Semantic Comparison of Security Policies: From Access Control Policies to Flow Properties

Author(s):  
Mathieu Jaume
2018 ◽  
Vol 2018 ◽  
pp. 1-22 ◽  
Author(s):  
Faouzi Jaïdi ◽  
Faten Labbene Ayachi ◽  
Adel Bouhoula

Substantial advances in Information and Communication Technologies (ICT) bring out novel concepts, solutions, trends, and challenges to integrate intelligent and autonomous systems in critical infrastructures. A new generation of ICT environments (such as smart cities, Internet of Things,edge-fog-social-cloudcomputing, and big data analytics) is emerging; it has different applications to critical domains (such as transportation, communication, finance, commerce, and healthcare) and different interconnections via multiple layers of public and private networks, forming a grid of critical cyberphysical infrastructures. Protecting sensitive and private data and services in critical infrastructures is, at the same time, a main objective and a great challenge for deploying secure systems. It essentially requires setting up trusted security policies. Unfortunately, security solutions should remain compliant and regularly updated to follow and track the evolution of security threats. To address this issue, we propose an advanced methodology for deploying and monitoring the compliance of trusted access control policies. Our proposal extends the traditional life cycle of access control policies with pertinent activities. It integrates formal and semiformal techniques allowing the specification, the verification, the implementation, the reverse-engineering, the validation, the risk assessment, and the optimization of access control policies. To automate and facilitate the practice of our methodology, we introduce our systemSVIRVROthat allows managing the extended life cycle of access control policies. We refer to an illustrative example to highlight the relevance of our contributions.


2011 ◽  
Vol 48-49 ◽  
pp. 470-473
Author(s):  
Jun Ma ◽  
Zhi Ying Wang ◽  
Jiang Chun Ren ◽  
Jiang Jiang Wu ◽  
Yong Cheng ◽  
...  

The existence of trusted subjects is a major complication in implementing multilevel secure (MLS) systems. In MLS, trusted subjects are granted with privileges to perform operations possibly violating mandatory access control policies. It is difficult to prevent them from data leakage with out too strict confinement. This paper reconsiders the privilege from the view of sensitive data and presents a dynamic trusted domain (DTD) mechanism for trusted subjects. In DTD, a domain is associated with a special label structure (LabelVector) distinguishing security policies and builds an isolated environment based on virtualization for a certain trusted subject. The channel for the trusted subject to communicate with outsider is controlled by a trusted request decision maker (TRDM). Only the request satisfies the rules on domain label and security levels can be passed through.


2008 ◽  
Vol 10 (4) ◽  
pp. 1-37 ◽  
Author(s):  
Luc Bouganim ◽  
Francois Dang Ngoc ◽  
Philippe Pucheral

2002 ◽  
Vol 5 (1) ◽  
pp. 1-35 ◽  
Author(s):  
Piero Bonatti ◽  
Sabrina De Capitani di Vimercati ◽  
Pierangela Samarati

Author(s):  
Thanh-Nhan Luong ◽  
Hanh-Phuc Nguyen ◽  
Ninh-Thuan Truong

The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may arise potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written by Java EE according to the MVC architecture under the support of the Spring Security framework. The approach can help developers in detecting flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool is also experimented with a number of access violation scenarios in the medical record management system.


Sign in / Sign up

Export Citation Format

Share Document