
Latest publications: Proceedings of the ... ACM symposium on access control models and technologies (ACM Symposium on Access Control Models and Technologies)

Monitor placement for large-scale systems
Nirupama Talele, Jason Teutsch, R. Erbacher, T. Jaeger
System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
DOI: https://doi.org/10.1145/2613087.2613107 | Published: 2014-06-25 | Pages: 29-40
Citations: 6
Attribute based access control for APIs in spring security
A. Armando, R. Carbone, Eyasu Getahun Chekole, Silvio Ranise
The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access of sensitive data. Available security solutions must be re-used and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism to guarantee the enforcement of authorization constraints on resources while invoking their API functions. We have developed an extension of the Spring Security framework, the standard for securing services and apps built in the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy eco-system.
DOI: https://doi.org/10.1145/2613087.2613109 | Published: 2014-06-25 | Pages: 85-88
Citations: 14
An access control concept for novel automotive HMI systems
Simon Gansel, Stephan Schnitzer, Ahmad Gilbeau-Hammoud, V. Friesen, Frank Dürr, K. Rothermel, Christian Maihöfer
The relevance of graphical functions in vehicular applications has increased significantly during the last few years. Modern cars are equipped with multiple displays used by different applications such as the speedometer or navigation system. However, so far applications are restricted to using dedicated displays. In order to increase flexibility, the requirement of sharing displays between applications has emerged. Sharing displays leads to safety and security concerns since safety-critical applications such as the dashboard warning lights share the same displays with uncritical or untrusted applications like the navigation system or third-party applications. To guarantee the safe and secure sharing of displays, we present a formal model for defining and controlling the access to display areas in this paper. We prove the validity of this model, and present a proof-of-concept implementation to demonstrate the feasibility of our concept.
DOI: https://doi.org/10.1145/2613087.2613104 | Published: 2014-06-25 | Pages: 17-28
Citations: 9
Hardware-enhanced distributed access enforcement for role-based access control
Gedare Bloom, R. Simha
The protection of information in enterprise and cloud platforms is growing more important and complex with increasing numbers of users who need to access resources with distinct permissions. Role-based access control (RBAC) eases administrative complexity for large-scale access control, while a client-server model can ease performance bottlenecks by distributing access enforcement across multiple servers that consult the centralized access decision policy server as needed. In this paper, we propose a new approach to access enforcement using an existing associative array hardware data structure (HWDS) to cache authorizations in a distributed system using RBAC. This HWDS approach uses hardware that has previously been demonstrated as useful for several application domains including access control, network packet routing, and generic comparison-based integer search algorithms. We reproduce experiments from prior work on distributed access enforcement for RBAC systems, and we design and conduct new experiments to evaluate HWDS-based access enforcement. Experimental data show the HWDS cuts session initiation time by about a third compared to existing solutions, while achieving similar performance to authorize access requests. These results suggest that distributed systems using RBAC could use HWDS-based access enforcement to increase session throughput or to decrease the number of access enforcement servers without losing performance.
DOI: https://doi.org/10.1145/2613087.2613096 | Published: 2014-06-25 | Pages: 5-16
Citations: 1
Towards fine grained RDF access control
Jyothsna Rachapalli, V. Khadilkar, Murat Kantarcioglu, B. Thuraisingham
The Semantic Web is envisioned as the future of the current web, where the information is enriched with machine understandable semantics. According to the World Wide Web Consortium (W3C), "The Semantic Web provides a common framework that allows data to be shared and reused across application, enterprise, and community boundaries". Among the various technologies that empower the Semantic Web, the most significant ones are the Resource Description Framework (RDF) and SPARQL, which facilitate data integration and a means to query respectively. Although the Semantic Web is elegantly and effectively equipped for data sharing and integration via RDF, the lack of efficient means to securely share data poses limitations in practice. In order to make data sharing and integration pragmatic for the Semantic Web, we present a query language based secure data sharing mechanism. We extend SPARQL with a new query form called SANITIZE which comprises a set of sanitization operations that are used to sanitize or mask sensitive data within an RDF graph. The sanitization operations can be further leveraged towards RDF access control and anonymization, thus enabling secure sharing of RDF data.
DOI: https://doi.org/10.1145/2613087.2613092 | Published: 2014-06-25 | Pages: 165-176
Citations: 12
Limiting access to unintentionally leaked sensitive documents using malware signatures
Mordechai Guri, Gabi Kedma, B. Carmeli, Y. Elovici
Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization's boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization's boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.
DOI: https://doi.org/10.1145/2613087.2613103 | Published: 2014-06-25 | Pages: 129-140
Citations: 0
Policy models to protect resource retrieval
H. Vijayakumar, Xinyang Ge, T. Jaeger
Processes need a variety of resources from their operating environment in order to run properly, but an adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suitable to prevent such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that data-flow is necessary to authorize resource retrieval in over 90% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.
DOI: https://doi.org/10.1145/2613087.2613111 | Published: 2014-06-25 | Pages: 211-222
Citations: 0
User-centric management of distributed credential repositories: balancing availability and vulnerability
Jens Köhler, Jens Mittag, H. Hartenstein
To relieve users of the burden to memorize and manage their credentials while allowing for seamless roaming between various end devices, the idea of so-called credential repositories that store credentials for users came to attention. Both the risk of the credential repository being unavailable and the risk of the credentials becoming compromised are managed by the party that hosts the credential repository and that has to be trusted by the user. Removing the need for a trust relationship to a single party implies that users have to manage the risks themselves, for instance, by splitting the credentials across multiple systems/parties. However, if the systems differ in terms of availability and vulnerability, determining a suitable splitting strategy to manage the tradeoff between credential availability and vulnerability constitutes a complex problem. In this paper we present CREDIS, an approach that supports the user in building a credential repository based on heterogeneous systems that differ in terms of vulnerability and availability. CREDIS enables users to specify requirements on the availability and the vulnerability of the distributed credential repository and determines an optimal strategy on how to split secrets across the heterogeneous systems. We prove the NP-hardness of finding an optimal strategy, introduce an approach based on Integer Linear Programming to find optimal strategies for medium sized scenarios and propose heuristics for larger ones. We show that the CREDIS approach yields a reasonably secure and available credential repository even when the distributed repository is built based on low-grade devices or systems.
DOI: https://doi.org/10.1145/2462410.2462412 | Published: 2013-06-12 | Pages: 237-248
Citations: 1
Private data warehouse queries
X. Yi, Russell Paulet, E. Bertino, Guandong Xu
Publicly accessible data warehouses are an indispensable resource for data analysis. But they also pose a significant risk to the privacy of the clients, since a data warehouse operator may follow the client's queries and infer what the client is interested in. Private Information Retrieval (PIR) techniques allow the client to retrieve a cell from a data warehouse without revealing to the operator which cell is retrieved. However, PIR cannot be used to hide OLAP operations performed by the client, which may disclose the client's interest. This paper presents a solution for private data warehouse queries on the basis of the Boneh-Goh-Nissim cryptosystem, which allows one to evaluate any multivariate polynomial of total degree 2 on ciphertexts. With our solution, the client can perform OLAP operations on the data warehouse and retrieve one (or more) cells without revealing any information about which cell is selected. Furthermore, our solution supports some types of statistical analysis on the data warehouse, such as regression and variance analysis, without revealing the client's interest. Our solution ensures both the server's security and the client's security.
Citations: 4
A white-box policy analysis and its efficient implementation
Jayalakshmi Balasubramaniam, Philip W. L. Fong
In policy composition frameworks, such as XACML, composite policies can be formed by the application of policy composition algorithms (PCAs), which combine authorization decisions of component policies. Understanding the behaviour of composite policies is a non-trivial endeavour, but instrumental in the engineering of correct access control policies. Existing policy analyses take a black-box approach, in which the global behaviour of the composite policy is assessed. A black-box approach is useful for detecting the presence of erroneous behaviour, but not particularly useful for locating the source of the error. In this work, we propose a white-box policy analysis, known as Decision in Context (DIC), that assesses the behaviour of component policies situated in a composite policy. We show that the DIC query can be applied to facilitate policy change impact analysis, break-glass reduction analysis, dead policy identification, as well as the pruning of redundant subpolicies. For generality, the DIC query is defined in an XACML-style policy composition framework that is agnostic of the underlying access control model. The DIC query is implemented via a reduction to either propositional satisfiability (SAT) or pseudo-Boolean satisfiability (PBS) instances, after which standard solvers can be invoked to complete the evaluation. Empirical analyses have been conducted to compare the relative efficiency of the SAT and PBS encodings. The latter is found to be the more effective encoding, especially for composite policies containing majority-voting PCAs.
Citations: 2
Journal
Proceedings of the ... ACM symposium on access control models and technologies. ACM Symposium on Access Control Models and Technologies