Access Control and Information Flow Control for Web Services Security

2016 ◽  
Vol 11 (1) ◽  
pp. 44-76 ◽  
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Access Control and Information Flow Control for Web Services Security

2020 ◽  
pp. 185-219
Author(s):  
Saadia Kedjar ◽  
Abdelkamel Tari ◽  
Peter Bertok
Keyword(s):  
Web Services ◽  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Information Flow Control ◽  
User Access ◽  
Web Services Security ◽  
Information Confidentiality ◽  
Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

LOCKING PROTOCOL FOR INFORMATION FLOW CONTROL

2004 ◽  
Vol 05 (03) ◽  
pp. 233-247 ◽  
Author(s):  
RYUNG CHON ◽  
KOUHEI TAKEDA ◽  
TOMOYA ENOKIDO ◽  
MAKOTO TAKIZAWA
Keyword(s):  
Access Control ◽  
Flow Control ◽  
Information Flow ◽  
Single Server ◽  
Role Based Access Control ◽  
Information Flow Control ◽  
Server Systems ◽  
Locking Protocol ◽  
Role Based ◽  
Multi Server

We discuss a novel role locking protocol (RLP) to prevent illegal information flow among objects in a role-based access control (RBAC) model. In this paper, we define a conflicting relation among roles "a role R1 conflicts with another role R2" to show that illegal information flow may occur if a transaction associated with role R1 is performed before another transaction with role R2. Here, we introduce a role lock on an object to abort a transaction with role R1 if another transaction with role R2 had been already performed on the object. Role locks are not released even if transactions issuing the role locks commit. After data in an object o1 flow to another object o2, if the object o1 is updated, the data in the object o2 is independent of the object o1, i.e. obsolete. A role lock on an object can be released if information brought into the object is obsolete. We discuss how to release obsolete role locks. We also discuss how to implement the role locking protocol in single-server and multi-server systems.

Sign in / Sign up

Export Citation Format

Share Document