Dissertations / Theses on the topic 'Data access control policies'


1

Scheffler, Thomas. "Privacy enforcement with data owner-defined policies." Phd thesis, Universität Potsdam, 2013. http://opus.kobv.de/ubp/volltexte/2013/6793/.

Abstract:
This thesis proposes a privacy protection framework for the controlled distribution and use of personal private data. The framework is based on the idea that privacy policies can be set directly by the data owner and can be automatically enforced against the data user. Data privacy continues to be a very important topic, as our dependency on electronic communication maintains its current growth, and private data is shared between multiple devices, users and locations. The growing amount and the ubiquitous availability of personal private data increases the likelihood of data misuse. Early privacy protection techniques, such as anonymous email and payment systems have focused on data avoidance and anonymous use of services. They did not take into account that data sharing cannot be avoided when people participate in electronic communication scenarios that involve social interactions. This leads to a situation where data is shared widely and uncontrollably and in most cases the data owner has no control over further distribution and use of personal private data. Previous efforts to integrate privacy awareness into data processing workflows have focused on the extension of existing access control frameworks with privacy aware functions or have analysed specific individual problems such as the expressiveness of policy languages. So far, very few implementations of integrated privacy protection mechanisms exist and can be studied to prove their effectiveness for privacy protection. Second level issues that stem from practical application of the implemented mechanisms, such as usability, life-time data management and changes in trustworthiness have received very little attention so far, mainly because they require actual implementations to be studied. Most existing privacy protection schemes silently assume that it is the privilege of the data user to define the contract under which personal private data is released. 
Such an approach simplifies policy management and policy enforcement for the data user, but leaves the data owner with a binary decision to submit or withhold his or her personal data based on the provided policy. We wanted to empower the data owner to express his or her privacy preferences through privacy policies that follow the so-called Owner-Retained Access Control (ORAC) model. ORAC has been proposed by McCollum, et al. as an alternate access control mechanism that leaves the authority over access decisions by the originator of the data. The data owner is given control over the release policy for his or her personal data, and he or she can set permissions or restrictions according to individually perceived trust values. Such a policy needs to be expressed in a coherent way and must allow the deterministic policy evaluation by different entities. The privacy policy also needs to be communicated from the data owner to the data user, so that it can be enforced. Data and policy are stored together as a Protected Data Object that follows the Sticky Policy paradigm as defined by Mont, et al. and others. We developed a unique policy combination approach that takes usability aspects for the creation and maintenance of policies into consideration. Our privacy policy consists of three parts: A Default Policy provides basic privacy protection if no specific rules have been entered by the data owner. An Owner Policy part allows the customisation of the default policy by the data owner. And a so-called Safety Policy guarantees that the data owner cannot specify disadvantageous policies, which, for example, exclude him or her from further access to the private data. The combined evaluation of these three policy-parts yields the necessary access decision. The automatic enforcement of privacy policies in our protection framework is supported by a reference monitor implementation. 
We started our work with the development of a client-side protection mechanism that allows the enforcement of data-use restrictions after private data has been released to the data user. The client-side enforcement component for data-use policies is based on a modified Java Security Framework. Privacy policies are translated into corresponding Java permissions that can be automatically enforced by the Java Security Manager. When we later extended our work to implement server-side protection mechanisms, we found several drawbacks for the privacy enforcement through the Java Security Framework. We solved this problem by extending our reference monitor design to use Aspect-Oriented Programming (AOP) and the Java Reflection API to intercept data accesses in existing applications and provide a way to enforce data owner-defined privacy policies for business applications.
As part of this dissertation, a framework for the enforcement of policies protecting private data was created. It relies on these policies being written directly by the owners of the data and being automatically enforceable. The protection of private data is a very important topic in electronic communication, and one that gains further importance with the progressive networking of devices and the availability and use of private data in online services. In the past, various techniques for protecting private data have been developed, the so-called Privacy Enhancing Technologies. Many of these technologies work on the principle of data minimisation and anonymisation and thus stand in opposition to modern network use in social media. This leads to a situation in which private data is widely distributed and used without the data owner being able to exercise targeted control over the distribution and use of his or her private data. Existing policy-based data protection techniques generally assume that the user, not the owner of the data, specifies the policies for handling private data. This approach simplifies the management and enforcement of access restrictions for the data user, but leaves the data owner only the choice of accepting the data user's policies or not sharing any data at all. Our approach was therefore to strengthen the position of the data owner by giving him or her the ability to formulate their own policies. The access control model used for this is known as Owner-Retained Access Control (ORAC) and was formulated in 1990 by McCollum et al. The basic principle of this model is that authority over access decisions always remains with the originator of the data. Two challenges arise from this approach.
First, the owner of the data, the Data Owner, must be enabled to formulate meaningful and correct policies for the handling of his or her data. Since these are ordinary computer users, it must be assumed that they will also make mistakes when creating policies. We solved this problem by dividing the privacy policies into three separate parts with different priorities. The part with the lowest priority defines basic protection properties. The data owner can override these properties with his or her own rules of medium priority. In addition, a part containing safety policies of high priority ensures that certain access rights are always preserved. The second challenge lies in the targeted communication of the policies and their enforcement against the data user (also called the Data User). To make the policies known to the data user, we use so-called Sticky Policies. This means that we attach the policies to the data to be protected using a suitable encoding, so that they can be referenced at any time and the owner's privacy requirements are preserved even when the data is distributed. For the enforcement of the policies on the data user's system we developed two different approaches. We developed a so-called Reference Monitor, which controls every access to the private data and decides, based on the rules stored in the Sticky Policy, whether or not the data user is granted access to this data. This Reference Monitor was implemented on the one hand as a client-side solution built on the security concept of the Java programming language.
On the other hand, a solution for servers was also developed, which can control access to specific methods of a program with the help of aspect-oriented programming. In the client-side reference monitor, privacy policies are translated into Java Permissions and enforced automatically by the Java Security Manager against arbitrary applications. Since this approach requires restarting the application whenever data with a different privacy policy is accessed, a different approach was chosen for the server-side reference monitor. Using the Java Reflection API and methods of aspect-oriented programming, it was possible to intercept data accesses in existing applications and to permit or deny access only after checking the privacy policy. Both solutions were tested for their performance and represent an extension of the previously known techniques for the protection of private data.
2

Salim, Farzad. "Detecting and resolving redundancies in EP3P policies." Thesis, Faculty of Computer Science and Software Engineering, University of Wollongong, 2006. https://eprints.qut.edu.au/28175/1/c28175.pdf.

Abstract:
Current regulatory requirements on data privacy make it increasingly important for enterprises to be able to verify and audit their compliance with their privacy policies. Traditionally, a privacy policy is written in a natural language. Such policies inherit the potential ambiguity, inconsistency and misinterpretation of natural text. Hence, formal languages are emerging to allow a precise specification of enforceable privacy policies that can be verified. The EP3P language is one such formal language. An EP3P privacy policy of an enterprise consists of many rules. Given the semantics of the language, there may exist some rules in the ruleset which can never be used; these rules are referred to as redundant rules. Redundancies adversely affect privacy policies in several ways. Firstly, redundant rules reduce the efficiency of operations on privacy policies. Secondly, they may misdirect the policy auditor when determining the outcome of a policy. Therefore, in order to address these deficiencies it is important to identify and resolve redundancies. This thesis introduces the concept of a minimal privacy policy - a policy that is free of redundancy. The essential component for maintaining the minimality of privacy policies is to determine the effects of the rules on each other. Hence, redundancy detection and resolution frameworks are proposed. Pair-wise redundancy detection is the central concept in these frameworks; it suggests a pair-wise comparison of the rules in order to detect redundancies. In addition, the thesis introduces a policy management tool that assists policy auditors in performing several operations on an EP3P privacy policy while maintaining its minimality. Formal results comparing alternative notions of redundancy, and how these would affect the tool, are also presented.
3

Shi, Leilei. "Authoring access control policies with controlled natural language." Thesis, University of Kent, 2011. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.590001.

Abstract:
This thesis is based on the research carried out under the EPSRC-funded EEAP project and the EC-funded TAS3 project. The research aimed to develop a technique enabling users to write access control policies in natural language. One of the main intentions of the research was to help non-technical users overcome the difficulty of understanding security policy authoring in computer languages. Policies are relatively easy for humans to specify in natural language, but are much more difficult for them to specify in computer-based languages, e.g. XML. Consequently humans usually need some sort of Human Computer Interface (HCI) in order to ease the task of policy specification. The usual solution to this problem is to devise a Graphical User Interface (GUI) that is relatively easy for humans to use, and that is capable of converting the chosen icons, menu items and entered text strings into the computer-based policy language. However, users still have to learn how to use the GUI, and this can be difficult for them, especially for novice users. This thesis describes the research that was performed in order to allow human users to specify access control policies using a subset of English called Controlled Natural Language (CNL). The CNL was designed for the task of authoring access control policies based on the Role Based Access Control (RBAC) model, with enhancements for a distributed environment. An ontology was made as a common representation of policies from different languages. As the result of the research, the author has designed and implemented an interface enabling users to author access control policies in the CNL. The policy in CNL can be converted to a policy in one of several machine language formats, so that it can be automatically enforced by a Policy Enforcement Point (PEP) and Policy Decision Point (PDP).
The design is modular and a set of APIs have been specified, so that new modules can be added or existing modules can be extended in functionality or replaced.
4

Zhang, Nan. "Generating verified access control policies through model-checking." Thesis, University of Birmingham, 2005. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.433707.

5

Slaymaker, Mark Arthur. "The formalisation and transformation of access control policies." Thesis, University of Oxford, 2011. http://ora.ox.ac.uk/objects/uuid:179cd9d2-0547-42b7-84a0-690bc4478bfb.

Abstract:
Increasing amounts of data are being collected and stored relating to every aspect of an individual's life, ranging from shopping habits to medical conditions. This data is increasingly being shared for a variety of reasons, from providing vast quantities of data to validate the latest medical hypothesis, to supporting companies in targeting advertising and promotions to individuals that fit a certain profile. In such cases, the data being used often comes from multiple sources --- with each of the contributing parties owning, and being legally responsible for, their own data. Within such models of collaboration, access control becomes important to each of the individual data owners. Although they wish to share data and benefit from information that others have provided, they do not wish to give away the entirety of their own data. Rather, they wish to use access control policies that give them control over which aspects of the data can be seen by particular individuals and groups. Each data owner will have access control policies that are carefully crafted and understood --- defined in terms of the access control representation that they use, which may be very different from the model of access control utilised by other data owners or by the technology facilitating the data sharing. Achieving interoperability in such circumstances would typically require the rewriting of the policies into a uniform or standard representation --- which may give rise to the need to embrace a new access control representation and/or the utilisation of a manual, error-prone, translation. In this thesis we propose an alternative approach, which embraces heterogeneity, and establishes a framework for automatic transformations of access control policies. This has the benefit of allowing data owners to continue to use their access control paradigm of choice. 
Of course, it is important that the data owners have some confidence in the fact that the new, transformed, access control policy representation accurately reflects their intentions. To this end, the use of tools for formal modelling and analysis allows us to reason about the translation, and demonstrate that the policies expressed in both representations are equivalent under access control requests; that is, for any given request both access control mechanisms will give an equivalent access decision. For the general case, we might propose a standard intermediate access control representation with transformations to and from each access control policy language of interest. However, for the purpose of this thesis, we have chosen to model the translation between role-based access control (RBAC) and the XML-based policy language, XACML, as a proof of concept of our approach. In addition to the formal models of the access control mechanisms and the translation, we provide, by way of a case study, an example of an implementation which performs the translation. The contributions of this thesis are as follows. First, we propose an approach to resolving issues of authorisation heterogeneity within distributed contexts, with the requirements being derived from nearly eight years of work in developing secure, distributed systems. Our second contribution is the formal description of two popular approaches to access control: RBAC and XACML. Our third contribution is the development of an Alloy model of our transformation process. Finally, we have developed an application that validates our approach, and supports the transformation process by allowing policy writers to state, with confidence, that two different representations of the same policy are equivalent.
6

Steffinlongo, Enrico <1987>. "Efficient security analysis of administrative access control policies." Doctoral thesis, Università Ca' Foscari Venezia, 2017. http://hdl.handle.net/10579/12917.

Abstract:
In recent years access control has been a crucial aspect of computer systems, since it is the component responsible for giving users specific permissions, enforcing an administrator-defined policy. This has led to the formation of a wide literature proposing and implementing access control models reflecting different system perspectives. Moreover, many analysis techniques have been developed with special attention to scalability, since many security properties have proven hard to verify. In this setting the presented work provides two main contributions. In the first, we study the security of workflow systems built on top of attribute-based access control in the case of collusion among multiple users. We define a formal model for an ARBAC-based workflow system and we state a notion of security against collusion. Furthermore, we propose a scalable static analysis technique for proving the security of a workflow. Finally, we implement it in a prototype tool, showing its effectiveness. In the second contribution, we propose a new model of administrative attribute-based access control (AABAC) where administrative actions are enabled by boolean expressions predicating on user attribute values. Subsequently we introduce two static analysis techniques for the verification of the reachability problem: one precise, but bounded, and one over-approximated. We also give a set of pruning rules in order to reduce the size of the problem, increasing the scalability of the analysis. Finally, we implement the analysis in a tool and we show its effectiveness on several realistic case studies.
7

Munari, Andrea. "Cooperative Medium Access Control Policies in Wireless Networks." Doctoral thesis, Università degli studi di Padova, 2010. http://hdl.handle.net/11577/3421552.

Abstract:
Broadly speaking, wireless ad hoc networks are permeated by cooperative behaviors. In such systems, indeed, nodes have to continuously pool their resources to achieve goals that are of general interest, such as routing packets towards a destination that would otherwise be out of reach for an information source, or coordinating medium access so as to successfully share a common spectrum. Recently, however, the idea of collaboration has gathered a renewed and increasing deal of attention in the research community thanks to the development of innovative concepts, most notably the idea of cooperative relaying, that have been shown to unleash significant improvements, going beyond some intrinsic limitations that affect wireless communications systems. While these emerging solutions have been thoroughly studied from a theoretical perspective, the advantages they offer can be reaped in real world implementations only if additional coordination among nodes is provided, so that cooperating terminals are allowed to offer their help obeying the rules that control medium access, and without disrupting the normal activity of the network. Along this line of reasoning, this thesis focuses on the design and study of link layers that implement cooperation in ad hoc networks. The contribution of our work is twofold. On the one hand, we introduce novel and beneficial collaborative strategies, while on the other hand we investigate how the intrinsic nature of different medium access control policies can be more or less beneficial to cooperative behaviors. In the first part, we present an innovative approach to cooperation in networks with multi-antenna equipped nodes that rely on directional transmissions and receptions. Our solution proposes terminals to share information on ongoing communications to better coordinate medium access at the link layer, and manages to overcome issues such as node deafness that typically hamper the potential of large scale directional wireless systems. 
The central part of this work, conversely, concentrates on the simpler ad hoc scenario where omnidirectional communications are in place, and tackles some inefficiencies of the cooperative relaying paradigm. In particular, we introduce the novel concept of hybrid cooperative-network coded ARQ, which allows a relay to code data of its own together with a corrupted packet during a retransmission at no additional cost in terms of bandwidth. Such a solution encourages nodes to cooperate, since they are offered the possibility to pursue a goal of their interest while helping surrounding terminals. Moreover, the capability of exploiting retransmissions to serve additional traffic, achieved by smartly taking advantage of network coding techniques, triggers beneficial effects also at a network level in terms of sustainable throughput and reduced congestion. The potential of the proposed approach is first investigated by means of mathematical analysis, while subsequently extensive simulation campaigns test the effectiveness of link layers that implement it in a variety of networking environments. Taking the cue from a reasoned comparison of the results achieved by relaying schemes in different scenarios, we devote the final part of the thesis to the investigation of the impact that distinct spectrum control policies can have on collaborative behaviors. Combining once again mathematical analysis and simulations, we consider how the characteristics of completely distributed, e.g., carrier sense based, and centralized, e.g., time division based, systems influence the effectiveness of a given cooperative strategy. Not only does our study shed light on the relations that exist between cooperation and medium access, but also it provides important hints on how to efficiently design link layers capable of supporting such techniques. 
Finally, the appendix of this thesis reports the outcome of a research activity, carried out in collaboration with the IBM Zurich Research Laboratory (Switzerland), whose focus falls out of the topic of cooperative link layers and covers the design of energy-efficient routing protocols for wireless sensor networks.
Wireless ad hoc networks generally exhibit a great many behaviours of a cooperative nature, in which nodes share their resources to pursue a goal of common interest. Consider, in this sense, the routing procedures for delivering multihop traffic, or the exchange of information among terminals that is needed to manage a shared spectrum effectively. Recently, moreover, a renewed and growing interest in the concept of collaboration among nodes has progressively emerged in the research community, thanks to the development of new paradigms, first among them the idea of cooperative relaying, which have proved able to mitigate some typical problems of wireless systems remarkably well, making significant performance improvements possible. Although these innovative solutions have received considerable attention in the literature, studies of them have concentrated mainly on analytical treatments intended to demonstrate their potential and advantages from an information-theoretic perspective. Approaches of this kind clearly tend to consider, for the sake of mathematical tractability, simplified topologies such as three-node networks, and often assume idealised medium access. When these ideas are to be implemented in real scenarios, however, a thorough refinement of coordination at the network level becomes necessary, since the cooperating nodes must in any case obey the rules that govern channel management (the link layer), so as to offer their contribution without hindering the normal activity of the network. Taking its cue from this reflection, this thesis focuses on the definition and analysis of link layers that implement cooperative solutions in ad hoc networks. The work makes two main contributions.
On the one hand, innovative and effective paradigms are introduced; on the other, a detailed and complete study is presented of how different medium access policies can influence such cooperative behaviours. The first part of the thesis focuses on the development of a new collaborative approach for networks whose terminals, equipped with multi-antenna systems, are able to perform directional transmissions and receptions. The proposed idea has nodes share, through the exchange of short control packets, information on the active communications they are aware of, so as to spread as widely as possible a correct perception of the state of the system and thereby guarantee better coordination in medium access. Dedicated studies show how this solution is able to overcome problems, such as node deafness, that often limit the effectiveness of directional transmissions in networks with a large number of devices, leading to important gains in overall performance. The central part of the work, by contrast, considers ad hoc networks with omnidirectional communications and tackles some inefficiencies that characterise the cooperative relaying paradigm. In particular, the innovative concept of hybrid cooperative-network coded ARQ is introduced for the first time; it allows nodes acting as relays to use the retransmission of a packet on behalf of a source that is unable to deliver it in order to serve some of their own traffic as well. This approach, unlike the purely altruistic behaviour required by simple relaying, encourages terminals to cooperate, offering them the possibility of pursuing an interest of their own in the very act of helping other nodes in difficulty.
Moreover, the ability to exploit the retransmission mechanism to serve additional traffic, made possible by the linear combination of data that is characteristic of network coding, lays the foundations for benefits at the network level as well, such as an increase in sustainable throughput and a reduction of congestion in bandwidth usage. The potential of the identified solution is first studied by means of mathematical models, following the methods typically found in the literature. Subsequently, the implementation and simulation study of several link layers capable of supporting this form of hybrid ARQ in different contexts, such as fully distributed networks and more structured networks, are proposed. Drawing on a reasoned comparison of the results obtainable by relaying schemes in different network scenarios, the final part of this thesis is devoted to discussing the impact that distinct medium access policies can have on behaviours of a cooperative nature. Combining once again mathematical analysis and simulation studies, the problem is addressed of how the intrinsic characteristics of systems based on carrier sensing and on time-division sharing of the medium influence the effectiveness of collaboration mechanisms among nodes. The observations obtained through this approach not only highlight the close relationship that exists between spectrum management policies and cooperation, but at the same time provide important suggestions on the design of link layers capable of supporting such strategies effectively.
Finally, the appendix reports the results of research activities carried out in collaboration with the IBM research laboratories in Zurich (Switzerland) and centred on topics that diverge slightly from the core of the thesis, namely the design of routing techniques for wireless sensor networks, with particular attention to energy efficiency.
8

Kolovski, Vladimir. "A logic-based framework for Web access control policies." College Park, Md. : University of Maryland, 2008. http://hdl.handle.net/1903/8180.

Abstract:
Thesis (Ph. D.) -- University of Maryland, College Park, 2008.
Thesis research directed by: Dept. of Computer Science. Title from t.p. of PDF. Includes bibliographical references. Published by UMI Dissertation Services, Ann Arbor, Mich. Also available in paper.
9

May, Brian 1975. "Scalable access control." Monash University, School of Computer Science and Software, 2001. http://arrow.monash.edu.au/hdl/1959.1/8043.

10

Ferreira, Ana. "Modelling access control for healthcare information systems : how to control access through policies, human processes and legislation." Thesis, University of Kent, 2010. https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.529399.

Abstract:
The introduction of Electronic Medical Records (EMR) within healthcare organizations has the main goal of integrating heterogeneous patient information that is usually scattered over different locations. However, there are some barriers that impede the effective integration of EMR within healthcare practice (e.g., educational, time/costs, security). A focus on improving access control definition and implementation is fundamental to defining proper system workflow and access. The main objectives of this research are: to involve end users in the definition of access control rules; to determine which access control rules are important to those users; to define an access control model that can model these rules; and to implement and evaluate this model. Technical, methodological and legislative reviews were conducted on access control both in general and in the healthcare domain. Grounded theory was used together with mixed methods to gather users' experiences and needs regarding access control. Focus groups (main qualitative method) followed by structured questionnaires (secondary quantitative method) were applied to the healthcare professionals, whilst structured telephone interviews were applied to the patients. A list of access control rules together with the new Break-The-Glass (BTG) RBAC model were developed. A prototype together with a pilot case study was implemented in order to test and evaluate the new model. A research process was developed during this work that allows translating access control procedures in healthcare, from legislation to practice, in a systematic and objective way. With access controls closer to healthcare practice, the educational, time/costs and security barriers to EMR integration can be minimized. This is achieved by: reducing the time needed to learn, use and alter the system; allowing unanticipated or emergency situations to be tackled in a controlled manner (BTG); and reducing unauthorized and non-justified accesses.
All this helps to achieve a faster and safer patient treatment.
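Added example, not code or the exact model from Ferreira's thesis: a minimal Break-The-Glass RBAC of the kind the abstract describes. A user's roles grant ordinary permissions; a second tier of permissions can be taken only by explicitly breaking the glass, which requires a justification, is always written to an audit trail, and is closed again by a reviewer afterwards. The roles, permission names and the ward scenario below are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class BTGRBAC:
    """Minimal Break-The-Glass RBAC: ordinary role permissions plus a second tier
    that a user can reach only by explicitly breaking the glass, which is logged
    with a justification and closed again after review."""
    role_perms: Dict[str, Set[str]]                   # role -> permissions granted normally
    btg_perms: Dict[str, Set[str]]                    # role -> permissions reachable only via BTG
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    broken: Set[Tuple[str, str]] = field(default_factory=set)   # (user, perm) with glass broken
    audit: List[dict] = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def _perms(self, user: str, table: Dict[str, Set[str]]) -> Set[str]:
        return set().union(*(table.get(r, set()) for r in self.user_roles.get(user, ())))

    def check(self, user: str, perm: str) -> str:
        """'allow', 'btg' (obtainable only by breaking the glass) or 'deny'."""
        if perm in self._perms(user, self.role_perms):
            return "allow"
        if (user, perm) in self.broken:
            # every use of an override is recorded, not just the override itself
            self.audit.append({"event": "btg-access", "user": user, "perm": perm})
            return "allow"
        if perm in self._perms(user, self.btg_perms):
            return "btg"
        return "deny"

    def break_glass(self, user: str, perm: str, justification: str) -> bool:
        """Override for an unanticipated or emergency situation. Only permissions
        the user's roles mark as BTG can be taken, a justification is mandatory,
        and the event is always recorded."""
        if perm not in self._perms(user, self.btg_perms):
            self.audit.append({"event": "btg-refused", "user": user, "perm": perm})
            return False
        if not justification.strip():
            return False
        self.broken.add((user, perm))
        self.audit.append({"event": "btg-break", "user": user, "perm": perm,
                           "justification": justification})
        return True

    def reset(self, user: str, perm: str, reviewer: str) -> None:
        """Post-hoc obligation: a reviewer closes the override once it has been examined."""
        self.broken.discard((user, perm))
        self.audit.append({"event": "btg-reset", "user": user, "perm": perm,
                           "reviewer": reviewer})


def demo() -> dict:
    """Constructed ward scenario: a nurse normally reads only her own ward's records."""
    ac = BTGRBAC(
        role_perms={"nurse": {"read:ward-record"},
                    "physician": {"read:ward-record", "read:any-record"}},
        btg_perms={"nurse": {"read:any-record"}},
    )
    ac.assign("alice", "nurse")
    before = ac.check("alice", "read:any-record")
    broke = ac.break_glass("alice", "read:any-record",
                           "unconscious patient brought in from another ward")
    during = ac.check("alice", "read:any-record")
    ac.reset("alice", "read:any-record", reviewer="bob")
    after = ac.check("alice", "read:any-record")
    return {
        "before": before, "broke": broke, "during": during, "after": after,
        "write_denied": ac.check("alice", "write:any-record"),
        "no_justification": ac.break_glass("alice", "read:any-record", "   "),
        "events": [e["event"] for e in ac.audit],
    }
```

The point of the second tier is that "deny" and "allow" are not the only answers: a BTG permission is refused by default but remains reachable in a controlled way, and the audit trail plus the reviewer's reset are what make the override accountable rather than a silent privilege escalation.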
11

Graisithikul, Gunyarat. "Comparing Access Control Security Policies : A Case Study Using SBVR." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-108306.

Abstract:
Companies today are required more and more to interconnect their information systems with partners and suppliers in order to be competitive in a global marketplace. This raises the problem of how to compare the security policies of two different companies when they need to agree upon a single security policy. Can a comparison of two access control policies made through the Semantics of Business Vocabulary and Business Rules (SBVR) be more appropriate than the traditional way of intuitively comparing two information security policies? In this research, a case study has been conducted, with questionnaires as the data collection approach. In the case study, a degree of policy statement similarity between Company A's and Company B's policies has been calculated. Both calculations were based on the questionnaire results of Company A and Company B, in the form of SBVR and traditional policy statements separately. This research has revealed that an SBVR-applied policy is more appropriate for comparing two company policies than a traditionally written policy. By applying SBVR to the policy statements, Company A and Company B had their policies in the same structure, the SBVR format. They could identify a very clear similar part of the policy statements (70%, calculated from the results of the second questionnaire in this case study) agreed by both companies.
12

Nelson, Timothy. "Margrave: An Improved Analyzer for Access-Control and Configuration Policies." Digital WPI, 2010. https://digitalcommons.wpi.edu/etd-theses/203.

Abstract:
As our society grows more dependent on digital systems, policies that regulate access to electronic resources are becoming more common. However, such policies are notoriously difficult to configure properly, even for trained professionals. An incorrectly written access-control policy can result in inconvenience, financial damage, or even physical danger. The difficulty is more pronounced when multiple types of policy interact with each other, such as in routers on a network. This thesis presents a policy-analysis tool called Margrave. Given a query about a set of policies, Margrave returns a complete collection of scenarios that satisfy the query. Since the query language allows multiple policies to be compared, Margrave can be used to obtain an exhaustive list of the consequences of a seemingly innocent policy change. This feature gives policy authors the benefits of formal analysis without requiring that they state any formal properties about their policies. Our query language is equivalent to order-sorted first-order logic (OSL). Therefore our scenario-finding approach is, in general, only complete up to a user-provided bound on scenario size. To mitigate this limitation, we identify a class of OSL that we call Order-Sorted Effectively Propositional Logic (OS-EPL). We give a linear-time algorithm for testing membership in OS-EPL. Sentences in this class have the Finite Model Property, and thus Margrave's results on such queries are complete without user intervention.
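Added example, not Margrave itself: the scenario-finding idea from the abstract, done by exhaustive enumeration over constructed finite domains (the user-provided bound), so the result is complete within that bound. The policies OLD and NEW, the first-applicable rule format and the hospital attributes are made up for the illustration; the change-impact query lists every request whose decision the "innocent" edit altered, which is exactly what a policy author would want to see before deploying it.

```python
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple

# A scenario is one concrete request; a policy is an ordered list of
# (effect, conditions) rules evaluated first-applicable, default deny.
Scenario = Dict[str, str]
Rule = Tuple[str, Dict[str, str]]

# Constructed finite domains: the bound on scenario size.
DOMAINS: Dict[str, List[str]] = {
    "role": ["doctor", "nurse", "clerk"],
    "resource": ["ward", "archive"],
    "action": ["read", "write", "delete"],
}

# Original policy: doctors read anything, nurses read ward records only.
OLD: List[Rule] = [
    ("permit", {"role": "doctor", "action": "read"}),
    ("permit", {"role": "nurse", "action": "read", "resource": "ward"}),
]

# "Innocent" change meant to let nurses also write ward records, but the
# author dropped the action constraint, so the rule now matches every action.
NEW: List[Rule] = [
    ("permit", {"role": "doctor", "action": "read"}),
    ("permit", {"role": "nurse", "resource": "ward"}),
]


def evaluate(policy: List[Rule], scenario: Scenario, default: str = "deny") -> str:
    """First-applicable rule combining; unmatched requests get the default."""
    for effect, conditions in policy:
        if all(scenario.get(attr) == value for attr, value in conditions.items()):
            return effect
    return default


def scenarios(domains: Dict[str, Iterable[str]]) -> Iterable[Scenario]:
    """Every assignment of the attributes within the bound: the whole search space."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        yield dict(zip(names, values))


def find(domains: Dict[str, Iterable[str]],
         query: Callable[[Scenario], bool]) -> List[Scenario]:
    """All scenarios within the bound satisfying the query (exhaustive, hence complete)."""
    return [s for s in scenarios(domains) if query(s)]


def change_impact(old: List[Rule], new: List[Rule],
                  domains: Dict[str, Iterable[str]]) -> List[Scenario]:
    """Scenarios whose decision differs between the two policies."""
    return find(domains, lambda s: evaluate(old, s) != evaluate(new, s))


if __name__ == "__main__":
    for s in change_impact(OLD, NEW, DOMAINS):
        print(f"{s}: {evaluate(OLD, s)} -> {evaluate(NEW, s)}")
```

Brute force is fine here because the domains are tiny; Margrave's contribution is getting the same completeness guarantee for first-order queries without enumerating, and recognising (the OS-EPL class) when no bound is needed at all. The shape of the answer is the same: a list of concrete scenarios, not a yes/no verdict, so the author sees the unintended `delete` grant without having written any formal property.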
13

Sans, Thierry. "Beyond access control - specifying and deploying security policies in information systems." Télécom Bretagne, 2007. http://www.theses.fr/2007TELB0040.

Abstract:
Multimedia streaming services traditionally require high performance from the network (high bandwidth, low error rate and short delay), which conflicts with the severe constraints of wireless networks (limited bandwidth, error-prone channels and highly variable network conditions). In this thesis we study the hypothesis that this harsh, resource-constrained environment requires application-specific architectures rather than general-purpose ones in order to increase the efficiency of network resource usage. In particular, we study ROHC header compression of video streams delivered over wireless networks, through three case studies on wireless multicast video streaming. The first study evaluates the performance of ROHC combined with UDP-Lite. We found that bandwidth usage is improved because the packet loss rate is decreased by the packet size reduction achieved by ROHC and by the less strict integrity verification policy implemented by UDP-Lite. The second and third studies consider the case where users join a unidirectional common channel at random times to receive the video stream. After joining the transmission, a user has to wait to receive both the video compression context and the ROHC header compression context before the video can be played. This start-up delay depends on the user's access time and on how often the video and header compression contexts are initialized and refreshed. "Top-down" cross-layer architectures were developed to adapt the ROHC header compression behaviour to that of the video compression. These studies show that such application-specific protocol architectures optimize bandwidth usage, provide robustness to errors and offer a shorter delay before video playback starts than general-purpose architectures.
14

Howard, Matthew. "Learning control policies from constrained motion." Thesis, University of Edinburgh, 2009. http://hdl.handle.net/1842/3972.

Abstract:
Many everyday human skills can be framed in terms of performing some task subject to constraints imposed by the task or the environment. Constraints are usually unobservable and frequently change between contexts. In this thesis, we explore the problem of learning control policies from data containing variable, dynamic and non-linear constraints on motion. We show that an effective approach for doing this is to learn the unconstrained policy in a way that is consistent with the constraints. We propose several novel algorithms for extracting these policies from movement data, where observations are recorded under different constraints. Furthermore, we show that, by doing so, we are able to learn representations of movement that generalise over constraints and can predict behaviour under new constraints. In our experiments, we test the algorithms on systems of varying size and complexity, and show that the novel approaches give significant improvements in performance compared with standard policy learning approaches that are naive to the effect of constraints. Finally, we illustrate the utility of the approaches for learning from human motion capture data and transferring behaviour to several robotic platforms.
15

Mends, Diana. "Access Control and Storage of Distributed IoT Data." Thesis, Université d'Ottawa / University of Ottawa, 2018. http://hdl.handle.net/10393/37356.

Abstract:
There has been a growth of a class of databases known as Not only SQL (NoSQL) databases in recent years. Their quick growth has been fueled by high demand from businesses, as they offer a convenient way to store data and are significantly different from traditional relational databases. They process unstructured data easily, offer a cloud-friendly approach and grow by distributing data over many commodity computers. Most of these NoSQL databases are distributed over several different locations, spanning countries, and are known as geo-distributed cloud datastores. We work to customize one of these, known as Cassandra. Given the size of the database and the size of the applications accessing the stored data, it has been challenging to customize it to meet existing application Service Level Agreements (SLAs). We live in an era of data breaches, and even though some types of information are stripped of all sensitive data, there are ways to easily identify it and link it to data of real persons or governments. Data saved in different countries are subject to the rules and regulations of that specific country and to the security measures employed to safeguard consumer data. In this thesis, we describe mechanisms for selectively replicating data in a large-scale NoSQL datastore with respect to privacy and legal regulations. We introduce an easily extensible constraint language to implement these policy constraints through the creation of a pluggable topology provider in the configuration files of Cassandra. Experiments using the modified Cassandra trunk demonstrate that our techniques work well, respect response times and improve read and write latencies.
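Added example, not the thesis's constraint language nor its Cassandra topology provider: a hypothetical per-keyspace constraint syntax (`require`, `forbid`, `replicas`) evaluated against datacenter attributes to decide where replicas of each keyspace may be placed. The datacenters, their attributes and the keyspaces are constructed; a real provider would hand the resulting placement to the datastore's replication strategy. The failure mode matters as much as the happy path: if the policy cannot be satisfied at the requested replication factor, the planner refuses rather than quietly under-replicating or placing a copy somewhere the policy forbids.

```python
import re
from typing import Dict, List

# Constructed topology: datacenters the cluster spans and their legal attributes.
DATACENTERS: Dict[str, Dict[str, str]] = {
    "dc-frankfurt": {"region": "EU", "country": "DE"},
    "dc-dublin": {"region": "EU", "country": "IE"},
    "dc-virginia": {"region": "US", "country": "US"},
    "dc-singapore": {"region": "APAC", "country": "SG"},
}

# Hypothetical constraint language, one keyspace per line:
#   keyspace NAME: require ATTR=VALUE; forbid ATTR=VALUE; replicas=N
CONSTRAINTS = """
# EU personal data may never leave the EU
keyspace eu_customers: require region=EU; replicas=2
# a contractual clause excludes one country for this dataset
keyspace analytics: forbid country=DE; replicas=3
# no restriction: any datacenter may hold a copy
keyspace public_catalog: replicas=2
"""


def parse_constraints(text: str) -> Dict[str, dict]:
    """Parse the constraint text into {keyspace: {require, forbid, replicas}}."""
    rules: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"keyspace\s+(\w+)\s*:\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        name, body = m.groups()
        rule = {"require": {}, "forbid": {}, "replicas": 1}
        for clause in (c.strip() for c in body.split(";")):
            if not clause:
                continue
            if clause.startswith("require "):
                attr, value = clause[len("require "):].split("=", 1)
                rule["require"][attr.strip()] = value.strip()
            elif clause.startswith("forbid "):
                attr, value = clause[len("forbid "):].split("=", 1)
                rule["forbid"][attr.strip()] = value.strip()
            elif clause.startswith("replicas="):
                rule["replicas"] = int(clause[len("replicas="):])
            else:
                raise ValueError(f"unknown clause {clause!r} in keyspace {name}")
        rules[name] = rule
    return rules


def eligible(rule: dict, datacenters: Dict[str, Dict[str, str]]) -> List[str]:
    """Datacenters satisfying every 'require' and no 'forbid' clause, in stable order."""
    return sorted(
        name for name, attrs in datacenters.items()
        if all(attrs.get(a) == v for a, v in rule["require"].items())
        and not any(attrs.get(a) == v for a, v in rule["forbid"].items())
    )


def plan(text: str, datacenters: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Replica placement per keyspace. Refuses to under-replicate or to place a
    replica where policy forbids it: both are errors, not fallbacks."""
    placement: Dict[str, List[str]] = {}
    for keyspace, rule in parse_constraints(text).items():
        candidates = eligible(rule, datacenters)
        if len(candidates) < rule["replicas"]:
            raise ValueError(
                f"{keyspace}: needs {rule['replicas']} replicas but only "
                f"{candidates or 'no'} datacenters satisfy its constraints")
        placement[keyspace] = candidates[:rule["replicas"]]
    return placement
```

Placement is deterministic (sorted datacenter names) so that two nodes reading the same configuration compute the same topology; a production provider would also want to prefer datacenters by latency or load among the eligible ones, but never outside them.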
16

Kong, Jiantao. "Trusted data path protecting shared data in virtualized distributed systems." Diss., Georgia Institute of Technology, 2010. http://hdl.handle.net/1853/33820.

Abstract:
When sharing data across multiple sites, service applications should not be trusted automatically. Services that are suspected of faulty, erroneous, or malicious behaviors, or that run on systems that may be compromised, should not be able to gain access to protected data or be entrusted with the same data access rights as others. This thesis proposes a context flow model that controls the information flow in a distributed system. Each service application along with its surrounding context in a distributed system is treated as a controllable principal. This thesis defines a trust-based access control model that controls the information exchange between these principals. An online monitoring framework is used to evaluate the trustworthiness of the service applications and the underlying systems. An external communication interception runtime framework enforces trust-based access control transparently for the entire system.
17

Clark, Paul C. "A Linux-based approach to low-cost support of access control policies." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 1999. http://handle.dtic.mil/100.2/ADA370814.

Abstract:
Thesis (M.S. Computer Science) Naval Postgraduate School, September 1999.
"September 1999". Thesis advisor(s): Cynthia E. Irvine. Includes bibliographical references (p. 169-171). Also available online.
18

Qunoo, Hasan Najib Yousif. "Modelling and verifying dynamic access control policies using knowledge-based model checking." Thesis, University of Birmingham, 2012. http://etheses.bham.ac.uk//id/eprint/3501/.

Abstract:
This thesis advances the modelling and verification of access control policies by using automated knowledge-based symbolic model checking techniques. The key contributions of this thesis are threefold: firstly, a modelling language that expresses dynamic access control policies with compound actions that update multiple variables; secondly, a knowledge-based verification algorithm that verifies properties over an access control policy that has compound actions; and finally, an automated tool, called X-Policy, which implements the algorithm. This research enables us to model and verify access control policies for web-based collaborative systems. We model and analyse a number of conference management systems and their security properties. We propose the appropriate modifications to rectify the policies when possible. Ultimately, this research will allow us to model and verify more systems and help avoid the current situation.
19

Kayem, Anne Voluntas dei Massah. "Adaptive Cryptographic Access Control for Dynamic Data Sharing Environments." Kingston, Ont. : [s.n.], 2008. http://hdl.handle.net/1974/1557.

20

Haddad, Mehdi. "Access control and inference problem in data integration systems." Thesis, Lyon, INSA, 2014. http://www.theses.fr/2014ISAL0107/document.

Abstract:
In this thesis we are interested in access control in a system built by data integration. In a data integration system a mediator is defined; this mediator aims to provide a single entry point to a set of heterogeneous sources. In this kind of architecture, security aspects, and access control in particular, represent a major challenge. Indeed, every source, designed independently of the others, defines its own access control policy. The problem that emerges is then: "How to define a representative policy at the mediator level that preserves the policies of the sources involved in building the mediator?" Preserving the sources' policies means that an access prohibited at the source level must also be prohibited at the mediator level. The mediator's policy must also protect data against indirect accesses. An indirect access occurs when sensitive information can be synthesized by combining non-sensitive information with the semantic links between those pieces of information. Detecting all indirect accesses in a given system is referred to as the inference problem. In this manuscript we propose an incremental methodology that tackles the inference problem in a data integration context. This methodology has three phases. The first, the propagation phase, combines the source policies and thereby generates a preliminary policy at the mediator level. The second, the detection phase, characterizes the role that semantic relations between data can play in inferring confidential information. Within this phase we also introduce a graph-based approach to enumerate all indirect accesses that could lead to sensitive information. To remedy the indirect accesses detected, we introduce the reconfiguration phase, which provides two solutions: the first is implemented at design time (at the conceptual level), the second at runtime.
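Added example, not the thesis's own method or code: the three phases sketched in the abstract, with the semantic constraints modelled as functional dependencies. Propagation forbids at the mediator anything any source forbids; detection enumerates the minimal sets of visible attributes whose closure reaches a forbidden attribute (each such set is an indirect access); the design-time reconfiguration hides attributes at the mediator until no channel remains. The sources, attributes and dependencies are constructed.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# A semantic constraint is a functional dependency: the attributes on the left
# determine the attribute on the right (e.g. grade and band fix the salary).
FD = Tuple[FrozenSet[str], str]

# Constructed sources: each exposes some attributes and forbids others.
SOURCES: Dict[str, Dict[str, Set[str]]] = {
    "hr":      {"allow": {"employee", "dept", "grade"}, "deny": set()},
    "payroll": {"allow": {"grade", "band", "bonus"},    "deny": {"salary"}},
}
FDS: List[FD] = [
    (frozenset({"grade", "band"}), "salary"),   # pay scale is a function of grade and band
    (frozenset({"employee"}), "grade"),         # an employee has exactly one grade
]


def propagate(sources: Dict[str, Dict[str, Set[str]]]) -> Tuple[Set[str], Set[str]]:
    """Propagation phase, preliminary mediator policy: an attribute is forbidden at
    the mediator as soon as any source forbids it; everything else is visible."""
    forbidden: Set[str] = set().union(*(s["deny"] for s in sources.values()))
    visible: Set[str] = set().union(*(s["allow"] for s in sources.values())) - forbidden
    return visible, forbidden


def closure(attrs, fds: List[FD]) -> Set[str]:
    """Attribute closure under the FDs: everything derivable from `attrs`."""
    result = set(attrs)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs <= result and rhs not in result:
                result.add(rhs)
                changed = True
    return result


def inference_channels(visible: Set[str], forbidden: Set[str],
                       fds: List[FD]) -> Dict[str, List[FrozenSet[str]]]:
    """Detection phase: for each forbidden attribute, the minimal sets of visible
    attributes whose closure reaches it. Each set is one indirect access."""
    minimal: Dict[str, List[FrozenSet[str]]] = {t: [] for t in forbidden}
    for size in range(1, len(visible) + 1):            # smaller sets first => minimality
        for combo in combinations(sorted(visible), size):
            subset = frozenset(combo)
            for target in closure(subset, fds) & forbidden:
                if not any(m <= subset for m in minimal[target]):
                    minimal[target].append(subset)
    return {t: sets for t, sets in minimal.items() if sets}


def reconfigure(visible: Set[str], forbidden: Set[str], fds: List[FD]) -> Set[str]:
    """Design-time reconfiguration: hide attributes at the mediator (greedily, the
    one that breaks the most channels) until no indirect access remains."""
    hidden: Set[str] = set()
    remaining = set(visible)
    while True:
        channels = inference_channels(remaining, forbidden, fds)
        if not channels:
            return hidden
        hits: Dict[str, int] = {}
        for sets in channels.values():
            for s in sets:
                for attr in s:
                    hits[attr] = hits.get(attr, 0) + 1
        victim = max(sorted(hits), key=hits.get)   # sorted() makes ties deterministic
        hidden.add(victim)
        remaining.discard(victim)
```

The constructed case shows why propagation alone is not enough: no source exposes `salary`, yet `{grade, band}` and, one dependency further along, `{employee, band}` both determine it. The runtime alternative the abstract mentions would leave all attributes visible and instead reject any single query (or query history) whose attribute set contains one of these channels.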
21

Sitenkov, Denis. "Access Control in the Internet of Things." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-177205.

Abstract:
The new generation of Wireless Sensor Networks, known as the Internet of Things, enables the direct connection of physical objects to the Internet using microcontrollers. In most cases these microcontrollers have very limited computational resources. The global connectivity provides great opportunities for data collection and analysis as well as for interaction between objects that cannot be connected to the same local area network. Many application scenarios have high requirements for the security and privacy of transmitted data. At the same time, security solutions that are used for general-purpose computers are not always applicable to constrained devices. That leaves room for new solutions that take into account the technological aspects of the Internet of Things. In this thesis we investigate an access control solution for the IETF standard draft Constrained Application Protocol, using the Datagram Transport Layer Security protocol for transport security. We use a centralized approach to store access control information in the framework. Since public key cryptography operations might be computationally too expensive for constrained devices, we build our solution on symmetric cryptography. Evaluation results show that the access control framework increases the computational effort of the handshake by 6.0%, increases the code footprint of the Datagram Transport Layer Security implementation by 7.9% and has no effect on the overall handshake time. Our novel protocol is not vulnerable to Denial of Service or Drain Battery Attack.
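Added example, not the protocol from Sitenkov's thesis: one way to do centralized, symmetric-key-only access control in front of a DTLS-PSK handshake, in the spirit of the abstract. A hypothetical authorization server shares a long-term key with each device, issues a MAC-protected ticket that the client presents as its DTLS PSK identity, and derives the PSK from that same ticket so the device can recompute it with no stored per-client state (which also keeps an attacker from exhausting the device's memory with bogus identities). Keys, identifiers and the CoAP scope format are constructed; the DTLS handshake itself is not implemented, only the PSK lookup and the per-request scope check a device would perform.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, List, Optional, Tuple

MAC_LEN = 32  # HMAC-SHA256 tag length


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 with a label, used both as a MAC and as a simple KDF."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


class AuthServer:
    """Central authorization server. It shares a long-term symmetric key with
    every constrained device, so no public-key operation is ever needed."""

    def __init__(self, device_keys: Dict[str, bytes], now: Callable[[], int]):
        self.device_keys = device_keys
        self.now = now

    def issue(self, client_id: str, device_id: str, scope: List[str],
              ttl: int = 300) -> Tuple[bytes, bytes]:
        """Return (ticket, psk). The ticket is presented to the device as the DTLS
        PSK identity; the psk goes back to the client over its own secure channel."""
        claims = {"cid": client_id, "dev": device_id, "scope": scope,
                  "exp": self.now() + ttl,
                  "nonce": base64.b64encode(os.urandom(8)).decode()}
        body = json.dumps(claims, sort_keys=True).encode()
        k_dev = self.device_keys[device_id]
        ticket = base64.urlsafe_b64encode(body + _prf(k_dev, b"ticket", body))
        psk = _prf(k_dev, b"psk", body)   # derived, so the ticket carries no secret
        return ticket, psk


class Device:
    """Constrained device: verifies tickets with its own key and re-derives the PSK."""

    def __init__(self, device_id: str, key: bytes, now: Callable[[], int]):
        self.device_id = device_id
        self.key = key
        self.now = now

    def _verify(self, identity: bytes) -> Optional[Tuple[dict, bytes]]:
        try:
            raw = base64.urlsafe_b64decode(identity)
        except (ValueError, TypeError):
            return None
        body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        # Constant-time comparison; a forged or altered ticket fails here, cheaply.
        if len(tag) != MAC_LEN or not hmac.compare_digest(tag, _prf(self.key, b"ticket", body)):
            return None
        claims = json.loads(body)
        if claims.get("dev") != self.device_id or claims.get("exp", 0) <= self.now():
            return None   # wrong device or expired: the handshake must fail
        return claims, body

    def psk_for_identity(self, identity: bytes) -> Optional[bytes]:
        """DTLS PSK lookup callback: identity -> key, or None to abort the handshake."""
        verified = self._verify(identity)
        if verified is None:
            return None
        _, body = verified
        return _prf(self.key, b"psk", body)

    def authorize(self, identity: bytes, method: str, path: str) -> bool:
        """Per-request check of the CoAP method and resource against the ticket scope."""
        verified = self._verify(identity)
        if verified is None:
            return False
        claims, _ = verified
        return any(fnmatch.fnmatchcase(f"{method} {path}", pattern) for pattern in claims["scope"])


def demo() -> dict:
    """Constructed exchange with a fixed clock so the result is reproducible."""
    clock = lambda: 1_700_000_000
    k_dev = hashlib.sha256(b"constructed long-term key of thermo-1").digest()
    auth = AuthServer({"thermo-1": k_dev}, now=clock)
    thermo = Device("thermo-1", k_dev, now=clock)

    ticket, psk_client = auth.issue("app-42", "thermo-1", ["GET /sensors/*"])
    rogue_ticket, _ = AuthServer({"thermo-1": b"guessed key"}, now=clock).issue(
        "app-42", "thermo-1", ["* *"])
    later = Device("thermo-1", k_dev, now=lambda: clock() + 600)   # past the ttl

    return {
        "psk_match": thermo.psk_for_identity(ticket) == psk_client,
        "get_temp": thermo.authorize(ticket, "GET", "/sensors/temp"),
        "put_led": thermo.authorize(ticket, "PUT", "/actuators/led"),
        "forged": thermo.psk_for_identity(rogue_ticket),
        "expired": later.psk_for_identity(ticket),
    }
```

Two properties are worth noting. Because verification is one HMAC over a short identity, a flood of invalid handshakes costs the device little more than the plain DTLS-PSK case, which is the resource-exhaustion concern the abstract raises. And because the PSK is derived rather than stored, the only per-device secret is the long-term key, which is also the limit of the scheme: compromise of the authorization server's key table yields every device's keys, so that table deserves the strongest protection in the deployment.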
22

Denis, Sitenkov. "Access Control in the Internet of Things." Thesis, SICS, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:ri:diva-24325.

Abstract:
The new generation of Wireless Sensor Networks, known as the Internet of Things, enables the direct connection of physical objects to the Internet using microcontrollers. In most cases these microcontrollers have very limited computational resources. The global connectivity provides great opportunities for data collection and analysis as well as for interaction between objects that cannot be connected to the same local area network. Many application scenarios have high requirements for the security and privacy of transmitted data. At the same time, security solutions that are used for general-purpose computers are not always applicable to constrained devices. That leaves room for new solutions that take into account the technological aspects of the Internet of Things. In this thesis we investigate an access control solution for the IETF standard draft Constrained Application Protocol, using the Datagram Transport Layer Security protocol for transport security. We use a centralized approach to store access control information in the framework. Since public key cryptography operations might be computationally too expensive for constrained devices, we build our solution on symmetric cryptography. Evaluation results show that the access control framework increases the computational effort of the handshake by 6.0%, increases the code footprint of the Datagram Transport Layer Security implementation by 7.9% and has no effect on the overall handshake time. Our novel protocol is not vulnerable to Denial of Service or Drain Battery Attack.
Thesis supervised by Shahid Raza (shahid@sics.se) and Ludwig Seitz (ludwig@sics.se)
23

Jensen, Torstein, and Knut Halvor Larsen. "Developing Patient Controlled Access : An Access Control Model for Personal Health Records." Thesis, Norwegian University of Science and Technology, Department of Computer and Information Science, 2007. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9597.

Abstract:

The health and social care sector sees continuous growth in the use of information technology. With more and more information about the patient stored in different systems by different health care actors, information sharing is a key to better treatment. The introduction of the personal health record aims at making this treatment process easier. In addition to being able to share information with others, patients can also take a more active part in their treatment by communicating with participants through the system. As the personal health record is owned and controlled by the patient with assistance from health care actors, one of the keys to success lies in how the patient can control access to the record. In this master's thesis we have developed an access control model for the personal health record in a Norwegian setting. The development is based on different studies of existing similar solutions and literature. Some of the topics we present are re-introduced from an earlier project. Interviews with potential users have also been a valuable and important source of ideas and inspiration, especially because the access control model places high demands on user-friendliness. As part of the access control model we have also suggested a set of key roles for the personal health record. Through a conceptual implementation we have further shown that the access control model can be implemented. Three different solutions that show the conceptual implementation in the Indivo personal health record have been suggested, using the Extensible Access Control Markup Language as the foundation.

24

Galland, Alban. "Distributed data management with access control : social Networks and Data of the Web." Phd thesis, Université Paris Sud - Paris XI, 2011. http://tel.archives-ouvertes.fr/tel-00640725.

Abstract:
The amount of information on the Web is spreading very rapidly. Users as well as companies bring data to the network and are willing to share with others. They quickly reach a situation where their information is hosted on many machines they own and on a large number of autonomous systems where they have accounts. Management of all this information is rapidly becoming beyond human expertise. We introduce WebdamExchange, a novel distributed knowledge-base model that includes logical statements for specifying information, access control, secrets, distribution, and knowledge about other peers. These statements can be communicated, replicated, queried, and updated, while keeping track of time and provenance. The resulting knowledge guides distributed data management. The WebdamExchange model is based on WebdamLog, a new rule-based language for distributed data management that combines in a formal setting deductive rules as in Datalog with negation (to specify intensional data) and active rules as in Datalog:: (for updates and communications). The model provides a novel setting with a strong emphasis on dynamicity and interactions (in a Web 2.0 style). Because the model is powerful, it provides a clean basis for the specification of complex distributed applications. Because it is simple, it provides a formal framework for studying many facets of the problem such as distribution, concurrency, and expressivity in the context of distributed autonomous peers. We also discuss an implementation of a proof-of-concept system that handles all the components of the knowledge base and experiments with a lighter system designed for smartphones. We believe that these contributions are a good foundation to overcome the problems of Web data management, in particular with respect to access control.
25

Zhou, Xiaoming. "Congestion management and medium access control in satellite data networks." College Park, Md. : University of Maryland, 2004. http://hdl.handle.net/1903/2137.

Abstract:
Thesis (Ph. D.) -- University of Maryland, College Park, 2004.
Thesis research directed by: Electrical Engineering. Title from t.p. of PDF. Includes bibliographical references. Published by UMI Dissertation Services, Ann Arbor, Mich. Also available in paper.
26

Chen, Feifan. "Cross-platform data integrity and confidentiality with graduated access control." Thesis, University of British Columbia, 2016. http://hdl.handle.net/2429/60265.

Abstract:
Security of data is tightly coupled to its access policy. However, in practice, a data owner has control of his data’s access policies only as far as the boundaries of his own systems. We introduce graduated access control, which provides mobile, programmable, and dynamically-resolving policies for access control that extends a data owner’s policies across system boundaries. We realize this through a novel data-centric abstraction called trusted capsules and its associated system, the trusted data monitor. A trusted capsule couples data and policy into a single mobile unit. A capsule is backwards-compatible and is indistinguishable from any regular file to applications. In coordination with the trusted data monitor, a capsule provides data integrity and confidentiality on remote devices, strong authentication to a trusted capsule service, and supports nuanced and dynamic access control decisions on remote systems. We implemented our data monitor using ARM TrustZone. We show that graduated access control can express novel and useful real world policies, such as revocation, remote monitoring, and risk-adaptable disclosure. We illustrate trusted capsules for different file formats, including JPEG, FODT, MP4 and PDF. We also show compatibility with unmodified applications such as LibreOffice Writer, Evince, GpicView and VLC. In general, we found that applications operating on trusted capsules have varying performance, which depends on file size, application access patterns, and policy complexity.
Faculty of Science, Department of Computer Science (Graduate).
27

Wang, Frank Yi-Fei. "Cryptographically enforced access control for user data in untrusted clouds." Thesis, Massachusetts Institute of Technology, 2016. http://hdl.handle.net/1721.1/103669.

Abstract:
Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Cataloged from student-submitted PDF version of thesis.
Includes bibliographical references (pages 55-60).
Modern web services rob users of low-level control over cloud storage; a user's single logical data set is scattered across multiple storage silos whose access controls are set by the web services, not users. The result is that users lack the ultimate authority to determine how their data is shared with other web services. In this thesis, we introduce Sieve, a new architecture for selectively exposing user data to third party web services in a provably secure manner. Sieve starts with a user-centric storage model: each user uploads encrypted data to a single cloud store, and by default, only the user knows the decryption keys. Given this storage model, Sieve defines an infrastructure to support rich, legacy web applications. Using attribute-based encryption, Sieve allows users to define intuitive, understandable access policies that are cryptographically enforceable. Using key homomorphism, Sieve can re-encrypt user data on storage providers in situ, revoking decryption keys from web services without revealing new ones to the storage provider. Using secret sharing and two-factor authentication, Sieve protects against the loss of user devices like smartphones and laptops. The result is that users can enjoy rich, legacy web applications, while benefiting from cryptographically strong controls over what data the services can access.
28

Mohamed, Abdelrahim. "Efficient radio access network with separated control and data functions." Thesis, University of Surrey, 2017. http://epubs.surrey.ac.uk/813133/.

Full text
Abstract:
Future cellular systems need to cope with a huge amount of data and diverse service requirements in a flexible, sustainable, green and efficient way with minimal signalling overhead. This calls for network densification, a short length wireless link, efficient and proactive control signalling and the ability to switch off the power consuming devices when they are not in use. In this direction, the conventional always-on service and worst-case design approach has been identified as the main source of inefficiency, and a paradigm shift towards adaptive and on-demand systems is seen as a promising solution. However, the conventional radio access network (RAN) architecture limits the achievable gains due to the tight coupling between network and data access points, which in turn imposes strict coverage and signalling requirements irrespective of the spatio-temporal service demand, channel conditions or mobility profiles. This suggests a new clean slate RAN architecture with a logical separation between the ability to establish availability of the network and the ability to provide functionality or service. This separation of control and data planes provides a framework where limitations and constraints of the conventional RAN can be overcome. In this context, the aim of this thesis is to investigate the control/data separation architecture (CDSA) for futuristic RANs where data services are provided by data base stations (DBSs) under the umbrella of a coverage layer supported by control base stations (CBSs). A comprehensive literature survey of the CDSA is provided in this thesis. The concept, general structure and basic operation are discussed along with the separation framework and approaches. In addition, limitations of the conventional architecture are pointed out and superiority of the CDSA is discussed whilst focusing on futuristic deployment scenarios. 
Furthermore, the CDSA technical challenges and enabling technologies are identified, and preliminary standardisation proposals related to this research vision are presented. Three areas, namely energy efficiency, signalling overhead and latency, and mobility management, are identified as promising dimensions that can be substantially improved under a CDSA configuration. Focusing on the signalling overhead dimension, a correlation-based adaptive DBS pilot signalling scheme is proposed by exploiting the separation property and the one-to-one nature of the DBS link. The proposed scheme considers channel estimation pilots in the downlink of a multi-carrier DBS air interface, and it depends on estimating the actual channel correlation function to redistribute the pilot signals dynamically. Simulation results show that the proposed adaptive scheme provides a significant saving of 74%-78% in pilot signalling overhead without (or with a marginal) performance penalty as compared with the conventional worst-case design approach. In addition, the out-of-band signalling related to mobility management is investigated by exploiting the relaxed constraints offered by the CDSA. In particular, the active state handover (HO) signalling in the DBS layer is tackled by proposing two predictive DBS HO signalling schemes with minimal HO latency. These include a history-based predictive DBS HO scheme that predicts future DBS HO events based on the user history, and a measurement-based context-aided predictive DBS HO scheme that predicts future DBS HO events along with the expected HO time by combining DBS signal measurements with physical proximity and user contextual information. In both schemes, the prediction outcome is utilised to perform the HO-related DBS RAN signalling in advance, resulting in lightweight HO procedures. Simulation results show that these predictive schemes can remarkably reduce the DBS HO signalling latency w.r.t. the benchmark. 
Precisely, up to 34% reduction in the HO signalling latency is achieved. Moreover, the dual connection feature of the CDSA and the large CBS footprint are utilised to minimise the HO-related core-network (CN) signalling load by proposing a CN-transparent HO signalling scheme. In the latter, the CBS is used as a mobility anchor point for the users and as a data plane anchor point for the DBSs. Thus, the control plane remains unchanged as long as the user mobility is within the same CBS, while the data plane is switched locally at the CBS. Furthermore, the additional data plane backhaul latency induced by the CDSA is modelled and an upper bound for the DBS density under latency constraints is derived. Numerical and simulation results show that the CDSA-based CN-transparent HO signalling scheme significantly outperforms the conventional architecture-based CN-visible HO approaches in terms of CN signalling load. In dense deployment scenarios, the CN-transparent HO scheme is found to be more beneficial where the gains reach 90% reduction in the CN signalling load. Additionally, the CN-transparent HO scheme is integrated with the predictive HO techniques, and simulation results show that the integrated scheme doubles the gains of the predictive-only HO approach in terms of reduction in DBS HO signalling latency.
29

Muppavarapu, Vineela. "Semantic and Role-Based Access Control for Data Grid Systems." Wright State University / OhioLINK, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=wright1258569101.

Full text
30

Moré, Andre, and Ermias Gebremeskel. "HopsWorks : A project-based access control model for Hadoop." Thesis, KTH, Skolan för informations- och kommunikationsteknik (ICT), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-175742.

Full text
Abstract:
The growth in global data-gathering capacity is producing a vast amount of data, and the volume is growing at an ever-increasing rate. Properly analysed, this data can represent a great opportunity for businesses, but processing it is a resource-intensive task. Sharing can increase efficiency through reuse, but legal and ethical questions arise when data is shared. The purpose of this thesis is to gain an in-depth understanding of the different access control methods that can be used to facilitate sharing, and to choose one to implement on a platform that lets users analyse, share, and collaborate on datasets. The resulting platform uses project-based access control at the API level and fine-grained role-based access control on the file system to give the data owner full control over the shared data.
Today, enormous amounts of data are generated and collected, growing at an ever faster pace each day. Correctly analysed, this data could offer great opportunities for companies, but the problem is that it is very resource-intensive to process. Enabling organisations to share the data would make the whole process more efficient thanks to data reuse, but sharing raises legal and ethical questions. The purpose of this report is to gain a deeper understanding of the different access control methods that can be used when sharing data, and then to choose the method considered most suitable for use in a platform. The platform will be used by users who want to create projects in which they analyse, share and work with datasets; the platform's security is implemented with project-based access control at the API level and fine-grained role-based access control on the file system, to give the data owner full control over the data that is shared.
31

Bai, Yun, of Western Sydney Nepean University, and School of Computing and Information Technology. "On formal specification of authorization policies and their transformations : thesis." THESIS_XXX_CIT_Bai_Y.xml, 2000. http://handle.uws.edu.au:8081/1959.7/564.

Full text
Abstract:
Most of today's information systems are quite complex and often involve multi-user resource sharing. In such a system, authorization policies are needed to ensure that information flows in the desired way and to prevent illegal access to system resources. Overall, authorization policies provide the ability to limit and control access to systems, applications and information. These policies need to be updated to capture the changing requirements of applications, systems and users, and these updates are implemented through the transformation of authorization policies. In this thesis, the author proposes a logic-based formal approach to specifying authorization policies, to reasoning about a transformation or a sequence of transformations of authorization policies, and to applying it in object-oriented databases. The author defines the structure of the policy transformation and employs model-based semantics to perform the transformation under the principle of minimum change. The language is modified to consider a sequence of authorization policy transformations; it handles more complex transformations and solves certain problems. The language is able to represent incomplete information and default authorizations, and allows denials to be expressed explicitly. The proposed language is used to specify a variety of well-known access control policies such as static separation of duty, dynamic separation of duty and the Chinese wall security policy. The authorization formalization is also applied to object-oriented databases.
Doctor of Philosophy (PhD)
32

Pereira, Anil L. "Role-based Access Control for the Open Grid Services Architecture – Data Access and Integration (OGSA-DAI)." Wright State University / OhioLINK, 2007. http://rave.ohiolink.edu/etdc/view?acc_num=wright1176331524.

Full text
33

Rigby, Simon. "Key management in secure data networks." Thesis, Queensland University of Technology, 1987. https://eprints.qut.edu.au/36825/1/36825_Rigby_1987.pdf.

Full text
Abstract:
Key management is one of the major problem areas in today's secure data communications networks. Many of the problems may be solved with a device known as a security module. The security module must be designed to meet the requirements of a key management system, and also be capable of preventing abuses of it. It has been discovered that rule-based programming languages are particularly suited to modelling the functionality of security modules and their role in cryptographic key management. In this work, automated techniques for analysing security systems which employ security modules are presented.
34

Zafar, Saad. "Integration of Access Control Requirements into System Specifications." Thesis, Griffith University, 2009. http://hdl.handle.net/10072/368100.

Full text
Abstract:
The reliance on computer‐based systems is growing steadily. Information systems span many aspects of our lives. Due to increased reliance on computer‐based systems there is a growing concern about the security and privacy of information available in these systems. As a result, the complexity of the data protection and availability requirements of most modern applications has also increased. An access control mechanism is one of the key security elements in the implementation of data protection and availability requirements. The effective implementation of access control requirements in the system design is generally hampered by the fact that security requirements are typically analysed in isolation from the rest of the system's requirements. This isolation of security and systems engineering leads to a number of integration problems. In general, the effective integration of access control models is affected by four major problems: (1) the informal models may not be formally verified for correctness; (2) the formally specified models may not be easy to understand and validate; (3) the often specialised formal models use a different notation from the specification and design notation; and (4) the overall development does not support the early integration of security requirements into the design process, and requirements traceability is often lost. For effective integration of security‐related requirements a security engineering method has been developed, which is based on an existing systems development approach called Behavior Engineering (BE). The BE approach uses a graphical notation called Behavior Trees (BT) for the specification of requirements. The approach provides a systematic translation of informal requirements into a formal representation. An integrated view of requirements is generated which provides a platform for requirements analysis and design. With tool support the BT model can be simulated and model‐checked for correctness. 
The extension of BE for security engineering has been augmented by an access control model called BT‐RBAC. BT‐RBAC is an integrated graphical model that aims to simplify the formal specification, validation, verification and integration of access control requirements into the system design. The integration of access control requirements is assisted through the use of a single notation throughout the development process. Other features of the model include a systematic translation process, early defect detection, requirements traceability and support for transforming requirements into the system design in a traceable manner.
Thesis (PhD Doctorate)
Doctor of Philosophy (PhD)
School of Information and Communication Technology
Science, Environment, Engineering and Technology
35

Estlund, Mark J. "A survey and analysis of access control architectures for XML data." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2006. http://library.nps.navy.mil/uhtbin/hyperion/06Mar%5FEstlund.pdf.

Full text
Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, March 2006.
Thesis Advisor(s): Cynthia E. Irvine, Timothy E. Levin. "March 2006." Includes bibliographical references (p. 43-45). Also available online.
36

Rabbath, Jean-Pierre. "Flow control for packet data in an integrated wireless access network." Thesis, National Library of Canada = Bibliothèque nationale du Canada, 1998. http://www.collectionscanada.ca/obj/s4/f2/dsk1/tape11/PQDD_0006/MQ44037.pdf.

Full text
37

Ali, Waqas Liaqat. "Securing Safebook : Secure Data Access Control and Key Management for Safebook." Thesis, KTH, Radio Systems Laboratory (RS Lab), 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-126987.

Full text
Abstract:
Online social networks have become a fast and efficient way of sharing information and experiences. Over the past few years the trend of using social networks has drastically increased, with an enormous amount of users' private content injected into the providers' data centers. This has raised concerns about how users' content is protected and how the privacy of users is preserved by the service providers. Moreover, current social networks have been subject to much criticism over their privacy settings and access control mechanisms. The providers own the users' content and this content is subject to potential misuse. Many socially engineered attacks have exposed user content due to the lack of sufficient privacy and access control. These security and privacy threats are addressed by Project Safebook, a distributed peer-to-peer online social networking solution leveraging real-life trust. By design Safebook decentralizes data storage, and thus the control over user content is no longer in the service provider's hands. Moreover, Safebook uses an anonymous routing technique to ensure communication privacy between different users. This thesis project addresses privacy-aware data management for Safebook users and a data access control solution to preserve users' data privacy and visibility utilizing a peer-to-peer paradigm. The solution focuses on three sub-problems: (1) preserving the user's ownership of user data, (2) providing an access control scheme which supports fine-grained access rights, and (3) secure key management. In our proposed system, the user profile is defined over a collection of small data artifacts. An artifact is the smallest logical entity of a profile. An artifact could be a user's status tweak, text comment, photo album metadata, or multimedia content. These artifacts are then logically arranged to form a hierarchical tree, called the User Profile Hierarchy. 
The root of the profile hierarchy is the only entry point exposed by Safebook from where the complete user profile can be traversed. The visibility of portions of the user profile can be defined by exposing a subset of profile hierarchy. This requires limiting access to child artifacts, by encrypting the connectivity information with specific access keys. Each artifact is associated with a dynamic access chain, which is an encrypted string and contains the information regarding the child nodes. A dynamic access chain is generated using a stream cipher, where each child’s unique identifier is encrypted with its specific access key and concatenated to form the dynamic access chain. The decryption process will reveal only those child artifacts whose access keys are shared. The access keys are managed in a hierarchical manner over the profile hierarchy. Child artifacts inherit the parent’s access key or their access key can be overridden with a new key. In this way, fine grained access rights can be achieved over a user’s artifacts. Remote users can detect changes in a specific branch of a profile hierarchy and fetch new artifacts through our proposed profile hierarchy update service. On top of the proposed access control scheme, any social networking abstraction (such as groups, circles, badges, etc.) can be easily implemented.
Online social networks have become a fast and efficient way of sharing information and experiences. In recent years the trend of using social networks has increased drastically, with an enormous amount of users' private content injected into the providers' data centres. This has raised concerns about how users' content is protected and how users' privacy is preserved by the service providers. Moreover, current social networks have been the subject of much criticism over their privacy settings and access control. The providers own the users' content, and this content is subject to potential misuse. Many socially engineered attacks have exposed users' content because of insufficient privacy and access control. These security and privacy threats are addressed by Project Safebook, a distributed peer-to-peer online social networking solution that leverages real-life trust. By design Safebook decentralises data storage, so that control over user content is no longer in the service provider's hands. Safebook also uses an anonymous routing technique to ensure communication privacy between different users. This thesis project addresses privacy-aware data management for Safebook users and an access control solution that preserves users' privacy and visibility using a peer-to-peer paradigm. The solution focuses on three sub-problems: (1) preserving the user's ownership of user data, (2) providing an access control scheme that supports fine-grained access rights, and (3) secure key management. In our proposed system, the user profile is defined over a collection of small data artifacts. An artifact is the smallest logical unit of a profile. An artifact can be a user's status update, text comment, photo album metadata or multimedia content. These artifacts are logically arranged to form a hierarchical tree, called the User Profile Hierarchy. 
The root of the profile hierarchy is the only entry point exposed by Safebook, from which the entire user profile can be traversed. The visibility of parts of the user profile can be defined by exposing a subset of the profile hierarchy. This requires restricting access to child artifacts by encrypting the connectivity information with specific access keys. Each artifact is associated with a dynamic access chain, an encrypted string containing information about the child nodes. A dynamic access chain is generated using a stream cipher, where each child's unique identifier is encrypted with its specific access key and the results are concatenated to form the dynamic access chain. The decryption process reveals only those child artifacts whose access keys have been shared. The access keys are managed hierarchically over the profile hierarchy. Child artifacts inherit the parent's access key, or their access key can be overridden with a new key. In this way, fine-grained access rights can be achieved over a user's artifacts. Remote users can detect changes in a particular branch of a profile hierarchy and fetch new artifacts through our proposed profile hierarchy update service. On top of the proposed access control scheme, any social networking abstraction (e.g. groups, circles, badges, etc.) can easily be implemented.
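The dynamic access chain described in this abstract, as an added worked example in Python; this is not Safebook's own code. The abstract names a stream cipher but not which one, so the example stands in HMAC-SHA256 run in counter mode, and it adds a per-token authentication tag (an assumption the abstract does not mention) so that a reader can tell which tokens its keys actually open instead of decrypting garbage. The artifact identifiers, the three sample keys, and the two-byte length-prefix framing of tokens in the chain are all constructed here for illustration. Keys are inherited down the tree unless an artifact overrides them, exactly as the abstract states, so holding the root key alone reveals only the artifacts that inherit it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NONCE_LEN = 16
TAG_LEN = 16


@dataclass
class Artifact:
    """One node of the profile hierarchy; key=None means 'inherit the parent's key'."""
    ident: str
    key: Optional[bytes] = None
    children: List["Artifact"] = field(default_factory=list)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (assumption): HMAC-SHA256 keyed blocks in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_id(key: bytes, child_id: str) -> bytes:
    """Token = nonce || (id XOR keystream) || tag. The tag is an added integrity check."""
    nonce = os.urandom(NONCE_LEN)
    pt = child_id.encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_id(key: bytes, token: bytes) -> Optional[str]:
    """Return the child identifier if `key` opens the token, else None (wrong key)."""
    nonce, ct, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))).decode()


def build_access_chain(node: Artifact, node_key: bytes) -> bytes:
    """One length-prefixed token per child, each under that child's effective key."""
    chain = b""
    for child in node.children:
        token = encrypt_id(child.key or node_key, child.ident)
        chain += len(token).to_bytes(2, "big") + token
    return chain


def publish(node: Artifact, inherited_key: Optional[bytes], store: Dict[str, bytes]) -> None:
    """Owner side: compute every artifact's chain and hand it to the (untrusted) peers."""
    node_key = node.key or inherited_key
    store[node.ident] = build_access_chain(node, node_key)
    for child in node.children:
        publish(child, node_key, store)


def visible_children(chain: bytes, held_keys: List[bytes]) -> List[str]:
    """Reader side: split the chain and keep the identifiers one of our keys opens."""
    found, i = [], 0
    while i < len(chain):
        n = int.from_bytes(chain[i:i + 2], "big")
        token = chain[i + 2:i + 2 + n]
        i += 2 + n
        for k in held_keys:
            ident = decrypt_id(k, token)
            if ident is not None:
                found.append(ident)
                break
    return found


def traverse(store: Dict[str, bytes], root_id: str, held_keys: List[bytes]) -> List[str]:
    """Walk from the exposed root; only branches whose keys we hold become visible."""
    seen, stack = [], [root_id]
    while stack:
        cur = stack.pop()
        seen.append(cur)
        stack.extend(visible_children(store.get(cur, b""), held_keys))
    return sorted(seen)


# Constructed sample keys; a deployment would draw each from os.urandom(32).
K_ROOT = hashlib.sha256(b"alice-root").digest()
K_FRIENDS = hashlib.sha256(b"alice-friends").digest()
K_SELF = hashlib.sha256(b"alice-private").digest()


def demo() -> Dict[str, List[str]]:
    """Constructed profile: status inherits the root key, photos and notes override it."""
    profile = Artifact("alice", key=K_ROOT, children=[
        Artifact("status"),
        Artifact("photos", key=K_FRIENDS, children=[Artifact("album-2013")]),
        Artifact("notes", key=K_SELF, children=[Artifact("draft")]),
    ])
    store: Dict[str, bytes] = {}
    publish(profile, None, store)
    return {
        "root_key_only": traverse(store, "alice", [K_ROOT]),
        "friend": traverse(store, "alice", [K_ROOT, K_FRIENDS]),
        "owner": traverse(store, "alice", [K_ROOT, K_FRIENDS, K_SELF]),
    }


if __name__ == "__main__":
    for who, view in demo().items():
        print(who, view)
```

Re-keying a branch is then a matter of replacing one artifact's key and republishing the chains below it; readers who were never given the new key keep opening the old tokens only until the peers serve the rebuilt chain, which is the revocation behaviour the abstract's hierarchical key management implies.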
38

Torabian, Hajaralsadat. "Protecting sensitive data using differential privacy and role-based access control." Master's thesis, Université Laval, 2016. http://hdl.handle.net/20.500.11794/26580.

Full text
Abstract:
In today's world, where most aspects of modern life are handled by computer systems, privacy is an increasingly serious concern. Moreover, data has been generated and processed massively, particularly in the last two years, which motivates individuals and organisations to outsource their massive data to cloud environments offered by service providers. These environments can carry out the tasks of storing and analysing massive data, since they rely mainly on Hadoop MapReduce, which is designed to process massive data efficiently in parallel. Although outsourcing massive data to the cloud facilitates data processing and reduces the cost of maintaining and storing data locally, it raises new problems concerning the protection of privacy. The question, then, is how computations can be performed on massive, sensitive data while preserving privacy. Consequently, building secure systems for handling and processing such private, massive data is crucial. We need mechanisms to protect private data even when the computation being run is not secure. Several research efforts have focused on finding solutions to the confidentiality and security problems that arise when analysing data in cloud environments. In this thesis, we study some existing work on protecting the privacy of any individual in a data set, in particular the notion of privacy known as differential privacy. Differential privacy was proposed to better protect privacy when mining sensitive data, ensuring that the published aggregate result reveals nothing about the presence or absence of a given individual. 
Finally, we propose an idea for combining differential privacy with another available privacy-preserving method.
In today's world, where most aspects of modern life are handled and managed by computer systems, privacy has increasingly become a big concern. In addition, data has been massively generated and processed, especially over the last two years. The rate at which data is generated on one hand, and the need to efficiently store and analyze it on the other hand, lead people and organizations to outsource their massive amounts of data (namely Big Data) to cloud environments supported by cloud service providers (CSPs). Such environments can perfectly undertake the tasks of storing and analyzing big data since they mainly rely on the Hadoop MapReduce framework, which is designed to efficiently handle big data in parallel. Although outsourcing big data into the cloud facilitates data processing and reduces the maintenance cost of local data storage, it raises new problems concerning privacy protection. The question is how one can perform computations on sensitive and big data while still preserving privacy. Therefore, building secure systems for handling and processing such private massive data is crucial. We need mechanisms to protect private data even when the running computation is untrusted. Several research efforts have focused on finding solutions to the privacy and security issues of data analytics in cloud environments. In this dissertation, we study some existing work to protect the privacy of any individual in a data set, specifically a notion of privacy known as differential privacy. Differential privacy has been proposed to better protect the privacy of data mining over sensitive data, ensuring that the released aggregate result reveals almost nothing about whether or not any given individual has contributed to the data set. Finally, we propose an idea of combining differential privacy with another available privacy-preserving method.
39

Kockan, Sinem. "Admission control and profitability analysis in dynamic spectrum access data networks." Thesis, Boston University, 2013. https://hdl.handle.net/2144/21194.

Full text
Abstract:
Thesis (M.Sc.Eng.)
Recent regulations by the Federal Communications Commission (FCC) enable network service providers to lease their spectrum to short-term secondary users for opportunistic usage. Driven by earlier studies on spectrum leasing for voice and streaming traffic, this thesis derives optimal policies for the admission control of secondary users carrying data traffic. Additionally, it establishes profitability conditions of spectrum leasing. We consider a processor sharing network where bandwidth is equally shared among all users with no partitioning. We further consider homogeneous and elastic data traffic: all the users have the same traffic characteristics and adjust their access rate to the available bandwidth in the network. The contributions of this thesis are the following: First, we analyze the joint problem of bandwidth allocation and admission control of secondary users. Under the assumption of Poisson session arrivals and balanced bandwidth allocations, we show that the steady state distributions of the number of active users in the network are insensitive to traffic characteristics beyond their means. This result holds for arbitrary occupancy-based admission control policies. Next, we prove that the optimal occupancy-based admission control policy of secondary users is of threshold type, which means that secondary user arrivals are accepted when the total number of active users in the network is below a certain threshold; otherwise, they are rejected. Finally, under optimal occupancy-based admission control, we characterize profitable prices. We show that profitability is insensitive to the secondary demand function. We identify a price, referred to as the break-even price, that makes opening the network for secondary spectrum access profitable. Thus, we show that admitting secondary users when the network is empty is profitable for any price greater than the break-even price. 
Remarkably, all of our results hold for realistic data traffic models assuming Poisson session arrivals and general flow size distributions.
40

ROSA, Marco. "Data-at-Rest Protection and Efficient Access Control in the Cloud." Doctoral thesis, Università degli studi di Bergamo, 2020. http://hdl.handle.net/10446/181509.

Full text
41

Jaggi, Felix P. "An access control model based on time and events." Thesis, University of British Columbia, 1990. http://hdl.handle.net/2429/28945.

Full text
Abstract:
A new access control model incorporating the notion of time and events is introduced. It allows the specification of fine-grained and flexible security policies which are sensitive to the operating environment. The system constraints, expressed in terms of access windows and obligations, are stored in extended access control lists. The addition of a capability mechanism gives another dimension of protection and added flexibility, so that the flexibility and expressive power of the system constraints is fully supported by the underlying mechanism. The approach is compared to several existing models and its expressive power is demonstrated by showing that the new model can be used to specify different existing security models as well as some special problems. The model is then adapted to work in a distributed environment.
Science, Faculty of
Computer Science, Department of
Graduate
42

Welch, Ian Shawn. "Using a loadtime metaobject protocol to enforce access control policies upon user-level compiled code." Thesis, University of Newcastle Upon Tyne, 2005. http://hdl.handle.net/10443/2106.

Full text
Abstract:
This thesis evaluates the use of a loadtime metaobject protocol as a practical mechanism for enforcing access control policies upon applications distributed as user-level compiled code. Enforcing access control policies upon user-level compiled code is necessary because there are many situations where users are vulnerable to security breaches because they download and run potentially untrustworthy applications provided in the form of user-level compiled code. These applications might be distributed applications, so access control for both local and distributed resources is required. Examples of potentially untrustworthy applications are browser plug-ins, software patches, new applications, or Internet computing applications such as SETI@home. Even applications from trusted sources might be malicious or simply contain bugs that can be exploited by attackers, so access control policies must be imposed to prevent the misuse of resources. Additionally, system administrators might wish to enforce access control policies upon these applications to ensure that users use them in accordance with local security requirements. Unfortunately, applications developed externally may not include the necessary enforcement code to allow the specification of organisation-specific access control policies. Operating system security mechanisms are too coarse-grained to enforce security policies on applications implemented as user-level code. Access control policies require mechanisms that control access to both user-level and operating system-level resources, but operating system mechanisms only focus on controlling access to system-level objects. Conventional object-oriented software engineering can reuse existing security architectures to enforce access control on user-level resources as well as system resources; common techniques are to insert enforcement within libraries or applications, or to use inheritance and proxies. 
However, these all provide a poor separation of concerns and cannot be used with compiled code. In-lined reference monitors provide a good separation of concerns and meet criteria for good security engineering. They use object code rewriting to control access to both user-level and system-level objects by in-lining reference monitor code into user-level compiled code. However, their focus is upon replacing existing security architectures, and current implementations do not address distributed access control policies. Another approach that does provide a good separation of concerns and allows reuse of existing security architectures is metaobject protocols. These allow constrained changes to be made to the semantics of code and therefore can be used to implement access control policies for both local and distributed resources. Loadtime metaobject protocols allow metaobject protocols to be used with compiled code because they rewrite base-level classes and insert meta-level interceptions. However, these have not been demonstrated to meet requirements for good security engineering such as complete mediation. Also, current implementations do not provide distributed access control. This thesis implements a loadtime metaobject protocol for the Java programming language. The design of the metaobject protocol specifically addresses separation of concerns, least privilege, complete mediation and economy of mechanism. The implementation of the metaobject protocol, called Kava, has been evaluated by implementing diverse security policies in two case studies involving third-party standalone and distributed applications. These case studies are used as the basis of inferences about the general suitability of using loadtime reflection for enforcing access control policies upon user-level compiled code.
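The meta-level interception idea in the abstract above, shown as an added Python illustration (this is not the thesis's Kava implementation, which rewrites Java bytecode at class-load time). Here a class decorator plays the role of the loadtime metaobject: when the class is loaded, every public method is replaced by an interceptor that consults a reference-monitor policy before the base-level method runs, so that no call reaches the method unmediated. The `Policy`, `UserFile` class, principals and rules are constructed for the example.

```python
"""Added illustration (not the thesis's Kava code) of meta-level interception:
a class decorator rewrites every public method of a class at load time so that
each call is checked against an access control policy before the base-level
method executes. Policy, principals and the UserFile class are assumed values."""
import functools
import inspect
import threading

_ctx = threading.local()  # principal on whose behalf the current thread runs


def run_as(principal):
    _ctx.principal = principal


def current_principal():
    return getattr(_ctx, "principal", None)


class AccessDenied(Exception):
    pass


class Policy:
    """Allow-list of (principal, class name, method name); anything else is denied."""

    def __init__(self, rules):
        self.rules = set(rules)

    def permits(self, principal, cls_name, method):
        return (principal, cls_name, method) in self.rules


def mediate(policy):
    """Loadtime 'metaobject': rewrites the class so every public method defined
    on it passes through the reference monitor (complete mediation for that class)."""

    def rewrite(cls):
        for name, fn in list(vars(cls).items()):
            if name.startswith("_") or not inspect.isfunction(fn):
                continue  # constructors/dunders and non-methods are left alone

            @functools.wraps(fn)
            def interceptor(self, *args, _fn=fn, _name=name, **kwargs):
                principal = current_principal()
                if not policy.permits(principal, cls.__name__, _name):
                    raise AccessDenied(f"{principal!r} may not call {cls.__name__}.{_name}")
                return _fn(self, *args, **kwargs)  # base-level method runs only after the check

            setattr(cls, name, interceptor)
        return cls

    return rewrite


# Assumed policy: alice may read and write, bob may only read.
POLICY = Policy({
    ("alice", "UserFile", "read"),
    ("alice", "UserFile", "write"),
    ("bob", "UserFile", "read"),
})


@mediate(POLICY)
class UserFile:
    """A user-level resource the operating system knows nothing about."""

    def __init__(self, content=""):
        self.content = content

    def read(self):
        return self.content

    def write(self, data):
        self.content = data
        return len(data)


def demo():
    f = UserFile("hello")
    results = {}
    run_as("alice")
    results["alice_write"] = f.write("secret")
    run_as("bob")
    results["bob_read"] = f.read()
    try:
        f.write("x")
        results["bob_write"] = "allowed"
    except AccessDenied:
        results["bob_write"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The decorator only rewrites methods defined on the decorated class itself; a subclass that adds or overrides methods would bypass the monitor unless it is rewritten as well, which is exactly why a loadtime protocol hooks class loading rather than relying on per-class annotations. The default of denying when no principal is set is the fail-safe choice.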
43

Kibwage, Stephen Sakawa. "Role-Based Access Control Administration of Security Policies and Policy Conflict Resolution in Distributed Systems." NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/30.

Full text
Abstract:
Security models using access control policies have over the years improved from Role-based access control (RBAC) to newer models which have added some features like support for distributed systems and solving problems in older security policy models such as identifying policy conflicts. Access control policies based on hierarchical roles provide more flexibility in controlling system resources for users. The policies allow for granularity when extended to have both allow and deny permissions as well as a weighted priority attribute for the rules in the policies. Such flexibility allows administrators to succinctly specify access for their system resources but is also prone to conflict. This study found that conflicts in access control policies were still a problem even in recent literature. There have been successful attempts at using algorithms to identify the conflicts. However, the conflicts were only identified but not resolved or averted and system administrators still had to resolve the policy conflicts manually. This study proposed a weighted attribute administration model (WAAM) containing values that feed the calculation of a weighted priority attribute. The values are tied to the user, hierarchical role, and secured objects in a security model to ease their administration and are included in the expression of the access control policy. This study also suggested a weighted attribute algorithm (WAA) using these values to resolve any conflicts in the access control policies. The proposed solution was demonstrated in a simulation that combined the WAAM and WAA. The simulation's database used WAAM and had data records for access control policies, some of which had conflicts. The simulation then showed that WAA could both identify and resolve access control policy (ACP) conflicts while providing results in sub-second time. The WAA is extensible so implementing systems can extend WAA to meet specialized needs.
This study shows that ACP conflicts can be identified and resolved during authorization of a user into a system.
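An added Python illustration of the kind of weighted conflict resolution the abstract above describes: allow and deny rules over a role hierarchy, with a priority computed from a weight on the rule plus values tied to the user, the role and the secured object, so that a conflict between applicable rules is settled at authorization time rather than left to the administrator. This is not the thesis's WAAM/WAA code; the role hierarchy, weight tables and rules are constructed for the example, and the tie-break (deny wins) and default (deny when nothing applies) are the fail-safe choices a practitioner would want.

```python
"""Added illustration (not the thesis's WAAM/WAA) of resolving allow/deny conflicts
in a hierarchical RBAC policy with a weighted priority attribute. Role hierarchy,
weight tables and rules below are assumed values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    role: str
    obj: str
    action: str
    effect: str   # "allow" or "deny"
    weight: int   # explicit priority attribute carried by the rule itself


# Senior role -> junior roles whose rules it inherits.
ROLE_HIERARCHY = {"admin": ["manager"], "manager": ["staff"], "staff": []}

# Weighted attributes tied to user, role and secured object (assumed values).
USER_WEIGHT = {"alice": 3, "bob": 1, "carol": 2}
ROLE_WEIGHT = {"admin": 30, "manager": 20, "staff": 10}
OBJECT_WEIGHT = {"payroll.db": 50, "wiki": 5}

RULES = [
    Rule("staff", "wiki", "read", "allow", 0),
    Rule("staff", "payroll.db", "read", "allow", 0),
    Rule("manager", "payroll.db", "read", "deny", 5),   # conflicts with the inherited staff rule
    Rule("admin", "payroll.db", "write", "allow", 0),
    Rule("admin", "payroll.db", "write", "deny", 0),    # exact tie with the line above
]


def roles_of(role):
    """The role itself plus every role it inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_HIERARCHY.get(r, []))
    return seen


def priority(user, rule):
    """Weighted priority attribute: rule weight plus user, role and object values."""
    return (rule.weight + USER_WEIGHT.get(user, 0)
            + ROLE_WEIGHT.get(rule.role, 0) + OBJECT_WEIGHT.get(rule.obj, 0))


def authorize(user, role, obj, action, rules=RULES):
    """Return (decision, conflict_found, winning_rule).

    The applicable rule with the highest priority wins; an exact tie resolves
    to deny; with no applicable rule the default is deny."""
    applicable = [r for r in rules
                  if r.role in roles_of(role) and r.obj == obj and r.action == action]
    if not applicable:
        return "deny", False, None
    conflict = len({r.effect for r in applicable}) > 1
    # Sort key: priority first, then prefer deny so a tie is fail-safe.
    winner = max(applicable, key=lambda r: (priority(user, r), r.effect == "deny"))
    return winner.effect, conflict, winner


if __name__ == "__main__":
    print(authorize("alice", "manager", "payroll.db", "read"))
    print(authorize("carol", "admin", "payroll.db", "write"))
```

Because the priority includes per-user and per-object values, the same pair of conflicting rules can resolve differently for different users or objects, which is the administrative flexibility the abstract describes and also the reason the weight tables themselves need to be protected as part of the policy.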
44

Kasinath, Gautham. "Fine grained access control of ODF documents using XACML." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2007. https://ro.ecu.edu.au/theses/276.

Full text
Abstract:
Whilst existing research addresses protection of information contained in generic XML formats, none addresses the protection of information in document formats based on XML. This research addresses this void by suggesting an innovative scheme to protect contents of ODF documents using the XACML access control model. This study is significant to those studying mechanisms of document security, members of the standardization community and information security providers of enterprises. The study conducted in this research may also have commercial value as a product developed to secure ODF document contents.
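An added Python illustration of what fine-grained XACML-style control over ODF content can look like; it is not the thesis's own scheme. A reduced XACML policy (each rule is a target plus an effect, combined with deny-overrides) is evaluated once per `text:section` of a constructed ODF `content.xml` fragment, and sections the subject may not read are removed before the document is released. The document, roles and rules are assumed for the example; real XACML policies are XML and carry far richer targets and obligations.

```python
"""Added illustration (not the thesis's code): a reduced XACML-style policy
evaluated per text:section of an ODF content.xml fragment, with deny-overrides
rule combining, used to redact sections the subject may not read. The document
fragment, roles and rules are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
}
TEXT_NAME = "{%s}name" % NS["text"]

# Constructed ODF content.xml with two named sections.
CONTENT_XML = """<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:body><office:text>
    <text:section text:name="Summary"><text:p>Public summary.</text:p></text:section>
    <text:section text:name="Salaries"><text:p>Board salaries.</text:p></text:section>
  </office:text></office:body>
</office:document-content>"""

# Reduced XACML policy: Rule = Target + Effect; "*" plays the role of AnyOf.
POLICY = {
    "rule_combining": "deny-overrides",
    "rules": [
        {"id": "read-all", "effect": "Permit",
         "target": {"role": "*", "section": "*", "action": "read"}},
        {"id": "staff-no-salaries", "effect": "Deny",
         "target": {"role": "staff", "section": "Salaries", "action": "read"}},
    ],
}


def target_matches(target, request):
    return all(v == "*" or request.get(k) == v for k, v in target.items())


def evaluate(policy, request):
    """Deny-overrides: any applicable Deny wins, else Permit if any applicable
    Permit, else NotApplicable (which an enforcement point must treat as refusal)."""
    assert policy["rule_combining"] == "deny-overrides"
    effects = [r["effect"] for r in policy["rules"] if target_matches(r["target"], request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def redact(content_xml, role, policy=POLICY):
    """Return (names of sections the role may read, document with the others removed)."""
    root = ET.fromstring(content_xml)
    body = root.find("office:body/office:text", NS)
    visible = []
    for section in list(body.findall("text:section", NS)):
        name = section.get(TEXT_NAME)
        request = {"role": role, "section": name, "action": "read"}
        if evaluate(policy, request) == "Permit":
            visible.append(name)
        else:
            body.remove(section)  # fail closed: anything not permitted leaves the document
    return visible, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(redact(CONTENT_XML, "staff")[0])
```

Redaction is performed on the parsed tree rather than by string matching so that the protected text cannot survive in an attribute, a nested element or an alternative encoding; the same per-element evaluation extends to tables, frames and other ODF containers.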
45

Salim, Farzad. "Approaches to access control under uncertainty." Thesis, Queensland University of Technology, 2012. https://eprints.qut.edu.au/58408/1/Farzad_Salim_Thesis.pdf.

Full text
Abstract:
The ultimate goal of an access control system is to allocate each user the precise level of access they need to complete their job - no more and no less. This proves to be challenging in an organisational setting. On one hand employees need enough access to the organisation's resources in order to perform their jobs and on the other hand more access will bring about an increasing risk of misuse - either intentionally, where an employee uses the access for personal benefit, or unintentionally, through carelessness or being socially engineered to give access to an adversary. This thesis investigates issues of existing approaches to access control in allocating an optimal level of access to users and proposes solutions in the form of new access control models. These issues are most evident when uncertainty surrounding users' access needs, incentive to misuse and accountability are considered, hence the title of the thesis. We first analyse access control in environments where the administrator is unable to identify the users who may need access to resources. To resolve this uncertainty an administrative model with delegation support is proposed. Further, a detailed technical enforcement mechanism is introduced to ensure delegated resources cannot be misused. Then we explicitly consider that users are self-interested and capable of misusing resources if they choose to. We propose a novel game theoretic access control model to reason about and influence the factors that may affect users' incentive to misuse. Next we study access control in environments where neither users' access needs can be predicted nor can they be held accountable for misuse. It is shown that by allocating budget to users, a virtual currency through which they can pay for the resources they deem necessary, the need for a precise pre-allocation of permissions can be relaxed. The budget also imposes an upper-bound on users' ability to misuse.
A generalised budget allocation function is proposed and it is shown that given the context information the optimal level of budget for users can always be numerically determined. Finally, the Role Based Access Control (RBAC) model is analysed under the explicit assumption of administrators' uncertainty about self-interested users' access needs and their incentives to misuse. A novel Budget-oriented Role Based Access Control (B-RBAC) model is proposed. The new model introduces the notion of users' behaviour into RBAC and provides means to influence users' incentives. It is shown how RBAC policy can be used to individualise the cost of access to resources and also to determine users' budget. The implementation overheads of B-RBAC are examined and several low-cost sub-models are proposed.
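An added Python illustration of the budget idea in the abstract above, not the thesis's B-RBAC implementation: each user spends a virtual-currency budget on accesses, the RBAC policy individualises the price (an access the user's role is expected to make is cheap, an access outside the role is still possible but expensive and logged), and the budget caps how many off-role accesses a user can make at all. The roles, prices and budget are assumed values; the budget allocation function of the thesis is not reproduced here.

```python
"""Added illustration (not the thesis's B-RBAC code) of budget-oriented access
control: users pay for accesses from a budget, the RBAC policy sets the price,
off-role accesses are allowed but costly and audited, and the budget bounds misuse.
Roles, prices and budgets are assumed values."""
from collections import defaultdict


class BudgetRBAC:
    def __init__(self, role_perms, user_roles, budgets, in_role_cost=1, off_role_cost=5):
        self.role_perms = role_perms       # role -> resources the role is expected to use
        self.user_roles = user_roles       # user -> role
        self.budget = dict(budgets)        # user -> remaining budget
        self.in_role_cost = in_role_cost
        self.off_role_cost = off_role_cost
        self.audit = defaultdict(list)     # user -> [(resource, cost, decision)]

    def price(self, user, resource):
        """RBAC policy individualises the cost: cheap within the role, dear outside it."""
        role = self.user_roles[user]
        in_role = resource in self.role_perms.get(role, set())
        return self.in_role_cost if in_role else self.off_role_cost

    def request(self, user, resource):
        """Grant if the user can pay; debit the budget and record the access either way."""
        cost = self.price(user, resource)
        if cost > self.budget[user]:
            self.audit[user].append((resource, cost, "denied"))
            return False
        self.budget[user] -= cost
        self.audit[user].append((resource, cost, "granted"))
        return True

    def max_off_role_accesses(self, initial_budget):
        """Upper bound on misuse: even spending everything outside the role,
        a user with this budget gets at most this many off-role accesses."""
        return initial_budget // self.off_role_cost


def demo():
    ac = BudgetRBAC(
        role_perms={"analyst": {"reports"}, "hr": {"payroll", "reports"}},
        user_roles={"alice": "analyst"},
        budgets={"alice": 10},
    )
    outcomes = [
        ac.request("alice", "reports"),   # in-role, cost 1 -> 9 left
        ac.request("alice", "payroll"),   # off-role, cost 5 -> 4 left
        ac.request("alice", "payroll"),   # off-role, cost 5 > 4 -> denied
        ac.request("alice", "reports"),   # in-role, cost 1 -> 3 left
    ]
    off_role_granted = sum(1 for res, cost, d in ac.audit["alice"]
                           if d == "granted" and cost == ac.off_role_cost)
    return outcomes, ac.budget["alice"], ac.max_off_role_accesses(10), off_role_granted


if __name__ == "__main__":
    print(demo())
```

The audit list is what gives the scheme its accountability when precise pre-allocation of permissions is impossible: an off-role access is never silent, it is paid for and recorded, and the number of such accesses is bounded by the budget regardless of the user's intent.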
46

Øslebø, Arne. "A diagrammatic notation for modeling access control in tree-based data structures." Doctoral thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2008. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-2195.

Full text
Abstract:
This thesis describes two graphical modeling languages that can be used for specifying the access control setup in most systems that store information in a tree-based structure. The Tree-based Access control Modeling Language (TACOMA) is the simplest language that is defined. It is easy to learn and use as it has only 8 symbols and two relations. With this language it is possible to define the exact access control rules for users using a graphical notation. The simplicity of the language does however come at a cost: it is best suited for small or medium sized tasks where the numbers of users and objects being controlled are limited. To solve the scalability problem a second language is also presented. The Policy Tree-based Access control Modeling Language (PTACOMA) is a policy based version of TACOMA that doubles the number of symbols and relations. While it is harder to learn it scales better to larger tasks. It also allows for distributed specification of access rules where administrators of different domains can be responsible for specifying their own access control rules. Domains can be organized in a hierarchical manner so that administrators on a higher level can create policies that have higher priority and therefore limit what administrators at lower levels can do. The thesis describes the two languages in detail and provides a comparison between them to show the strong and weak points of each language. There is also a detailed case study that shows how the two languages can be used for specifying access control in SNMPv3.
47

Huang, Qing. "An extension to the Android access control framework." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-73064.

Full text
Abstract:
Several nice hardware functionalities located at the low level of the operating system on mobile phones could be utilized in a better way if they were available to application developers. With their help, developers are able to bring the overall user experience to a new level in terms of developing novel applications. For instance, one of those hardware functionalities, SIM-card authentication, is able to offer a stronger and more convenient way of authentication when compared to the traditional approach. Replacing the username-password combination with SIM-card authentication, users are freed from memorizing passwords. However, since normally those kinds of functionalities are locked up at the low level, they are only accessible by a few users who have been given privileged access rights. To let normal applications benefit as well, they need to be made accessible at the application level. On the one hand, as we see the benefit it will bring to us, there is a clear intention to open it up; however, on the other hand, there is also a limitation resulting from their security-critical nature that needs to be placed when accessing, which is restricting the access to trusted third parties. Our investigation is based on the Android platform. The problem that we have discovered is that the existing security mechanism in Android is not able to satisfy every regard of the requirements we mentioned above when exposing the SIM-card authentication functionality. Hence, our requirement on enhancing the access control model of Android comes naturally. In order to better suit the needs, we proposed a solution, White lists & Domains (WITDOM), to improve its current situation in the thesis. The proposed solution is an extension to the existing access control model in Android that allows alternative ways to specify access controls, therefore complementing the existing Android security mechanisms.
We have both designed and implemented the solution and the result shows that with the service that we provided, critical functionalities, such as APIs for the low-level hardware functionality, can retain the same level of protection while having a more flexible protection mechanism.
48

Sheng, Wei. "Cross-layer design of admission control policies in code division multiple access communications systems utilizing beamforming." Thesis, Kingston, Ont. : [s.n.], 2008. http://hdl.handle.net/1974/1342.

Full text
49

Koeppen, Kyle Bruce. "Virtual access hydraulics experiment for system dynamics and control education." Thesis, Georgia Institute of Technology, 2001. http://hdl.handle.net/1853/15906.

Full text
50

Truter, J. N. J. "Using CAMAC hardware for access to a particle accelerator." Master's thesis, University of Cape Town, 1988. http://hdl.handle.net/11427/17049.

Full text
Abstract:
Includes bibliographical references and index.
The design and implementation of a method to software interface high level applications programs used for the control and monitoring of a Particle Accelerator is described. Effective methods of interfacing the instrumentation bus system with a Real time multitasking computer operating system were examined and optimized for efficient utilization of the operating system software and available hardware. Various methods of accessing the instrumentation bus are implemented as well as demand response servicing of the instruments on the bus.