image CAPTCHA challenge system.
A Logic of Trust for Reasoning about Delegation and Revocation
M. Cramer, Diego Agustín Ambrossio, Pieter Van Hertum
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2015-06-01. DOI: 10.1145/2752952.2752968

Abstract: In ownership-based access control frameworks with the possibility of delegating permissions and administrative rights, chains of delegated accesses will form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. Hagström et al. [8] proposed a framework for classifying revocation schemes, in which the different revocation schemes are defined graph-theoretically; they motivate the revocation schemes in this framework by presenting various scenarios in which the agents have different reasons for revoking. This paper is based on the observation that there are some problems with Hagström et al.'s definitions of the revocation schemes, which have led us to propose a refined framework with new graph-theoretic definitions of the revocation schemes. In order to formally study the merits and demerits of various definitions of revocation schemes, we propose to apply the axiomatic method originating in social choice theory to revocation schemes. For formulating an axiom, i.e. a desirable property of revocation frameworks, we propose a logic, Trust Delegation Logic (TDL), with which one can formalize the different reasons an agent may have for performing a revocation. We show that our refined graph-theoretic definitions of the revocation schemes, unlike Hagström et al.'s original definitions, satisfy the desirable property that can be formulated using TDL.
Valued Workflow Satisfiability Problem
J. Crampton, G. Gutin, Daniel Karapetyan
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2015-01-30. DOI: 10.1145/2752952.2752961

Abstract: A workflow is a collection of steps that must be executed in some specific order to achieve an objective. A computerised workflow management system may enforce authorisation policies and constraints, thereby restricting which users can perform particular steps in a workflow. The existence of policies and constraints may mean that a workflow is unsatisfiable, in the sense that it is impossible to find an authorised user for each step in the workflow and satisfy all constraints. In this paper, we consider the problem of finding the "least bad" assignment of users to workflow steps by assigning a weight to each policy and constraint violation. To this end, we introduce a framework for associating costs with the violation of workflow policies and constraints and define the valued workflow satisfiability problem (Valued WSP), whose solution is an assignment of steps to users of minimum cost. We establish the computational complexity of Valued WSP with user-independent constraints and show that it is fixed-parameter tractable. We then describe an algorithm for solving Valued WSP with user-independent constraints and evaluate its performance, comparing it to that of an off-the-shelf mixed integer programming package.
Commune: Shared Ownership in an Agnostic Cloud
Claudio Soriente, Ghassan O. Karame, H. Ritzdorf, Srdjan Marinovic, Srdjan Capkun
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, 2013-11-25. DOI: 10.1145/2752952.2752972

Abstract: Cloud storage platforms promise a convenient way for users to share files and engage in collaborations, yet they require all files to have a single owner who unilaterally makes access control decisions. Existing clouds are, thus, agnostic to shared ownership. This can be a significant limitation in many collaborations because, for example, one owner can delete files and revoke access without consulting the other collaborators. In this paper, we first formally define a notion of shared ownership within a file access control model. We then propose a solution, called Commune, to the problem of distributed enforcement of shared ownership in agnostic clouds, so that access grants require the support of an agreed threshold of owners. Commune can be used in existing clouds without modifications to the platforms. We analyze the security of our solution and evaluate its performance through an implementation integrated with Amazon S3.
Proceedings of the 20th ACM Symposium on Access Control Models and Technologies. DOI: 10.1145/2752952