Your search keyword '"Discretionary access control"' showing total 490 results

1. Secure Trusted Operating System Based on Microkernel Architecture

Author

Kun Xiao, Chong Fei Shen, Xiao Ke Tang, Li Xin Yang, Hui Wang, and De Jian Li

Subjects

Scheme (programming language), business.industry, Computer science, media_common.quotation_subject, computer.software_genre, Monolithic kernel, Discretionary access control, Software, Operating system, Isolation (database systems), Microkernel, business, Function (engineering), computer, Trusted operating system, media_common, computer.programming_language

Abstract

Currently, trusted execution environment technologies are widely used to enhance the security of connected devices such as mobile phones and tablets. The trusted operating system is the core component of a trusted execution environment solution, but the trusted operating system itself may face security challenges. The main reason is that the trusted operating system needs to provide different services for different application scenarios, which makes its function more complicated and further increases the code size. In most trusted execution environment solutions, the trusted operating system is based on Monolithic kernel architecture. This will inevitably face security issues such as software defects and lack of isolation between components. In this paper, we propose a scheme for design secure trusted operating system based on a microkernel architecture. In our scheme, we take the modified take-grant model as the system security model and design a discretionary access control mechanism based on the capability system. We implemented our secure trusted operating system on the i.MX6Q platform. The test results show that it works properly and meets the requirements of the GP TEE specifications.

Published

2021

2. Solid over the Interplanetary File System

Author

Christian Tschudin and Fabrizio Parrillo

Subjects

File system, Computer science, computer.internet_protocol, business.industry, Access control, Service-oriented architecture, Permission, computer.software_genre, Discretionary access control, Task (computing), Server, Operating system, Architecture, business, computer

Abstract

Solid is a moderate re-decentralization architecture for the Web. In Solid, applications fetch data from storage providers called “pods” which implement discretionary access control, permitting users to grant and revoke access rights and thus keeping control over their data. In this paper, we propose to apply an additional de-verticalization by introducing IPFS as a common backend for Solid pods, the goal being to prevent pod provider lock-in and permitting users to consider “self-poding” where the heavy persistency task is out-sourced to IPFS. We have implemented this Solid-over-IPFS architecture using the open-source “Community Solid Server” and successfully ran several Solid applications over IPFS.

Published

2021

3. A Scalable Role Mining Approach for Large Organizations

Author

Zohreh Raghebi, Haadi Jafarian, Farnoush Banaei-Kashani, and Masoumeh Abolfathi

Subjects

Discretionary access control, Flexibility (engineering), Computer science, business.industry, Distributed computing, Scalability, Role-based access control, Usability, Access control, business, Heuristics, Task (project management)

Abstract

Role-based access control (RBAC) model has gained significant attention in cybersecurity in recent years. RBAC restricts system access only to authorized users based on the roles and regulations within an organization. The flexibility and usability of this model have encouraged organizations to migrate from traditional discretionary access control (DAC) models to RBAC. However, this transition requires accomplishing a very challenging task called role mining in which users' roles are generated from the existing access control lists. Although various approaches have been proposed to address this NP-complete problem in the literature, they suffer either from low scalability such that their execution time increases exponentially with the input size, or they rely on fast heuristics with low optimality that generate too many roles. In this paper, we introduce a highly scalable yet optimal approach to tackle the role mining problem. To this end, we utilize a non-negative rank reduced matrix decomposition method to decompose a large-scale user-permission assignment into two constitutive components, i.e. the user-role and role-permission assignments. Then, we apply a thresholding technique to convert real-valued components into binary-valued factors. We employ various access control configurations and demonstrate that our proposed model is able to effectively discover the latent relationship behind the user-permission data even with large datasets.

Published

2021

4. A safe architecture for authorisation grant in healthcare ecosystems

Author

Marcos Gestal Pose, Rui Lebre, Carlos Costa, and Micael Pedrosa

Subjects

Authentication, 020205 medical informatics, business.industry, Computer science, Internet privacy, Context (language use), Cloud computing, 02 engineering and technology, Discretionary access control, Data access, Implied consent, Health care, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, business

Abstract

Recent regulations for security and privacy of personal data request new approaches in data access and retrieval processes. In the context of healthcare, the regulations point two types of consent to access sensitive personal medical data: explicit and implicit consent. This paper focus on explicit consent cases and presents an architecture where the patient grants on-demand access to private health records. The architecture is supported by a Discretionary Access Control model suited for cross-domain and cloud environments. Each resource belongs to a patient that has the power to grant or deny any access rights to users or groups of users. All the process is designed to be secure, from the authentication of the physician in the terminal until the communications between entities, passing by the physician’s terminal check by the patient. Furthermore, the security methods are discussed and evaluated. Finally, it is presented a summary of the developed work and the plans to apply in the future work.

Published

2020

5. Blockchain Platforms and Access Control Classification for IoT Systems

Author

Abdullah Alghamdi, Khalid Almarhabi, Adam Ibrahim Abdi, Fathy Eassa, and Kamal Jambi

Subjects

blockchain, Physics and Astronomy (miscellaneous), Computer science, General Mathematics, access control (AC), Access control, 02 engineering and technology, security, Computer security, computer.software_genre, privacy, AC classification, Discretionary access control, Central authority, 0202 electrical engineering, electronic engineering, information engineering, Computer Science (miscellaneous), business.industry, lcsh:Mathematics, 020206 networking & telecommunications, lcsh:QA1-939, Mandatory access control, Internet of Things (IoT), Chemistry (miscellaneous), Scalability, Table (database), 020201 artificial intelligence & image processing, Single point of failure, business, Internet of Things, computer

Abstract

The Internet of Things paradigm is growing rapidly. In fact, controlling this massive growth of IoT globally raises new security and privacy issues. The traditional access control mechanisms provide security to IoT systems such as DAC (discretionary access control) and mandatory access control (MAC). However, these mechanisms are based on central authority management, which raises some issues such as absence of scalability, single point of failure, and lack of privacy. Recently, the decentralized and immutable nature of blockchain technology integrated with access control can help to overcome privacy and security issues in the IoT. This paper presents a review of different access control mechanisms in IoT systems. We present a comparison table of reviewed access control mechanisms. The mechanisms’ scalability, distribution, security, user-centric, privacy and policy enforcing are compared. In addition, we provide access control classifications. Finally, we highlight challenges and future research directions in developing decentralized access control mechanisms for IoT systems.

Published

2020

6. Modeling Transformations of Information Links in the Cybersecurity Architecture of Systems Using Algorithms on Graphs and the 'Take-Grant' Formal Model

Author

Alexander Shumov

Subjects

business.industry, Computer science, Python (programming language), Computer security, computer.software_genre, Graph, Data modeling, Discretionary access control, Software modules, Software, Task analysis, Architecture, business, Algorithm, computer, computer.programming_language

Abstract

In this paper, the issue of modeling the transformations of information links in the architecture of cybersecurity of systems with discretionary access control on graphs using the formal "take-grant" model for the task of synthesizing the cybersecurity architecture is considered. For various initial conditions of the problem, reflecting the requirements for the final state of the structure of information links, modeling algorithms based on the Ford-Fulkerson theorem and methods for finding the smallest edge section of a graph are proposed. A software module has been created that implements the proposed algorithms in Python using the NetworkX library. Examples of the results of the created software module are given.

Published

2020

7. Strengthen Electronic Health Records System (EHR-S) Access-Control to Cope with GDPR Explicit Consent

Author

Paulo Bandiera-Paiva and Marcelo Antonio de Carvalho Junior

Subjects

020205 medical informatics, Computer science, Control (management), Medicine (miscellaneous), Health Informatics, Access control, 02 engineering and technology, Permission, Computer security, computer.software_genre, Health informatics, Discretionary access control, Health Information Management, Computer Systems, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, Electronic Health Records, Humans, Confidentiality, Computer Security, Informed Consent, business.industry, Service provider, business, computer, Information Systems

Abstract

Patient consent is currently a missing piece on Electronic Health Records System (EHR-S) access permission. The control is needed to ensure personal data as the property of the individual, not data controllers or health-care service providers. To cope with this need, in this article, an adaptation of existent Role-Based Access Control (RBAC), including patient-centric control, is described. The revisited feature of existing administrative and supporting RBAC functions allows exclusive control orchestrated by the patient as sole information owner, including the ability to encrypt their data for confidentiality purposes. The additions mimic a Discretionary Access Control (DAC) capability using existing user group membership to vet access over symmetric keys bind to patient's data via the associated PERMS matrix.

Published

2020

8. Developing and Assessing an Educational Game for Teaching Access Control

Author

Xiaohong Yuan, Patrickson Weanquoi, Jinsheng Xu, Elva J. Jones, and Jinghua Zhang

Subjects

Multimedia, Video game development, business.industry, Computer science, ComputingMilieux_PERSONALCOMPUTING, Access control, computer.software_genre, Adventure, Mandatory access control, Discretionary access control, Information sensitivity, Game design, business, computer, Access control list

Abstract

The protection of sensitive information in computer systems and networks from malicious manipulation is critical. As a key component in cybersecurity, access control is used to mitigate malicious access to sensitive information. To help students master the access control concepts, we developed a 2D educational game titled "Temple of Treasures" that aims to teach Discretionary Access Control (DAC), Access Control List (ACL) and Mandatory Access Control (MAC) in Unix/Linux Systems via a fun and interactive environment. The Unity3D game engine is used for game development and the game can be deployed to multiple platforms such as Windows, macOS, and web. Player information and in-game assessment data are saved on the cloud through GameSparks for analysis. The game story is centered around a group of adventurers in search of gold. The player is stuck in a temple and has to explore the temple for escape routes. The game has three levels, where level one focuses on DAC, level two focuses on ACL and the last level is for MAC. The player has to explore the temple and gain knowledge on targeted concepts to unlock the gate to the next level. Three in-game assessments have been implemented to provide immediate feedback for students. The UI Accessibility Plugin (UAP) is used to make the game accessible to visually impaired players. To scientifically measure the effectiveness of the game, we developed pre-test, post-test, survey, and focus group protocols. The game has been used in the Operating Systems class as a homework assignment at North Carolina A&T State University in spring 2020. This poster will present the game design and development process, the detailed evaluation plan, and our initial classroom experience. This portable and self-contained game will make it easy to share with other faculty engaged in cyber security teaching and research.

Published

2020

9. A Model-Driven Framework for Ensuring Role Based Access Control in IoT Devices

Author

Mariam Bisma, Muhammad Waseem Anwar, Farooque Azam, and Yawar Rasheed

Subjects

Discretionary access control, Order (exchange), business.industry, Process (engineering), Computer science, Distributed computing, Role-based access control, business, Automation, Variety (cybernetics), Metamodeling, Abstraction (linguistics)

Abstract

Ensuring security and privacy of IOT devices and the associated/ dependent complex and critical systems is certainly a major concern, especially after proliferation of IoT devices in variety of domains in current era. A considerable level of security can be achieved in these systems using the techniques of Role Based Access Control (RBAC). In contrast to Discretionary Access Control (DAC) where personal identity of the owner/ user matters, RBAC grants access permissions on the basis of roles of the user. Due to the inherent complexity associated with ensuring security in IoT devices and related systems/ services, a level of abstraction is required in the development process, in order to better understand and develop the system accordingly by integrating all the security aspects. This level of abstraction can be achieved by developing the system as per the concepts of Model Driven Development (MDD). In this paper, techniques of Model Driven Architecture (MDA)/ MDD has been used to propose such a Framework/ Meta-Model, which ensures RBAC in order to access the services associated with IoT devices. The proposed Meta-Model can be further extended for the model-based development and automation of such a system that ensure RBAC for IoT devices. Validity of proposed Meta-Model has been proved by creating an M1 level Instance Model of a real-world case study. Results prove, that the proposed Meta-Model is capable to be transformed into a reliable system that ensures RBAC in IoT devices.

Published

2020

10. Remote Access Control Model for MQTT Protocol

Author

Dmitrii I. Dikii

Subjects

Password, MQTT, Authentication, business.industry, Computer science, 010401 analytical chemistry, 020206 networking & telecommunications, Access control, 02 engineering and technology, Security policy, 01 natural sciences, 0104 chemical sciences, Discretionary access control, Service data unit, 0202 electrical engineering, electronic engineering, information engineering, business, Protocol (object-oriented programming), Computer network

Abstract

The author considers the Internet of Things security problems, namely, the organization of secure access control when using the MQTT protocol. Security mechanisms and methods that are employed or supported by the MQTT protocol have been analyzed. Thus, the protocol employs authentication by the login and password. In addition, it supports cryptographic processing over transferring data via the TLS protocol. Third-party services on OAuth protocol can be used for authentication. The authorization takes place by configuring the ACL-files or via third-party services and databases. The author suggests a device discretionary access control model of machine-to-machine interaction under the MQTT protocol, which is based on the HRU-model. The model entails six operators: the addition and deletion of a subject, the addition and deletion of an object, the addition and deletion of access privileges. The access control model is presented in a form of an access matrix and has three types of privileges: read, write, ownership. The model is composed in a way that makes it compatible with the protocol of a widespread version v3.1.1. The available types of messages in the MQTT protocol allow for the adjustment of access privileges. The author considered an algorithm with such a service data unit build that the unit could easily be distinguished in the message body. The implementation of the suggested model will lead to the minimization of administrator’s involvement due to the possibility for devices to determine access privileges to the information resource without human involvement. The author suggests recommendations for security policies, when organizing an informational exchange in accordance with the MQTT protocol.

Published

2020

11. Exploring the Access Control Policies of Web-Based Social Network

Author

Kaushal A. Shah and Devkishan Patel

Subjects

Discretionary access control, Social network, Computer science, business.industry, Internet privacy, Role-based access control, Trust management (information system), Web application, Access control, The Internet, Data breach, business

Abstract

The usage of the web based social networks is growing day by day. Our daily life has become dependent on the usage of these social networking applications (apps). These apps allow the people of different ages to share their ideas and remain connected to the people they like to connect with through the medium of internet. There are several web based social networking apps such as Instagram, Twitter, LinkedIn, and Facebook. Facebook has experienced the rapid growth in the number of users in last few years. The access control paradigm of Facebook is different from the way it is generally being provided. The access control is mainly defined through: Role based access control, Trust Management System, Discretionary Access Control. Web based social networks offer attractive means for interaction and communication; on the other hand they also raise privacy and security concerns. There are risks related to the privacy of the users attached to the usage of web based social networks as most of the users accept the privacy and access control policies of such apps without understanding the threat associated with the same. We try to explore some of the threats related to the privacy and access control of web based social network that helps the users to keep their profile safe and avoid any type of data breach.

Published

2020

12. An Adaptation of Context and Trust Aware Workflow Oriented Access Control for Remote Healthcare

Author

Tapalina Bhattasali, Nabendu Chaki, Khalid Saeed, and Rituparna Chaki

Subjects

Process management, Computer Networks and Communications, business.industry, Computer science, 020207 software engineering, Context (language use), Access control, 02 engineering and technology, Computer Graphics and Computer-Aided Design, Mandatory access control, Discretionary access control, Workflow, Artificial Intelligence, Remote healthcare, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, 020201 artificial intelligence & image processing, business, Adaptation (computer science), Software

Abstract

Traditional discretionary access control (DAC) or mandatory access control (MAC) is not quite effective for remote environment. General role-based access control (RBAC) also has its limitations to control access for applications like remote healthcare due to its static nature. Design of effective access control model is indeed a big challenge for such applications. Fine-grained access control logic capable of adapting changes based on run-time information needs to be considered to meet the requirements of remote healthcare scenarios. In this work, an adaptive access control model is proposed keeping in compliance with state–of-the-art scenario towards ensuring quality of context and trust relationship between owners and users. It focuses on inter-component relationship, where phases are executed either in online or in offline mode to avoid performance bottleneck. Adaptive binding is integrated with application specific workflows. Workflow net models for different scenarios of medical kiosk-based rural healthcare are analyzed to validate proposed access control logic at design time that can reduce the possibility of major faults at run time. Our proposed work supports formal analysis and verification using Workflow Petri Net Designer (WoPeD) tool. Comparative analysis shows how proposed access control model advances the state of art.

Published

2018

13. Multi-user permission strategy to access sensitive information

Author

Debasis Ghosh, Arunava Roy, and Dipankar Dasgupta

Subjects

Authentication, Information Systems and Management, Computer access control, Computer science, Control (management), 02 engineering and technology, Permission, Multi-user, Computer security, computer.software_genre, Computer Science Applications, Theoretical Computer Science, Discretionary access control, World Wide Web, 03 medical and health sciences, Information sensitivity, 0302 clinical medicine, Artificial Intelligence, Control and Systems Engineering, 020204 information systems, 030220 oncology & carcinogenesis, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, computer, Software

Abstract

A system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user, multi-modality permission strategy centering on organizational structure, thereby making authentication strategy unpredictable so to significantly reduce the risk of exploitation. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment, e.g., mobility, use of the computing device seeking access, authentication factors under applicable environmental settings, access policy, and the like.

Published

2018

14. A trusted access method in software-defined network

Author

Jing Liu, Yinong Chen, Yingxu Lai, and Diao Zipeng

Subjects

0209 industrial biotechnology, Computer access control, Computer science, business.industry, Network Access Device, 020206 networking & telecommunications, Access control, 02 engineering and technology, Trusted Network Connect, Computer security, computer.software_genre, Discretionary access control, 020901 industrial engineering & automation, Distributed System Security Architecture, Hardware and Architecture, Modeling and Simulation, Network Access Control, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, business, computer, Software, Computer network

Abstract

In software-defined networks (SDN), most controllers do not have an established control function for endpoint users and access terminals to access network, which may lead to many attacks. In order to address the problem of security check on access terminals, a secure trusted access method in SDN is designed and implemented in this paper. The method includes an access architecture design and a security access authentication protocol. The access architecture combines the characteristics of the trusted access technology and SDN architecture, and enhances the access security of SDN. The security access authentication protocol specifies the specific structure and implementation of data exchange in the access process. The architecture and protocol implemented in this paper can complete the credibility judgment of the access device and user's identification. Furthermore, it provides different trusted users with different network access permissions. Experiments show that the proposed access method is more secure than the access method that is based on IP address, MAC address and user identity authentication only, thus can effectively guarantee the access security of SDN.

Published

2017

15. Current Research and Open Problems in Attribute-Based Access Control

Author

Sylvia L. Osborn and Daniel Servos

Subjects

General Computer Science, Delegation, business.industry, Computer science, media_common.quotation_subject, 020206 networking & telecommunications, Access control, 02 engineering and technology, Computer security, computer.software_genre, Data science, Mandatory access control, Theoretical Computer Science, Discretionary access control, Taxonomy (general), Scale (social sciences), Scalability, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, 020201 artificial intelligence & image processing, business, computer, media_common

Abstract

Attribute-based access control (ABAC) is a promising alternative to traditional models of access control (i.e., discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC)) that is drawing attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large scale adoption is still in its infancy. The relatively recent emergence of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, and the like, have been largely ignored or left to future work. This article provides a basic introduction to ABAC and a comprehensive review of recent research efforts toward developing formal models of ABAC. A taxonomy of ABAC research is presented and used to categorize and evaluate surveyed articles. Open problems are identified based on the shortcomings of the reviewed works and potential solutions discussed.

Published

2017

16. Designing Application Permission Models that Meet User Expectations

Author

Franziska Roesner

Subjects

Computer Networks and Communications, Computer science, business.industry, Principle of least privilege, Internet privacy, Authorization, Mobile computing, 020206 networking & telecommunications, Access control, 02 engineering and technology, Permission, User expectations, Computer security, computer.software_genre, Discretionary access control, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, business, Law, computer, Explicit permission

Abstract

How should applications legitimately requiring access to sensitive resources to carry out their functionality be granted access to those resources? The answer to this question depends on users. This article introduces user-driven access control, an alternate permission model that adheres to the principle of least privilege while reducing the burden on users to make explicit permission decisions.

Published

2017

17. On the Feasibility of Attribute-Based Access Control Policy Mining

Author

Ravi Sandhu, Shuvra Chakraborty, and Ram Krishnan

Subjects

021110 strategic, defence & security studies, business.industry, Computer science, General problem, 0211 other engineering and technologies, Authorization, Access control, Context (language use), 02 engineering and technology, Attribute-based access control, Computer security, computer.software_genre, Discretionary access control, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, State (computer science), business, computer

Abstract

As the technology of attribute-based access control (ABAC) matures and begins to supplant earlier models such as role-based or discretionary access control, it becomes necessary to convert from already deployed access control systems to ABAC. Several variations of this general problem can be defined, some of which have been studied by researchers. In particular the ABAC policy mining problem assumes that attribute values for various entities such as users and objects in the system are given, in addition to the authorization state, from which the ABAC policy needs to be discovered. In this paper, we formalize the ABAC RuleSet Existence problem in this context and develop an algorithm and complexity analysis for its solution. We further introduce the notion of ABAC RuleSet Infeasibility Correction along with an algorithm for its solution.

Published

2019

18. Towards Integrating Attribute-Based Access Control into Ontologies

Author

Besik Dundua and Mikheil Rukhaia

Subjects

Discretionary access control, World Wide Web, Focus (computing), business.industry, Computer science, Role-based access control, Access control, Ontology language, Ontology (information science), business, Semantic Web, Mandatory access control

Abstract

Access control is a security technique that specifies which users can access particular resources in a computing environment. Over the years, numerous access control models have been developed to address various aspects of computer security. In this paper, we focus on a modern approach, attribute-based access control (ABAC), which has been proposed in order to overcome limitations of traditional models: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). The work on integrating access control mechanisms in semantic web technologies is developing into two directions: (1) to use semantic web technologies for modeling and analyzing access control policies and (2) to protect knowledge encoded in an ontology. In this paper we focus on the first issue and investigate how ABAC can be integrated into ontology languages.

Published

2019

19. From Access Control Models to Access Control Metamodels: A Survey

Author

Nadine Kashmar, Mirna Atieh, and Mehdi Adda

Subjects

Discretionary access control, Computer science, business.industry, Distributed computing, Data integrity, Role-based access control, Information technology, Access control, business, Mandatory access control, Abstraction (linguistics), Metamodeling

Abstract

Access control (AC) is a computer security requirement used to control, in a computing environment, what the user can access, when and how. Policy administration is an essential feature of an AC system. As the number of computers are in hundreds of millions, and due to the different organization requirements, applications and needs, various AC models are presented in literature, such as: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), etc. These models are used to implement organizational policies that prevent the unauthorized disclosure of sensitive data, protecting the data integrity, and enabling secure access and sharing of information. Each AC model has its own methods for making AC decisions and policy enforcement. However, due to the diversity of AC models and the various concerns and restrictions, its essential to find AC metamodels with higher level of abstraction. Access control metamodels serve as a unifying framework for specifying any AC policy and should ease the migration from an AC model to another. This study reviews existing works on metamodels descriptions and representations. But, are the presented metamodels sufficient to handle the needed target of controlling access especially in the presence of the current information technologies? Do they encompass all features of other AC models? In this paper we are presenting a survey on AC metamodels.

Published

2019

20. The Design and Implementation of a Linux Kernel Module for File Descriptor Revocation

Author

Hari Nn and Arjun Tu

Subjects

Discretionary access control, Software_OPERATINGSYSTEMS, Confused deputy problem, Computer science, Privilege separation, File descriptor, Principle of least privilege, Operating system, Linux kernel, Privilege (computing), computer.software_genre, Access control list, computer

Abstract

Privilege separation systems that are implemented in applications such as Chromium and OpenSSH Dae- mon(SSHD) are complex, cumbersome because they have to be built on top of traditional Access Control List(ACL) systems. Properties such as least privilege operations along with effective solutions to problems that plague ACL based implementations, such as the Confused Deputy problem makes Capabilities much more capable when compared with the current Mandatory Access Control (MAC)/ Discretionary Access Control(DAC) systems in use within the POSIX systems for implementing privilege separated applications. While some work has been done on integrating a capability system into Linux, the final implementation provided solution for a specific subset of problems that a typical Capability based systems addresses. We provide a kernel module that enhances the Linux File Descriptors (FD) with revocation property, that while providing as a starting point for future refinements and improvements for creating a Capability system, also provides sufficient advantages to existing work flows that involves privilege separation.

Published

2019

21. Effective Security and Access Control Framework for Multilevel Organizations

Author

Ei Ei Moe and Mie Mie Su Thwin

Subjects

Computer science, business.industry, Data security, Access control, Computer security, computer.software_genre, Security controls, Mandatory access control, Discretionary access control, Need to know, Role-based access control, Multilevel security, business, computer

Abstract

In many organizations, it is vital to protect sensitive and confidential data in today’s digital world. For this case such information is made as an open database system; businesses can face legal or financial ramifications. According to the various nature and structures of the organizations, they may not have the same defense and interrelated communities which consist of military services, bank, and other intelligence organizations. All kinds of organizations must set policies to systematically and consistently categorize their data security from theft and threats. There are many types of access control mechanisms depending on the nature of organization such as mandatory access control (MAC), role-based access control (RBAC), and discretionary access control (DAC). This proposed framework focuses on the common threats that can face in the multilevel organizations, the security mechanisms to be considered, and how to secure a database. Multilevel security system allows users with different clearance levels, authorization, and need to know ability to process information in the same system. Moreover, the technical security controls such as user authentication, file access authorization, data encryption, and privacy controls for each user are applied for this framework. The proposed system will present the implementation of effective security framework for multilevel organizations using Strict Integrity Policy by labeling clearances levels to system’s users and classification levels to system’s stored data.

Published

2019

22. Discretionary Access Control Method to Protect Blockchain Privacy

Author

Min-Sheng Tan, Lin Ding, and Jie Yang

Subjects

Blockchain, Computer science, business.industry, Access control, Plaintext, Computer security, computer.software_genre, Encryption, Discretionary access control, Order (business), Key (cryptography), business, computer, Database transaction

Abstract

Blockchain technology has been widely concerned by scholars and industry since it was put forward, and Banks, Internet of Things, Supply Chain, Government and Medical Industry have proposed using blockchain technology to solve their problems, respectively. However, there are some difficulties in the deployment of blockchain products. One important reason is privacy protection. In order to protect blockchain privacy, discretionary access control method is proposed, and the corresponding model and algorithm are given. Encryption algorithm is used to encrypt the blockchain transaction transactions to privacy transactions. The encryption key and access rights are encapsulated by Lagrange polynomial to form secret information sent to authorized users. Extracting enough secret information, authorized user groups work together to calculate the decryption key, and then obtain the transaction transactions plaintext and finally implement consensus mechanism to verify the transaction. Secret information safely self-destruct immediately if exceed effective time. Authorized users and effective time are entirely determined by the owner of the transaction. This paper realizes key distributed securely, achieves discretionary access control and fine-grained access control and provides strong privacy protection.

Published

2019

23. KDP scheme of preliminary key distribution in discretionary security policy

Author

Sergey V. Belim and S. Yu. Belim

Subjects

Scheme (programming language), 021110 strategic, defence & security studies, business.industry, Computer science, Distributed computing, 0211 other engineering and technologies, Key distribution, 02 engineering and technology, Computer security model, Encryption, Security policy, Discretionary access control, Control and Systems Engineering, Data exchange, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Software, computer.programming_language, Data transmission

Abstract

A modification of the KDP scheme for the distribution of encryption keys is considered as applied to a distributed computer system with a discretionary security model. Limited access is specified as forbidden channels of data transmission. The scheme of preliminary key distribution is designed in such a way that it is impossible for forbidden channels to create a key-pair for the data exchange. An example of the construction of the proposed scheme is presented.

Published

2016

24. EACF: extensible access control framework for cloud environments

Author

Muhammad Awais Shibli, Rahat Masood, Faria Mehak, and Islam Elgedway

Subjects

Service (systems architecture), Database, Computer access control, Computer science, business.industry, Software as a service, 020207 software engineering, Access control, Cloud computing, 02 engineering and technology, computer.software_genre, Discretionary access control, Resource (project management), 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, business, computer

Abstract

The dynamic authorization and continuous monitoring of resource usage in cloud environments is a challenge. Moreover, the extant access control techniques are not well-suited for all types of the cloud-hosted applications predominantly for two reasons. Firstly, these techniques lack in providing features such as generality, extensibility, and flexibility. Secondly, they are static in nature, such that once the user is authorized, they do not evaluate the access request during and after the resource usage. Every application hosted in the cloud has its own requirement of evaluating access request; some applications require request evaluation before assigning resources, while some require continuous monitoring of resource usage along with a dynamic update of attribute values. To address these diverse requirements, we present an Extensible Access Control Framework (EACF) for cloud-based applications, which provides high-level extensibility by incorporating different access control models about the needs of the Cloud service consumers (organizations). A number of access control models are combined in the EACF, which provides reliable authorization service for managing and controlling access to the software as a service-hosted cloud applications.It also helps cloud consumers to provide authorized access to resources (data), as well as contributes to eliminate the need to write customized security code for individual applications. As a case study, three access control models are incorporated into the framework and tested on SaaS-hosted application DSpace to ascertain that the proposed features are functional and working fine.

Published

2016

25. An extended access control mechanism exploiting data dependencies

Author

Davide Alberto Albertini, Barbara Carminati, and Elena Ferrari

Subjects

Functional dependencies, Risk, Query rewriting, Computer Networks and Communications, Computer science, Distributed computing, Access control, Cryptography, 02 engineering and technology, computer.software_genre, Discretionary access control, Set (abstract data type), Data dependencies, Software, Information Systems, Safety, Risk, Reliability and Quality, 020204 information systems, Extended Access Control, 0202 electrical engineering, electronic engineering, information engineering, Information system, Foreign key, Database, business.industry, Reliability and Quality, 020201 artificial intelligence & image processing, Safety, Functional dependency, business, computer

Abstract

In general, access control mechanisms in DBMSs ensure that users access only those portions of data for which they have authorizations, according to a predefined set of access control policies. However, it has been shown that access control mechanisms might be not enough. A clear example is the inference problem due to functional dependencies, which might allow a user to discover unauthorized data by exploiting authorized data. In this paper, we wish to investigate data dependencies (e.g., functional dependencies, foreign key constraints, and knowledge-based implications) from a different perspective. In particular, the aim was to investigate data dependencies as a mean for increasing the DBMS utility, that is, the number of queries that can be safely answered, rather than as channels for releasing sensitive data. We believe that, under given circumstances, this unauthorized release may give more benefits than issues. As such, we present a query rewriting technique capable of extending defined access control policies by exploiting data dependencies, in order to authorize unauthorized but inferable data.

Published

2016

26. Privacy preserving and delegated access control for cloud applications

Author

Xinfeng Ye

Subjects

Multidisciplinary, Cloud computing security, business.industry, Computer science, Client-side encryption, 020206 networking & telecommunications, Access control, Cloud computing, 02 engineering and technology, Encryption, Computer security, computer.software_genre, Discretionary access control, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, Data Protection Act 1998, 020201 artificial intelligence & image processing, business, computer, Computer network

Abstract

In cloud computing applications, users' data and applications are hosted by cloud providers. This paper proposed an access control scheme that uses a combination of discretionary access control and cryptographic techniques to secure users' data and applications hosted by cloud providers. Many cloud applications require users to share their data and applications hosted by cloud providers. To facilitate resource sharing, the proposed scheme allows cloud users to delegate their access permissions to other users easily. Using the access control policies that guard the access to resources and the credentials submitted by users, a third party can infer information about the cloud users. The proposed scheme uses cryptographic techniques to obscure the access control policies and users' credentials to ensure the privacy of the cloud users. Data encryption is used to guarantee the confidentiality of data. Compared with existing schemes, the proposed scheme is more flexible and easy to use. Experiments showed that the proposed scheme is also efficient.

Published

2016

27. A Precedent Approach to Assigning Access Rights

Author

N. F. Bogachenko, Sergey V. Belim, and A. N. Kabanov

Subjects

FOS: Computer and information sciences, History, Sequence, Theoretical computer science, Computer Science - Cryptography and Security, Relation (database), Basis (linear algebra), Discrete Mathematics (cs.DM), Process (engineering), Computer science, Computer Science - Artificial Intelligence, Analogy, Computer Science Applications, Education, Discretionary access control, Matrix (mathematics), Artificial Intelligence (cs.AI), Family of sets, Cryptography and Security (cs.CR), Computer Science - Discrete Mathematics

Abstract

To design a discretionary access control policy, a technique is proposed that uses the principle of analogies and is based on both the properties of objects and the properties of subjects. As attributes characterizing these properties, the values of the security attributes of subjects and objects are chosen. The concept of precedent is defined as an access rule explicitly specified by the security administrator. The problem of interpolation of the access matrix is formulated: the security administrator defines a sequence of precedents, it is required to automate the process of filling the remaining cells of the access matrix. On the family of sets of security attributes, a linear order is introduced. The principles of filling the access matrix on the basis of analogy with the dominant precedent in accordance with a given order relation are developed. The analysis of the proposed methodology is performed and its main advantages are revealed.

Published

2018

28. Multilayer Access for Database Protection

Author

Ivan Mikityuk, Leonid Kupershtein, Olesia Voitovych, and Vitalii Lukichov

Subjects

Authentication, Database, SIMPLE (military communications protocol), business.industry, Computer science, media_common.quotation_subject, Authorization, Cryptography, computer.software_genre, Data modeling, Discretionary access control, Layer (object-oriented design), business, Function (engineering), computer, media_common

Abstract

The analysis of modern database management systems and their security allows highlighting the main problem-poor protection against loss of user authentication data and the use of discretionary access control mechanism to the management function. Multilayer approach to the user's authorization in the database management systems as the main stage of protection is proposed. The modular system of authorization system divides in 3 layers. First layer is getting access to the user rights which can give user simple access to read database information. Second layer is getting access to the redactor rights. Third layer is getting personal administrator access to the all rights in database. Access to each subsequent layer is possible only after the getting the previous one. Every layer uses security mechanisms, which can help creator of database to protect his database from nonauthorized access.

Published

2018

29. Attribute-Based Access Control in Web Applications

Author

Ayesha Rahman, Tameem Ahmad, Asad Mohammed Khan, and Sadia Kauser

Subjects

Flexibility (engineering), business.industry, Computer science, Access control, Computer security, computer.software_genre, Object (computer science), Security policy, Mandatory access control, Discretionary access control, Role-based access control, Web application, business, computer

Abstract

Nowadays, controlling access to resources is a challenge and the security policies are also needed to be flexible. For providing access control, many access control models can be implemented like Discretionary Access control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) but there are certain limitations in them. Attribute-Based Access Control (ABAC) is the general model which could comprehend the benefits of these models while surpassing their demerits. In this work, we have explained how ABAC can be implemented on Web Application. For implementing ABAC, we have developed a sample web application for an organization to provide users and members access to different resources like course materials and project files. We have defined subject’s attributes, object’s attributes, and policies for it. In conclusion, ABAC can provide dynamic access permissions and flexibility to the access control mechanism in comparison to RBAC and is more secure than Trust-Based Access Control (TrustBAC).

Published

2018

30. Attaining Role-Based, Mandatory, and Discretionary Access Control for Services by Intercepting API Calls in Mobile Systems

Author

Lukas Gnirke, Steven A. Demurjian, and Yaira K. Rivera Sánchez

Subjects

021110 strategic, defence & security studies, Computer science, Health information technology, business.industry, 0211 other engineering and technologies, Cloud computing, Health information exchange, 02 engineering and technology, World Wide Web, Discretionary access control, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, business, Personally identifiable information, mHealth, Protected health information

Abstract

Mobile applications are quickly replacing traditional desktop computing for gaming, social media, email, web browsing, health and fitness, business usage, etc. Many of these mobile apps require that sensitive information (protected health information (PHI) and personally identifiable information (PII)) be displayed, accessed, modified, and stored. In the healthcare domain, there is a need for health information exchange (HIE) among patients and medical providers across a wide range of health information technology (HIT) systems such as electronic health records, e-prescribing, etc., all of which involve highly-sensitive data (PII and PHI) that is exchanged back and forth between the mobile application and its server-side repository/database. In the U.S. in 2015, the Office of the National Coordinator issued a report on certification rules for EHRs that has required that HIT vendors develop RESTful APIs for EHRs and other systems so that patients and medical providers using mobile health (mHealth) applications via the cloud can easily access their healthcare data from multiple sources. This necessitates the consideration that access control mechanisms are candidates to protect highly-sensitive data of such applications via the control of who can call which service. The paper presents the attainment of role-based (RBAC), mandatory (MAC), and discretionary (DAC) access control for RESTful API and cloud services via an Intercepting API Calls approach that is able to define and enforce users of mobile apps to limit the API/cloud services that can be invoked depending on a user’s permissions. The presented Intercepting API Calls approach is demonstrated via an existing mHealth application.

Published

2018

31. Ensuring Security in Cloud Computing Using Access Control: A Survey

Author

Fatima Sifou, Ali Kartit, and Ahmed Hammouch

Subjects

Cloud computing security, business.industry, Computer science, Data management, Access control, Cloud computing, Computer security, computer.software_genre, Mandatory access control, Discretionary access control, Scalability, Role-based access control, business, computer

Abstract

Currently, cloud computing has widely been implemented in several organizations. This is due to the fact that this new model delivers cost-efficient, flexibility and scalability computing resources to the clients. This has led to a growing demand of cloud implementations in different sectors. Although cloud computing facilitates data management, it still faces various security problems. So, it is important to examine cloud security issues before moving to this model. In particular, we focus on existing access control mechanisms in cloud computing. Actually, there exist multiple schemes that ensure data protection, such as DAC (Discretionary Access Control), MAC (Mandatory Access Control), RBAC (Role Base Access Control), ORBAC (Organizational Role Based Access Control) and ABAC (Attributes Based Access Control). The main contribution of this paper is to select the appropriate access control model that meets cloud constraints. Based on these considerations, ABAC model is more suitable to cloud environments compared to other models. In this regard, we provide a comprehensive taxonomy of different ABAC schemes.

Published

2018

32. Android Access Control Extension

Author

Branislav Madoš, Anton Baláž, and Michal Ambróz

Subjects

Computer access control, Computer science, Sandbox, Access control, Library and Information Sciences, computer.software_genre, Logical security, Management Information Systems, Discretionary access control, Android, Role-based access control, MAC, business.industry, QA75.5-76.95, Computer security model, Mandatory access control, Computer Science Applications, Policy, Network Access Control, Electronic computers. Computer science, Operating system, Security, Profile, business, computer, Information Systems

Abstract

The main objective of this work is to analyze and extend security model of mobile devices running on Android OS. Provided security extension is a Linux kernel security module that allows the system administrator to restrict program's capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. Module supplements the traditional Android capability access control model by providing mandatory access control (MAC) based on path. This extension increases security of access to system objects in a device and allows creating security sandboxes per application.

Published

2015

33. Analysis of SEAndroid Policies

Author

Xiangyu Zhang, Ninghui Li, Yousra Aafer, William Enck, and Haining Chen

Subjects

Unix, 021110 strategic, defence & security studies, Software_OPERATINGSYSTEMS, Computer science, 0211 other engineering and technologies, 020207 software engineering, 02 engineering and technology, computer.software_genre, Policy analysis, Popularity, Discretionary access control, Open source, Server, 0202 electrical engineering, electronic engineering, information engineering, Operating system, Malware, Android (operating system), computer

Abstract

Android has become a dominant computing platform, and its popularity has coincided with a surge of malware. The incorporation of Security-Enhanced Linux in Android (SEAndroid) is an important security enhancement to the platform. While SEAndroid adds the benefits of mandatory protection that SELinux brought to desktops and servers, the protection is only as good as the policy. Existing Android devices contain a wide variety of SEAndroid policies, depending on both the version of Android as well as the device manufacturer. In this paper, we present an approach to analyze SEAndroid policies in conjunction with the underlying Linux/Unix Discretionary Access Control policies. We apply our approach to four different versions of Android Open Source Project (AOSP) as well as devices from seven different manufacturers, and find several forms of unintentional privilege assignments.

Published

2017

34. Authorization Contracts

Author

Stephen Chong

Subjects

Computer access control, business.industry, Computer science, Context (language use), Access control, Computer security, computer.software_genre, Variety (cybernetics), Discretionary access control, Software, Component-based software engineering, Role-based access control, business, computer

Abstract

Software components have a wide variety of access control requirements. A one-size-fits-all access control framework will not meet the needs of all of these components.We propose an expressive framework for implementing access control monitors for components. The basis of the framework is a novel concept: the authority environment. An authority environment associates rights with an execution context. The building blocks of access control monitors in our framework are authorization contracts: software contracts that manage authority environments.We've used the framework to implement diverse access control mechanisms (including discretionary access control, stack inspection, history-based access control, and object capabilities), and to write custom access control monitors for three case studies.

Published

2017

35. Policy Adaptation in Attribute-Based Access Control for Inter-Organizational Collaboration

Author

Saptarshi Das, Jaideep Vaidya, Shamik Sural, and Vijayalakshmi Atluri

Subjects

021110 strategic, defence & security studies, Process management, Process (engineering), Computer science, business.industry, Heuristic, 0211 other engineering and technologies, 020206 networking & telecommunications, Access control, 02 engineering and technology, Discretionary access control, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, Algorithm design, Set (psychology), business, Adaptation (computer science)

Abstract

In Attribute-Based Access Control (ABAC), attributes are defined as characteristics of subjects, objects as well as environment, and access is granted or denied based on the values of these attributes. With increasing number of organizations showing interest in migrating to ABAC, it is imperative that algorithmic techniques be developed to facilitate the process. While the traditional ABAC policy mining approaches support the development of an ABAC policy from existing Discretionary Access Control (DAC) or Role-Based Access Control (RBAC) systems, they do not handle adaptation to the policy of a similar organization. As the policy itself need not be developed ab initio in this process, it provides agility and a faster migration path, especially for organizations participating in collaborative sharing of data. With the set of objects and their attributes given, along with an access control policy to be adapted to, the problem is to determine an optimal assignment of attributes to subjects so that a set of desired accesses can be granted. Here, optimality is in the number of ABAC rules the subjects would require to use to gain access to various objects. Such an approach not only helps in assisting collaboration between organizations, but also ensures efficient evaluation of rules during policy enforcement. We show that the optimal policy adaptation problem is NP-Complete and present a heuristic solution.

Published

2017

36. Different Access Control Mechanisms for Data Security in Cloud Computing

Author

Ahmed Hammouch, Ali Kartit, and Fatima Sifou

Subjects

business.industry, Computer science, 010401 analytical chemistry, Data security, 020206 networking & telecommunications, Access control, Cloud computing, Context (language use), 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Mandatory access control, 0104 chemical sciences, Discretionary access control, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, business, computer

Abstract

IT companies are largely adopting the emerging technology of cloud computing. Cloud computing technology provides cost-efficient computing resources with increased flexibility, and scalability. The primary concerns in cloud computing implementation are security and privacy. Access control models are used to address security threats and vulnerabilities. There are a variety of access control models, including DAC (Discretionary Access Control), MAC (Mandatory Access Control), RBAC (Role Base Access Control), ORBAC (Organizational Role Based Access Control) and ABAC (Attributes Based Access Control). As such it is important to analyze and compare the different existing access control models. To achieve this goal, we determine well defined criteria necessary within the context of current cloud computing requirements. Accordingly, we choose the appropriate model for the cloud environment.

Published

2017

37. An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security

Author

Nasir Mahmood, Mudassar Ahmad, Rehan Ashraf, and Muhammad Asif Habib

Subjects

Authentication, Computer access control, business.industry, Computer science, Separation of duties, 020206 networking & telecommunications, 020207 software engineering, Context (language use), Access control, 02 engineering and technology, Permission, Computer security, computer.software_genre, Discretionary access control, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, business, computer, Computer network

Abstract

Role-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control are providing critical functionalities. In practice, the RBAC model has three perspectives such as Access Control, End User, and Administrator. An access control model must be built while giving highest priority to Access Control dimension. It means that the system must be secure regarding authorization. Thus, the system may be less useful for end-users and administrators. In this paper, we categorize that the basic motivation behind RBAC model is the easiest administration compared to tight authorization that becomes the reason for the evolution of RBAC model. Tight authorization creates many problems to make a system secure regarding authorization. Therefore, the true dimensions of RBAC model are identified in this study to change the mindset of researchers that RBAC is evolved for easier administration instead of tight access control. We propose a solution to incorporate the concept of roles for relaxed administration along with the permission-based access control. Moreover, we conclude that the dynamic separation of duty (DSD) should be implemented by permissions instead of roles in RBAC model.

Published

2017

38. New access control policies for private network and protocol security

Author

Jalal Laassiri and Yousra Hafid

Subjects

Computer access control, Network security, Computer science, Covert channel, Access control, 02 engineering and technology, Asset (computer security), Internet security, Computer security, computer.software_genre, Security policy, Logical security, Security information and event management, Discretionary access control, Firewall (construction), Distributed System Security Architecture, 0202 electrical engineering, electronic engineering, information engineering, Information system, Role-based access control, Cloud computing security, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Security service, Network Access Control, Physical access, Network security policy, 020201 artificial intelligence & image processing, business, computer

Abstract

Access control is a means to implement within an information system to ensure its security. The development of two distinct themes which are: Access control and networking, to improve one by using the other. It is a vision that motivated us to look for existing methods to combine the two for the benefit of computer security [5, 23, 28, 31]. In fact, our work focuses on the paradigm of access control and its application. First, we studied the best-known access control models existing in the literature. Moreover, we defined the security concept network and protocol, by choosing a cloud system as a case study in order to apply a policy Access control at the level of a firewall to secure our system. Finally, the most appropriate model is presented for implementation based on the security policies and requirements of organizations and the specifications of each access control model.

Published

2017

39. A Semi-Formal Multi-Policy Secure Model for Semantic Spatial Trajectories

Author

Xingang Wang, Zhigang Gai, and Kuo Guo

Subjects

Computer science, business.industry, Access control, Bell–LaPadula model, Web Ontology Language, 02 engineering and technology, Semantics, computer.software_genre, Mandatory access control, Semi-formal, Discretionary access control, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, Data mining, business, computer, computer.programming_language

Abstract

With the proliferation of locating devices, more and more raw spatial trajectories are formed, and many works enrich these raw trajectories with semantics, and mine patterns from both raw and semantic trajectories, but access control of spatial trajectories is not considered yet. We present a multi-policy secure model for semantic spatial trajectories. In our model, Mandatory Access Control, Role Based Access Control and Discretionary Access control are all enforced, separately and combined, and we represent the model semi-formally in Web Ontology Language.

Published

2017

40. Logical Language of Certificate-Based Access Control in Security Models

Author

M. M. Kucherov and N. A. Bogulskaya

Subjects

060201 languages & linguistics, business.industry, Computer science, Access control, 06 humanities and the arts, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Certificate, Formal methods, Discretionary access control, 0602 languages and literature, 0202 electrical engineering, electronic engineering, information engineering, Role-based access control, 020201 artificial intelligence & image processing, Material implication, Discretionary policy, business, computer

Abstract

Over the last decades, we have seen several policy models, including role-based access control and more recently, certificate-base control. These models are based on the important notion "flow relation". In this work, we present a logical language of certificate-based access control. Our model presents the formal method of reasoning for discretionary access and defines logic to express a discretionary policy. We introduce, instead, material implication widely used in mathematics, and we show in a case study its ease in every sense. We find it allows the policy specifications to be interpreted more conveniently by practitioners and implemented in a simple way. Our evaluation shows that policies defined with material implication can be used for creation of the specification of a trust relationships policy and for checking safety of any computer system.

Published

2017

41. Domain 5

Author

Seth Misenar, Joshua Feldman, and Eric Conrad

Subjects

Authentication, business.industry, Computer science, Access control, Computer security, computer.software_genre, Identity management, Mandatory access control, Domain (software engineering), Discretionary access control, Role-based access control, Identity (object-oriented programming), business, computer

Abstract

This chapter focuses on the application of access control models such as mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC) represent a significant amount of this domain’s material. Understanding the key categories of access control defenses, as well as preventive, detective, corrective, recovery, deterrent, and compensating controls, is necessary for this and numerous other domains. The final major content area in this chapter is dealing with authentication by introducing methods, protocols, and concepts related to ensuring that an identity claim can be validated appropriately.

Published

2017

42. Multilabels-Based Scalable Access Control for Big Data Applications

Author

Hongsong Chen, Fu Zhongchuan, and Bharat Bhargava

Subjects

Information privacy, Computer access control, Database, Computer Networks and Communications, Computer science, business.industry, Big data, Hash function, Access control, computer.software_genre, Mandatory access control, Computer Science Applications, Discretionary access control, Computer Science (miscellaneous), Role-based access control, business, computer, Software

Abstract

Multidata sources and formats and multiuser types introduce new security and privacy challenges to big data applications. The authors propose a multilabels-based scalable access control framework for use in a Hadoop-based big data healthcare application. This framework combines active bundle, role-based access control (RBAC), attribute-based access control (ABAC), discretionary access control (DAC), and mandatory access control (MAC). The multilabels include data type, security degree, lifetime, number of replications, access policy, and hash value. In the framework, data type can be related to security degree. If the user has new access control requirements, the big data administrator can add, delete, or revise the labels to achieve a different access control granularity.

Published

2014

43. A flexible hierarchical access control mechanism enforcing extension policies

Author

Ya-Fen Chang

Subjects

Transitive relation, Computer access control, Computer Networks and Communications, business.industry, Computer science, Hash function, Access control, Computer security, computer.software_genre, Object (computer science), Mandatory access control, Discretionary access control, Role-based access control, business, computer, Information Systems, Computer network

Abstract

Some specific information or resources only can be accessed by authorized users. Discretionary access control DAC, mandatory access control MAC, and role-based access control RBAC are three main classes of access control policies. MAC and RBAC are more secure than discretionary access control because a system instead of an object's owner determines the policy. MAC is appropriate for multilevel applications with high security requirements such as military ones, while RBAC provides security and business benefits. Most institutions, companies, and governments are multilevel, so relationships between roles or security levels tend to be hierarchical. In this work, an access control mechanism, providing explicit transitive exception and antisymmetric arrangement, is proposed to provide flexible and appropriate solutions to hierarchical relationships. For practicability, no access control policy is strictly constrained in the proposed mechanism such that security classes can be determined according to specific requirements. The proposed mechanism employs an elliptic curve cryptosystem and a two-layer hash approach to ensure security and computation efficiency. Copyright © 2014 John Wiley & Sons, Ltd.

Published

2014

44. Secure Attribute-Based Access Control with a Ciphertext-Policy Attribute-Based Encryption Scheme

Author

Rifki Sadikin, Kil Houm Park, and Young-Ho Park

Subjects

Computer access control, Computer science, business.industry, Client-side encryption, Access control, Computer security, computer.software_genre, Encryption, Discretionary access control, Multiple encryption, Role-based access control, Attribute-based encryption, business, computer, Computer network

Abstract

An access control system is needed to ensure only authorized users can access a sensitive resource. We propose a secure access control based on a fully secure and fine grained ciphertext-policy attribute-based encryption scheme. The access control for a sensitive resource is ensured by encrypting it with encryption algorithm from the CP-ABE scheme parameterized by an access control policy. Furthermore, the proposed access control supports non-monotone type access control policy. The ciphertext only can be recovered by users whose attributes satisfy the access control policy. We also implement and measure the performance of our proposed access control. The results of experiments show that our proposed secure access control is feasible.

Published

2014

45. VIRTUAL LEARNING IN NIGERIAN UNIVERSITIES

Author

O M Adeyeye, I. T. Afolabi, and Ayo C. K

Subjects

Intranet, Hypertext Transfer Protocol, Computer science, computer.internet_protocol, General Medicine, Privilege (computing), World Wide Web, Discretionary access control, Upload, Lightweight Directory Access Protocol, Directory service, ComputingMilieux_COMPUTERSANDEDUCATION, Virtual learning environment, computer

Abstract

Currently, local area network (LAN) is commonplace in the Nigerian tertiary institutions and can be a good platform for distributing and disseminating instructional materials. Thus, this paper proposes to improve the quality of academics through online provision of learning resources based on Free and Open Source Software (FOSS); wired and wireless access to contents; and availability of the system 24/7. The system is based on third party software or FOSS called phpBB and Windows 2003 Server Active Directory Services. Both are installed and configured on an intranet. It has a discussion forum which is accessed through Hypertext Transfer Protocol using a web browser; and directory services for files/folders upload and download based on a set of privilege levels in Discretionary Access Control List (DACL) as a way of improving security. The system leads to the development of a virtual campus in Covenant University. Also, it has helpedimprove the quality of teaching by making lecture notes availably on the intranet, lecturer/studentinteraction, accessibility to teaching materials and reduce student’s idle time. The system helps in no small measure to correct the problems plaguing the educational sector such as examination malpractice, decline standards of education and cultism, as students are gainfully engaged in academic and social activities. The creation of a virtual campus would enhance the level of e-participation, and e-readiness of the graduate for the employment market. In particular, it bridges the divide between the developed and the developing nations.

Published

2014

46. Group-Based Discretionary Access Control in Health Related Repositories

Author

Dulce Domingos, Carlos Santos, Mário J. Silva, and João Zamite

Subjects

Group based, General Computer Science, Computer access control, business.industry, Computer science, Access control, Permission, Computer security, computer.software_genre, Data sharing, Discretionary access control, Scale (social sciences), Role-based access control, business, computer

Abstract

The authors introduce a group-based discretionary access control with decentralized permission and group management for scientific repositories. Currently, access control approaches for repositories have inflexible centralized administrations, which do not scale well to large numbers of users. Moreover, discretionary access control is a legal standard for health-related resources. The proposed access control model, which is formalized using Barker's Unifying Meta-model, differentiates permissions for data and meta-data, enabling the sharing of meta-data while protecting sensitive data. The authors describe how the model was implemented, and what challenges were tackled, in the Epidemic Marketplace, an open software information platform for epidemic studies, designed to foster cooperative behavior and data sharing.

Published

2014

47. Study on Access Control Based on Trusted Computing

Author

Xin Qiang Ma, Yi Huang, and Bo Lv

Subjects

business.industry, Computer science, Access control, General Medicine, Trusted Computing, Computer security, computer.software_genre, Trusted Network Connect, law.invention, Discretionary access control, law, Key (cryptography), Direct Anonymous Attestation, Trusted client, Trusted Platform Module, business, computer

Abstract

An important new technology has recently been developed that will revolutionize trust and security for online transactions. Conventionally, most of the security-relevant functions are concentrated within the operating system. Often, these functions, especially those dealing with access control, are commingled with object management functions. This article, abstracted from a new book on the subject, explains the key concepts and the exciting potential of Trusted Computing Platforms (often abbreviated to Trusted Platforms). We discuss access control in multilevel database management systems applies and illustrate the main applies of access control based on Trusted Computing in the LogicSQL database system.

Published

2013

48. The Study of Access Mechanism for the Security of Linux

Author

Cheng Jiong Wang

Subjects

Cloud computing security, Computer access control, business.industry, Computer science, Access control, General Medicine, computer.software_genre, Computer security, Logical security, Discretionary access control, Distributed System Security Architecture, Network Access Control, Physical access, Role-based access control, Operating system, business, Access control list, computer

Abstract

TCSEC standard is defined by the U.S. Department of Defense as the operating system security evaluation criteria. Under this standard, Linux system has a higher security level, but there are still some dangers, such as the coarseness of file access granularity. In this paper, we have studied the file access mechanism of Linux, analyzed the security module of LinuxLSM, and then designed the file access mechanism ACL, achieved fine-grained access to files, thus improving the system security level of Linux.

Published

2013

49. Design and Implementation of Role and Group Based Access Control with Context in Document Access Control System

Author

He Huang, Wei Kang, and Long Fan

Subjects

Multimedia, Computer access control, Computer science, business.industry, Access control, Context (language use), General Medicine, Permission, computer.software_genre, World Wide Web, Discretionary access control, Role-based access control, Systems design, business, computer

Abstract

In traditional role-based access control (Role Based Access Control, RBAC), proposed the role and user-groups based on access control with context-aware (Role and Group Based Access Control with Context, RGBACC) model. RGBACC can do unified functional management to users, and can dynamically change the user's permission by the information from application environment in the context of access and security-related .This article RGBACC model applied to the actual document access control system, and the system design and implementation of a detailed description.

Published

2013

50. Risk Assessment for Identifying Intrusion in Manet

Author

Shankar Reddy, M. Siva, and D. Raman

Subjects

Service (systems architecture), Network security, business.industry, Computer science, Wireless network, Access control, Computer security, computer.software_genre, Discretionary access control, Security service, Network Access Control, Secrecy, business, computer

Abstract

In this paper we have taken one of the most amazing network concepts which makes network simpler. By considering the aspect of both side as of good and its related issues like most important and unavoidable is i.e. "Security". Hence, enhancing the security in wireless networks has become of vital importance. In this perspective of concept, we mainly study two security aspects of wireless networks. One is service confidentiality and access control that is to ensure only legitimate users can access service data according to their privileges and in other perspective is of service attack. Wireless broadcast is a convenient and effective approach for disseminating data to a number of users. User training in computer and network security is crucial to the survival of modern networks, yet the methods employed to train users often seem ineffective. The secrecy issues in the context of mandatory and discretionary access control in a multilevel networked environment. Hence of, we stressed on two aspects key management scheme is proposed to address secrecy and efficiency in broadcast services, where keys are used for service confidentiality and access control.

Published

2013