Your search keyword '"S., DE CAPITANI DI VIMERCATI"' showing total 42 results

1. An authorization model for query execution in the cloud

Author

Pierangela Samarati, Giovanni Livraga, Sushil Jajodia, Sara Foresti, S. De Capitani di Vimercati, and S. Paraboschi

Subjects

021110 strategic, defence & security studies, Authorization model, Collaborative query evaluation, Equivalent attributes, Implicit attributes, Plaintext and encrypted visibility, Relation profile, Database, business.industry, Computer science, 0211 other engineering and technologies, Authorization, Cloud computing, 02 engineering and technology, computer.software_genre, Hardware and Architecture, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Settore ING-INF/05 - Sistemi di Elaborazione delle Informazioni, business, computer, Information Systems

Published

2021

2. Cloud Security

Author

S. De Capitani di Vimercati and Pierangela Samarati

Subjects

0301 basic medicine, 03 medical and health sciences, 030104 developmental biology, Cloud computing security, Computer science, 05 social sciences, 050301 education, Computer security, computer.software_genre, 0503 education, computer

Published

2016

3. A privacy-aware access control system

Author

Marco Cremonini, S. De Capitani di Vimercati, Pierangela Samarati, and Claudio Agostino Ardagna

Subjects

Computer access control, Computer Networks and Communications, business.industry, Group method of data handling, Computer science, Control (management), 020206 networking & telecommunications, Access control, 02 engineering and technology, Computer security, computer.software_genre, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Safety, Risk, Reliability and Quality, business, Personally identifiable information, computer, Software

Abstract

The protection of privacy is an increasing concern in our networked society because of the growing amount of personal information that is being collected by a number of commercial and public services. Emerging scenarios of user-service interactions in the digital world are then pushing toward the development of powerful and flexible privacy-aware models and languages. This paper aims at introducing concepts and features that should be investigated to fulfill this demand. We identify different types of privacy-aware policies: access control, release and data handling policies. The access control policies govern access/release of data/services managed by the party (as in traditional access control), and release policies govern release of personal identifiable information (PII) of the party and specify under which conditions it can be disclosed. The data handling policies allow users to specify and communicate to other parties the policy that should be enforced to deal with their data. We also discuss how data handling policies can be integrated with traditional access control systems and present a privacy control module in charge of managing, integrating, and evaluating access control, release and data handling policies.

Published

2008

4. XML-based access control languages

Author

Claudio Agostino Ardagna, S. De Capitani di Vimercati, Ernesto Damiani, and Pierangela Samarati

Subjects

Settore INF/01 - Informatica, Computer access control, Computer Networks and Communications, Computer science, computer.internet_protocol, Efficient XML Interchange, XACML, XML Signature, XML validation, computer.file_format, XML framework, World Wide Web, XML Schema Editor, Safety, Risk, Reliability and Quality, computer, Software, XML, computer.programming_language

Abstract

One of the most challenging problems in managing large, distributed, and heterogeneous networked systems is specifying and enforcing security policies regulating interactions between parties and access to services and resources. Recent proposals for specifying and exchanging access control policies adopt XML-based languages. XML appears in fact a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors. In this chapter, we first investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration in designing an access control language for Internet information systems. We then focus on XML-based access control languages and, in particular, on the eXtensible Access Control Markup Language (XACML), a recent OASIS standardization effort. XACML is designed to express authorization policies in XML against objects that are themselves identified in XML. XACML can represent the functionalities of most policy representation mechanisms.

Published

2004

5. Managing multiple and dependable identities

Author

Ernesto Damiani, Pierangela Samarati, and S. De Capitani di Vimercati

Subjects

Structure of Management Information, Information privacy, Computer Networks and Communications, business.industry, Computer science, Data management, Computer security, computer.software_genre, Identity management, Digital identity, Information sensitivity, Identity (object-oriented programming), Dependability, business, computer

Abstract

Digital management of multiple robust identities is a crucial issue in developing the next generation of distributed applications. Our daily activities increasingly rely on remote resources and services - specifically, on interactions between different, remotely located parties. Because these parties might (and sometimes should) know little about each other, digital identities - electronic representations of individuals' or organizations' sensitive information - help introduce them to each other and control the amount of information transferred. In its broadest sense, identity management encompasses definitions and life-cycle management for digital identities and profiles, as well as environments for exchanging and validating such information. Digital identity management - especially support for identity dependability and multiplicity - is crucial for building and maintaining trust relationships in today's globally interconnected society. We investigate the problems inherent in identity management, emphasizing the requirements for multiplicity and dependability. We enable a new generation of advanced MDDI services on the global information infrastructure.

Published

2003

6. Managing and sharing servents' reputations in P2P systems

Author

Ernesto Damiani, S. De Capitani di Vimercati, Pierangela Samarati, and Stefano Paraboschi

Subjects

Information privacy, business.industry, Computer science, Information sharing, media_common.quotation_subject, Internet privacy, Computer security, computer.software_genre, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Resource (project management), Computational Theory and Mathematics, Credibility, The Internet, Polling, business, computer, Information Systems, Reputation, media_common, Anonymity

Abstract

Peer-to-peer information sharing environments are increasingly gaining acceptance on the Internet as they provide an infrastructure in which the desired information can be located and downloaded while preserving the anonymity of both requestors and providers. As recent experience with P2P environments such as Gnutella shows, anonymity opens the door to possible misuses and abuses by resource providers exploiting the network as a way to spread tampered-with resources, including malicious programs, such as Trojan Horses and viruses. We propose an approach to P2P security where servants can keep track, and share with others, information about the reputation of their peers. Reputation sharing is based on a distributed polling algorithm by which resource requestors can assess the reliability of perspective providers before initiating the download. The approach complements existing P2P protocols and has a limited impact on current implementations. Furthermore, it keeps the current level of anonymity of requestors and providers, as well as that of the parties sharing their view on others' reputations.

Published

2003

7. [Untitled]

Author

Ernesto Damiani, Pierangela Samarati, S. De Capitani di Vimercati, and Stefano Paraboschi

Subjects

Computer Networks and Communications, Computer science, business.industry, XML-RPC, SOAP, computer.internet_protocol, XML Signature, Access control, computer.file_format, Computer security, computer.software_genre, World Wide Web, ebXML, XML Protocol, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, The Internet, Safety, Risk, Reliability and Quality, business, computer, Software, XML, Information Systems

Abstract

Remote service invocation via HTTP and XML promises to become an important component of the Internet infrastructure. Work is ongoing in the W3C XML Protocol Working Group to define a common standard, and solutions like SOAP and XML-RPC are already used in a few situations, demonstrating the potential. However, no standard technique for access control security is currently defined for these protocols. In this paper, we propose an approach that relies on the XML structure of SOAP requests to support fine-grained authorizations at the level of individual XML elements and attributes that comprise a SOAP call. The result is a simple yet general technique to specify and enforce fine-grained access control for e-services.

Published

2002

8. Controlling access to XML documents

Author

Ernesto Damiani, Stefano Paraboschi, S. De Capitani di Vimercati, and Pierangela Samarati

Subjects

XML Encryption, Information retrieval, Computer Networks and Communications, Computer science, Efficient XML Interchange, XML Signature, XML validation, computer.file_format, World Wide Web, XML Protocol, XML Schema Editor, Streaming XML, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, XML schema, computer, computer.programming_language

Abstract

Access control techniques for XML provide a simple way to protect confidential information at the same granularity level provided by XML schemas. In this article, we describe our approach to these problems and the design guidelines that led to our current implementation of an access control system for XML information.

Published

2001

9. Towards Flexible Credential Negotiation Protocols

Author

BONATTI, PIERO ANDREA, S. De Capitani di Vimercati, P. Samarati, B. Christianson, B. Crispo, J.A. Malcolm, M. Roe, Bonatti, PIERO ANDREA, S., De Capitani di Vimercati, and P., Samarati

Published

2003

10. On information leakage by indexes over data fragments

Author

S. De Capitani di Vimercati, S. Paraboschi, Sara Foresti, Pierangela Samarati, and Sushil Jajodia

Subjects

021110 strategic, defence & security studies, Information privacy, business.industry, Computer science, Search engine indexing, 0211 other engineering and technologies, Fragmentation (computing), Cryptography, 02 engineering and technology, computer.software_genre, Encryption, 020204 information systems, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, Confidentiality, Data mining, Settore ING-INF/05 - Sistemi di Elaborazione delle Informazioni, business, computer

Abstract

Data fragmentation has recently emerged as a complementary approach to encryption for protecting confidentiality of sensitive associations when storing data at external parties. In this paper, we discuss how the use of indexes, typically associated with the encrypted portion of the data, while desirable for providing effectiveness and efficiency in query execution, can - combined with fragmentation - cause potential leakage of confidential (encrypted or fragmented) information. We illustrate how the exposure to leakage varies depending on the kind of indexes. Such observations can result useful for the design of approaches assessing information exposure and for the definition of safe (free from inferences) indexes in fragmented data.

Published

2013

11. An Access Control Model for Data Archives

Author

Piero A. Bonatti, S. De Capitani di Vimercati, Ernesto Damiani, Pierangela Samarati, M. Dupuy, P. Paradinas, Bonatti, PIERO ANDREA, E., Damiani, S., De Capitani di Vimercati, and P., Samarati

Subjects

World Wide Web, Computer access control, Computer science, business.industry, Extended Access Control, Role-based access control, Access control, business, Computer security, computer.software_genre, computer

Abstract

We present an approach to enforce access control at data archives that need to make their data selectively available on the Web. The paper discusses protection requirements and access control policies for regulating access to the stored data. It presents a model for enforcing access control regulations and related language for expressing these regulations.

Published

2001

12. Expressive and deployable access control in open web service applications

Author

Claudio Agostino Ardagna, S. De Capitani di Vimercati, Pierangela Samarati, Mario Verdicchio, S. Paraboschi, and Eros Pedrini

Subjects

Information Systems and Management, Markup language, Computer Networks and Communications, Computer science, deployable access control, Interoperability, 0211 other engineering and technologies, XACML, Access control, 02 engineering and technology, computer.software_genre, World Wide Web, Consistency (database systems), web services, credentials, security policy communication, Server, 0202 electrical engineering, electronic engineering, information engineering, computer.programming_language, 021110 strategic, defence & security studies, Authentication, business.industry, 020206 networking & telecommunications, Computer Science Applications, Hardware and Architecture, Web service, business, Settore ING-INF/05 - Sistemi di Elaborazione delle Informazioni, computer

Abstract

Traditional access control solutions, based on preliminary identification and authentication of the access requester, are not adequate for the context of open web service systems, where servers generally do not have prior knowledge of the requesters. The research community has acknowledged such a paradigm shift and several investigations have been carried out for new approaches to regulate access control in open dynamic settings. Typically based on logic, such approaches, while appealing for their expressiveness, result not applicable in practice, where simplicity, efficiency, and consistency with consolidated technology are crucial. The eXtensible Access Control Markup Language (XACML) has established itself as the emerging technological solution for controlling access in an interoperable and flexible way. Although supporting the most common policy representation mechanisms and having acquired a significant spread in the research community and the industry, XACML still suffers from some limitations which impact its ability to support actual requirements of open web-based systems. In this paper, we provide a simple and effective formalization of novel concepts that have to be supported for enforcing the new access control paradigm needed in open scenarios, toward the aim of providing an expressive solution actually deployable with today's technology. We illustrate how the concepts of our model can be deployed in the XACML standard by exploiting its extension points for the definition of new functions, and introducing a dialog management framework to enable access control interactions between web service clients and servers.

Published

2011

13. Encryption-based policy enforcement for cloud storage

Author

Pierangela Samarati, Gerardo Pelosi, Sara Foresti, S. De Capitani di Vimercati, Sushil Jajodia, and S. Paraboschi

Subjects

Service (business), Access control policies, business.industry, Computer science, Internet privacy, Client-side encryption, 020206 networking & telecommunications, Access control, Cloud computing, 02 engineering and technology, Policy enforcement, Service provider, Computer security, computer.software_genre, Encryption, Access control policies, Authorization management, Policy enforcement, Service provider, User-generated content, Authorization management, External storage, User-generated content, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Cloud storage

Abstract

Nowadays, users are more and more exploiting external storage and connectivity for sharing and disseminating user-generated content. To this aim, they can benefit of the services offered by Internet companies, which however assume that the service provider is entitled to access the resources. To overcome this limitation, we present an approach that does not require complete trust in the external service w.r.t. both resource content and authorization management, while at the same time allowing users to delegate to the provider the enforcement of the access control policy on their resources. Our solution relies on the translation of the access control policy into an equivalent encryption policy on resources and on a hierarchical key structure that limits both the number of keys to be maintained and the amount of encryption to be enforced.

Published

2010

14. Access Control Models for XML

Author

Sara Foresti, Pierangela Samarati, S. De Capitani di Vimercati, and Stefano Paraboschi

Subjects

Xpath expression, Structure (mathematical logic), Settore INF/01 - Informatica, business.industry, Computer science, computer.internet_protocol, Access control, Path expression, World Wide Web, Computer data storage, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, business, computer, XML

Abstract

XML has become a crucial tool for data storage and exchange. In this chapter, after a brief introduction on the basic structure of XML, we illustrate the most important characteristics of access control models. We then discuss two models for XML documents, pointing out their main characteristics. We finally present other proposals, describing their main features and their innovation compared to the previous two models.

Published

2008

15. Privacy-Enhanced Location Services Information

Author

Marco Cremonini, Pierangela Samarati, S. De Capitani di Vimercati, Claudio Agostino Ardagna, and Ernesto Damiani

Subjects

Computer science, business.industry, Location-based service, Internet privacy, business

Published

2007

16. Recent Advances in Access Control

Author

Pierangela Samarati, S. De Capitani di Vimercati, and Sara Foresti

Subjects

Process (engineering), business.industry, Computer science, Access control, Limiting, business, Computer security, computer.software_genre, computer, Field (computer science)

Abstract

Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. Traditional access control models and languages result limiting for emerging scenarios, whose open and dynamic nature requires the development of new ways of enforcing access control. Access control is then evolving with the complex open environments that it supports, where the decision to grant an access may depend on the properties (attributes) of the requestor rather than her dentity and where the access control restrictions to be enforced may come from different authorities. These issues pose several new challenges to the design and implementation of access control systems. In this chapter, we present the emerging trends in the access control field to address the new needs and desiderata of today’s systems.

Published

2007

17. Privacy-enhanced Location-based Access Control

Author

Marco Cremonini, Claudio Agostino Ardagna, Pierangela Samarati, and S. De Capitani di Vimercati

Subjects

business.industry, Computer science, Privacy protection, Position (finance), Access control, Location based access control, business, Computer security, computer.software_genre, computer, Reliability (statistics)

Abstract

Advancements in location technologies reliability and precision are fostering the development of location-based services that make use of the location information of users. An increasingly important category of such services is represented by Location-based Access Control (LBAC) systems that integrate traditional access control mechanisms with access conditions based on the physical position of users and other attributes related to the users location. Since privacy is extremely important for users, protection of their location information is paramount to the success of such emerging location-based services.

Published

2007

18. Access Control Policies and Languages in Open Environments

Author

Sushil Jajodia, Pierangela Samarati, S. De Capitani di Vimercati, and Sara Foresti

Subjects

Discretionary access control, Computer access control, business.industry, Network Access Control, Role-based access control, Network security policy, Access control, Business, Computer security model, Security policy, Computer security, computer.software_genre, computer

Abstract

Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. Access control plays an important role in overall system security. The development of an access control system requires the definition of the regulations (policies) according to which access is to be controlled and their implementation as functions executable by a computer system. The access control policies are usually formalized through a security model, stated through an appropriate specification language, and then enforced by the access control mechanism enforcing the access control service. The separation between policies and mechanisms introduces an independence between protection requirements to be enforced on the one side, and mechanisms enforcing them on the other. It is then possible to: i) discuss protection requirements independently of their implementation, ii) compare different access control policies as well as different mechanisms that enforce the same policy, and iii) design mechanisms able to enforce multiple policies. This latter aspect is particularly important: if a mechanism is tied to a specific policy, a change in the policy would require changing the whole access control system; mechanisms able to enforce multiple policies avoid this drawback. The formalization phase between the policy definition and its implementation as a mechanism allows the definition of a formal model representing the policy and its working, making it possible to define and prove security properties that systems enforcing the model will enjoy [30].

Published

2007

19. Location Privacy Protection Through Obfuscation-Based Techniques

Author

S. De Capitani di Vimercati, Pierangela Samarati, Claudio Agostino Ardagna, Marco Cremonini, and Ernesto Damiani

Subjects

Engineering, Information privacy, Privacy by Design, business.industry, Privacy software, Privacy protection, Internet privacy, Computer security, computer.software_genre, User privacy, Obfuscation, Mobile telephony, Metric (unit), business, computer

Abstract

The widespread adoption of mobile communication devices combined with technical improvements of location technologies are fostering the development of a new wave of applications that manage physical positions of individuals to offer location-based services for business, social or informational purposes. As an effect of such innovative services, however, privacy concerns are increasing, calling for more sophisticated solutions for providing users with different and manageable levels of privacy. In this work, we propose a way to express users privacy preferences on location information in a straightforward and intuitive way. Then, based on such location privacy preferences, we discuss a new solution, based on obfuscation techniques, which permits us to achieve, and quantitatively estimate through a metric, different degrees of location privacy.

Published

2007

20. κ-Anonymity

Author

V. Ciriani, S. De Capitani di Vimercati, S. Foresti, and P. Samarati

Published

2007

21. Selective Data Encryption in Outsourced Dynamic Environments

Author

Sara Foresti, Sushil Jajodia, Stefano Paraboschi, Pierangela Samarati, S. De Capitani di Vimercati, and Ernesto Damiani

Subjects

General Computer Science, Computer science, Data management, Dynamic, Cryptography, Access control, Computer security, computer.software_genre, Encryption, Theoretical Computer Science, Outsourcing, Hierarchy, Key derivation function, Key derivation, Database, Settore INF/01 - Informatica, Encrypted databases, business.industry, Authorization, Client-side encryption, access control, dynamic, encrypted databases, hierarchy, key derivation, 56-bit encryption, 40-bit encryption, Attribute-based encryption, business, computer, Computer Science(all)

Abstract

The amount of information held by organizations' databases is increasing very quickly. A recently proposed solution to the problem of data management, which is becoming increasingly popular, is represented by database outsourcing. Several approaches have been presented to database outsourcing management, investigating the application of data encryption together with indexing information to allow the execution of queries at the third party, without the need of decrypting the data. These proposals assume access control to be under the control of the data owner, who has to filter all the access requests to data.In this paper, we put forward the idea of outsourcing also the access control enforcement at the third party. Our approach combines cryptography together with authorizations, thus enforcing access control via selective encryption. The paper describes authorizations management investigating their specification and representation as well as their enforcement in a dynamic scenario.

Published

2007

22. Microdata Protection

Author

V. Ciriani, S. De Capitani di Vimercati, S. Foresti, and P. Samarati

Published

2007

23. An Experimental Evaluation of Multi-Key Strategies for Data Outsourcing

Author

Sara Foresti, Sushil Jajodia, S. De Capitani di Vimercati, Stefano Paraboschi, Ernesto Damiani, and Pierangela Samarati

Subjects

Settore INF/01 - Informatica, Exploit, Database, business.industry, Process (engineering), Computer science, media_common.quotation_subject, Plaintext, Cryptography, Encryption, Computer security, computer.software_genre, Data outsourcing, Quality (business), business, computer, Host (network), media_common

Abstract

Data outsourcing is emerging today as a successful solution for organizations looking for a cost-effective way to make their data available for on-line querying. To protect outsourced data from unauthorized accesses, even from the (honest but curious) host server, data are encrypted and indexes associated with them enable the server to execute queries without the need of accessing cleartext. Current solutions consider the whole database as encrypted with a single key known only to the data owner, which therefore has to be kept involved in the query execution process. In this paper, we propose different multi-key data encryption strategies for enforcing access privileges. Our strategies exploit different keys, which are distributed to the users, corresponding to the different authorizations. We then present some experiments evaluating the quality of the proposed strategies with respect to the amount of cryptographic information to be produced and maintained.

Published

2007

24. Session details: Software and network exploits

Author

S. De Capitani di Vimercati

Subjects

Software, Exploit, Computer science, business.industry, Session (computer science), Routing (electronic design automation), business, Path stability, Computer network

Published

2006

25. A Mobile Agent Platform for Remote Measurement

Author

S. De Capitani di Vimercati, A. Ferrero, M. Lazzaroni, and M. Agents

Subjects

Engineering, Web server, business.industry, Computer security, computer.software_genre, Application software, law.invention, law, Control system, Systems engineering, Mobile agent, Instrumentation (computer programming), Resource consumption, business, Network availability, computer, Remote control

Abstract

Nowadays, remote control of instrumentation and remote measurement techniques represent a particularly interesting topic. Mature technologies are able to fully control devices and, in particular, help in remote measurement processes and calibrations. Now the attention is moved to other questions, such as resource consumption, network availability, client-server communication link etc. The mobile agents technology is capable of providing interesting solutions to the aforementioned problems and an investigation concerning the possibility to migrate this technology to the measurement world is advisable. This paper reports some preliminary considerations and examples of application about this interesting issue

Published

2006

26. Enhancing User Privacy Through Data Handling Policies

Author

S. De Capitani di Vimercati, Pierangela Samarati, and Claudio Agostino Ardagna

Subjects

Information privacy, Privacy by Design, Computer science, Privacy software, business.industry, Privacy policy, Context (language use), Access control, Service provider, Computer security, computer.software_genre, Information protection policy, Informed consent, Data Protection Act 1998, business, Personally identifiable information, computer

Abstract

The protection of privacy is an increasing concern in today's global infrastructure. One of the most important privacy protection principles states that personal information collected for one purpose may not be used for any other purpose without the specific informed consent of the person it concerns. Although users provide personal information for use in one specific context, they often have no idea on how such a personal information may be used subsequently. In this paper, we introduce a new type of privacy policy, called data handling policy, which defines how the personal information release will be (or should be) dealt with at the receiving party. A data handling policy allows users to define simple and appropriate levels of control over who sees what information about them and under which circumstances.

Published

2006

27. Extending Context Descriptions in Semantics-Aware Access Control

Author

Cristiano Fugazza, Pierangela Samarati, Ernesto Damiani, and S. De Capitani di Vimercati

Subjects

Context model, Description logic, Knowledge representation and reasoning, Computer science, business.industry, Entity–relationship model, Information access, Information system, Context (language use), Artificial intelligence, Ontology (information science), business, Data science

Abstract

Security is a crucial concern for commercial and mission critical applications in Web-based environments. In our model, context information associated with Access Control management policies is defined according to basic operators that can be represented using the Web Ontology Language. Standard inference procedures of Description Logics are being used to check the consistency of context information referred to by policy conditions and, more interestingly, to pre-process context information for grounding policy propagation and enabling conflict resolution. In this paper, we extend the model to encompass part-of relations between entities in context descriptions and, consequently, revise the policy propagation criteria being applied to the model to take into account the newly introduced relations. Finally, we exemplify modality conflicts arising from part-of relations, a category of extensional conflicts (i.e., inconsistencies related to individuals) that cannot be foreseen by looking at the terminology underlying context information.

Published

2006

28. Implementation of a Storage Mechanism for Untrusted DBMSs

Author

Sushil Jajodia, S. De Capitani di Vimercati, M. Finetti, S. Paraboschi, Pierangela Samarati, and Ernesto Damiani

Subjects

business.product_category, Database, Relational database, business.industry, Computer science, Cryptography, Software prototyping, Encryption, computer.software_genre, Database-centric architecture, Internet access, The Internet, business, Software architecture, computer

Abstract

Several architectures have been recently proposed that store relational data in encrypted form on untrusted relational databases. Such architectures permit the creation of novel Internet services and also offer an opportunity for a better construction of ASP solutions. Environments where there are limited resources that do not permit an efficient management of databases or where it is critical to offer a robust Internet access to private data may all benefit from the above architectures. In this paper we analyze the impact that this architecture has on the typical services of a database. The analysis is based on the experience gained in the construction of a prototype of a complete architecture for the management of encrypted databases. Specifically, we illustrate the impact on query translation and optimization, and the main components of the software architecture of the prototype.

Published

2005

29. Metadata Management in Outsourced Encrypted Databases

Author

Ernesto Damiani, Sara Foresti, Sushil Jajodia, S. De Capitani di Vimercati, Pierangela Samarati, and Stefano Paraboschi

Subjects

Database, Range query (data structures), business.industry, Computer science, Information processing, Usability, Access control, Service provider, computer.software_genre, Outsourcing, Metadata repository, Client–server model, Metadata, World Wide Web, Metadata management, business, computer

Abstract

Database outsourcing is becoming increasingly popular introducing a new paradigm, called database-as-a-service, where a client’s database is stored at an external service provider. Outsourcing databases to external providers promises higher availability and more effective disaster protection than in-house operations. This scenario presents new research challenges on which the usability of the system is based. In particular, one important aspect is the metadata that must be provided to support the proper working of the system. In this paper, we illustrate the metadata that are needed, at the client and server, to store and retrieve mapping information for processing a query issued by a client application to the server storing the outsourced database. We also present an approach to develop an efficient access control technique and the corresponding metadata needed for its enforcement.

Published

2005

30. Advanced Metadata for Privacy-Aware Representation of Credentials

Author

Pierangela Samarati, Cristiano Fugazza, S. De Capitani di Vimercati, Ernesto Damiani, and Paolo Ceravolo

Subjects

Context model, Information privacy, Computer science, business.industry, RDF Schema, computer.file_format, Ontology (information science), Metadata, World Wide Web, Ontology, The Internet, RDF, business, computer, Personally identifiable information, Semantic Web

Abstract

SemanticWeb languages like OWL and RDFS promise to be viable means for representing metadata describing users and resources available over the Internet. Recently, interest has been raised on the use of such languages to represent individual data items contained in Personally Identifiable Information (PII), supporting fine-grained release. To achieve this goal, the informative content of a credential must be dissected into atomic components so that users can selectively single out those to be released. In this paper, we outline methodologies for taking advantage of a distributed ontology-based framework for controlled release at both policy writing and evaluation time.

Published

2005

31. Key-management for multi-user encrypted databases

Author

Sushil Jajodia, S. De Capitani di Vimercati, Sara Foresti, Pierangela Samarati, Ernesto Damiani, and Stefano Paraboschi

Subjects

Focus (computing), Database, Encrypted databases, Computer science, business.industry, media_common.quotation_subject, Cryptography, Threats, Access control, Client-server architecture, Service provider, Computer security, computer.software_genre, Multi-user, Encryption, World Wide Web, Presentation, Key management, business, Settore ING-INF/05 - Sistemi di Elaborazione delle Informazioni, computer, Publication, media_common

Abstract

Database outsourcing is becoming increasingly popular introducing a new paradigm, called database-as-a-service (DAS), where an organization's database is stored at an external service provider. In such a scenario, access control is a very important issue, especially if the data owner wishes to publish her data for external use.In this paper, we first present our approach for the implementation of access control through selective encryption. The focus of the paper is then the presentation of the experimental results, which demonstrate the applicability of our proposal.

Published

2005

32. Access Control of SVG Documents

Author

Ernesto Damiani, Pierangela Samarati, S. De Capitani di Vimercati, and Eduardo Fernández-Medina

Subjects

Multimedia, business.industry, computer.internet_protocol, Computer science, Interoperability, Scalable Vector Graphics, Access control, computer.file_format, computer.software_genre, Vector graphics, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, The Internet, Raster graphics, Graphics, business, computer, XML

Abstract

The monolithic nature of traditional raster images makes controlled dissemination of their internal features a difficult task. Recently, however, XML-based graphics formats such as the Scalable Vector Graphics (SVG) standard are becoming increasingly popular due to their recognized advantages in terms of application interoperability. In this paper we exploit the XML-based data model of SVG to present a model and a syntax aimed at selectively controlling access to graphic information on the Internet.

Published

2003

33. Designing a three-layer ontology in a Web-based interconnection scenario

Author

Silvana Castano, V. De Antonellis, Michele Melchiori, and S. De Capitani di Vimercati

Subjects

Collaborative software, business.industry, computer.internet_protocol, Computer science, Ontology-based data integration, Information sharing, Ontology (information science), Domain (software engineering), World Wide Web, Ontology, Web application, business, computer, XML, Electronic data interchange

Abstract

We consider an interconnection scenario over the Web, where diverse pre-existing and independent companies wish to cooperate and use XML as a common language for information interchange. To effectively support cooperation and information sharing, we propose an integration approach to design a three-layer ontology providing a semantic representation of the interorganizational knowledge in the considered domain. The ontology is organized into global concepts and concept relationships at different levels of detail, with a topic-based view. Global concepts are derived by analyzing exchange information and associated descriptions provided by each involved company, using integration techniques. Subject categories are superimposed to global concepts to give a summary, topic-based view of the interorganizational knowledge of the considered scenario, and to provide involved users with a meaningful way for information search and localization.

Published

2002

34. Secure access wrapper: mediating security between heterogeneous databases

Author

M. Bilello, Y. Tan, J. Akella, Patrick Lincoln, Steven Dawson, G. Wiederhold, S. De Capitani di Vimercati, and Pierangela Samarati

Subjects

Database, Computer science, Information sharing, Information security, computer.software_genre, Computer security, Asset (computer security), Security information and event management, World Wide Web, Information sensitivity, Information security audit, Information security management, computer, Information exchange

Abstract

Organizations today are faced with an ever-increasing need to become more efficient in their methods for exchange of information with consumers, collaborators, and partners. Unfortunately existing mechanisms for such information exchange provide nowhere near the levels of both security and automation required to satisfy this need. Effective information sharing and dissemination can take place only if the data holders have assurance that access constraints on the information they own or manage will be respected and that, while releasing information, disclosure of sensitive information is not a risk. The Secure Access Wrapper (SAW) project is a collaborative effort between SRI International and Stanford University to develop techniques that provide substantially more automation and assurance than has previously been available for secure, selective information sharing. The SAW project is sponsored by DARPA ITO under the Wrappers and Composition focus area of the Information Survivability program.

Published

2002

35. Measuring inference exposure in outsourced encrypted databases

Author

Ernesto Damiani, Pierangela Samarati, Sara Foresti, Marco Viviani, S. De Capitani di Vimercati, Gollmann, D, Massacci, F, Yautsiukhin, A, Damiani, E, De Capitani Di Vimercati, S, Foresti, S, Samarati, P, and Viviani, M

Subjects

Database, Computer science, business.industry, Association (object-oriented programming), Search engine indexing, Hash function, InformationSystems_DATABASEMANAGEMENT, Inference, Plaintext, Service provider, Encryption, computer.software_genre, Aggregation Operators, Fuzzy Logic, Privacy, Security, Tuple, business, computer

Abstract

Database outsourcing is becoming increasingly popular introducing a new paradigm, called database-as-a-service, where an encrypted client's database is stored at an external service provider. Existing proposals for querying encrypted databases are based on the association, with each encrypted tuple, of additional indexing information obtained from the plaintext values of attributes that can be used in the queries. However, the relationship between indexes and data should not open the door to inference and linking attacks that can compromise the protection granted by encryption.

36. Specification and enforcement of classification and inference constraints

Author

Pierangela Samarati, S. De Capitani di Vimercati, and Steven Dawson

Subjects

Set (abstract data type), Information privacy, Data element, Computer science, Data classification, Inference, Data mining, computer.software_genre, Database design, computer, Mandatory access control, Data administration

Abstract

Although mandatory access control in database systems has been extensively studied in recent years, and several models and systems have been proposed, capabilities for enforcement of mandatory constraints remain limited. Lack of support for expressing and combating inference channels that improperly leak protected information remains a major limitation in today's multilevel systems. Moreover the working assumption that data are classified at insertion time makes previous approaches inapplicable to the classification of existing, possibly historical, data repositories that need to be classified for release. Such a capability would be of great benefit to, and appears to be in demand by, governmental, public and private institutions. We address the problem of classifying existing data repositories by taking into consideration explicit data classification as well as association and inference constraints. Constraints are expressed in a unified, DBMS- and model-independent framework, making the approach largely applicable. We introduce the concept of minimal classification as a labeling of data elements that while satisfying the constraints, ensures that no data element is classified at a level higher than necessary. We also describe a technique and present an algorithm for generating data classifications that are both minimal and preferred according to certain criteria. Our approach is based on preprocessing, or compiling, constraints to produce a set of simple classification assignments that can then be efficiently applied to classify any database instance.

37. Supporting Users in Data Outsourcing and Protection in the Cloud

Author

Giovanni Livraga, Sara Foresti, S. De Capitani di Vimercati, and Pierangela Samarati

Subjects

business.industry, Computer science, media_common.quotation_subject, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, 020204 information systems, Data outsourcing, 0202 electrical engineering, electronic engineering, information engineering, Quality (business), business, computer, media_common

Abstract

Moving data and applications to the cloud allows users and companies to enjoy considerable benefits. However, these benefits are also accompanied by a number of security issues that should be addressed. Among these, the need to ensure that possible requirements on security, costs, and quality of services are satisfied by the cloud providers, and the need to adopt techniques ensuring the proper protection of their data and applications. In this paper, we present different strategies and solutions that can be applied to address these issues.

38. Towards privacy-enhanced authorization policies and languages

Author

Ernesto Damiani, Pierangela Samarati, Claudio Agostino Ardagna, and S. De Capitani di Vimercati

Subjects

Computer science, business.industry, Authorization, Public policy, Access control, Legislation, Confidentiality, Project management, business, Computer security, computer.software_genre, computer, Identity management

Abstract

The protection of privacy in today's global infrastructure requires the combined application solution from technology (technical measures), legislation (law and public policy), and organizational and individual policies and practices. Emerging scenarios of user-service interactions in the digital world are also pushing toward the development of powerful and flexible privacy-enhanced models and languages. This paper aims at introducing concepts and features that should be investigated to fulfill this demand. In particular, the content of this paper is a result of our ongoing activity in the framework of the PRIME project (Privacy and Identity Management for Europe), funded by the European Commission, whose objective is the development of privacy-aware solutions for enforcing security.

39. Balancing confidentiality and efficiency in untrusted relational DBMSs

Author

Stefano Paraboschi, Pierangela Samarati, S. De Capitani di Vimercati, Sushil Jajodia, and Ernesto Damiani

Subjects

Database, Computer science, business.industry, Search engine indexing, Cryptography, Database encryption, Service provider, computer.software_genre, Encryption, Computer security, Server, Secrecy, Data center, business, computer

Abstract

The scope and character of today's computing environments are progressively shifting from traditional, one-on-one client-server interaction to the new cooperative paradigm. It then becomes of primary importance to provide means of protecting the secrecy of the information, while guaranteeing its availability to legitimate clients. Operating on-line querying services securely on open networks is very difficult; therefore many enterprises outsource their data center operations to external application service providers. A promising direction towards prevention of unauthorized access to outsourced data is represented by encryption. However, data encryption is often supported for the sole purpose of protecting the data in storage and assumes trust in the server, that decrypts data for query execution.In this paper, we present a simple yet robust single-server solution for remote querying of encrypted databases on untrusted servers. Our approach is based on the use of indexing information attached to the encrypted database which can be used by the server to select the data to be returned in response to a query without the need of disclosing the database content. Our indexes balance the trade off between efficiency requirements in query execution and protection requirements due to possible inference attacks exploiting indexing information. We also investigate quantitative measures to model inference exposure and provide some related experimental results.

40. Managing privacy in LBAC systems

Author

Marco Cremonini, Pierangela Samarati, Ernesto Damiani, Claudio Agostino Ardagna, and S. De Capitani di Vimercati

Subjects

Obfuscation (software), Information privacy, Computer science, Location-based service, Key (cryptography), Mobile computing, Data security, Relevance (information retrieval), Information security, Computer security, computer.software_genre, computer

Abstract

One of the main challenges for privacy-aware location-based systems is to strike a balance between privacy preferences set by users and location accuracy needed by location-based services (LBSs). To this end, two key requirements must be satisfied: the availability of techniques providing for different degrees of user location privacy and the possibility of quantifying such privacy degrees. To address the first requirement, we describe two obfuscation techniques. For the second requirement, we introduce the notion of relevance as the estimator for the degree of location obfuscation. This way, location obfuscation can be adjusted to comply with both user preferences and LBS accuracy requirements.

41. Automated derivation of global authorizations for database federations

Author

S. De Capitani di Vimercati, Silvana Castano, and Mariagrazia Fugini

Subjects

Discretionary access control, Database, Computer Networks and Communications, Hardware and Architecture, Computer science, Authorization, Safety, Risk, Reliability and Quality, computer.software_genre, computer, Software

42. Security, Privacy, and Trust in Mobile Systems and Applications

Author

Pierangela Samarati, Marco Cremonini, Angelo Corallo, Ernesto Damiani, SABRINA DE CAPITANI DI VIMERCATI, Gianluca ELIA, MARGHERITA PAGANI, Corallo, Angelo, M., Cremonini, E., Damiani, S., DE CAPITANI DI VIMERCATI, Elia, Gianluca, and P., Samarati

Subjects

Information privacy, Cloud computing security, Privacy by Design, Privacy software, business.industry, Internet privacy, Mobile computing, Identity management system, Digital Rights Management, Computer security, computer.software_genre, Personal Identity Management, Security service, Business, Computational trust, computer, Personally identifiable information

Abstract

Mobile systems and applications are raising some important information security and privacy issues. This chapter discusses the need for privacy and security in mobile systems and presents technological trends which highlight that this issue is of growing concern.

Published

2011