International Conferences: SACMAT 2015, Vienna

SoS Newsletter

International Conferences:

Access Control Models and Technologies 2015


The 20th ACM Symposium on Access Control Models and Technologies (SACMAT) was held June 1–3, 2015 in Vienna, Austria. The aims of the symposium were to share novel access control solutions that fulfil the needs of heterogeneous applications and environments, and to identify new directions for future research and development. The editors deem works cited here useful to the Science of Security community. 

Lionel Montrieux, Zhenjiang Hu; “Towards Attribute-Based Authorisation for Bidirectional Programming,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 185–196. doi:10.1145/2752952.2752963
Abstract: Bidirectional programming allows developers to write programs that will produce transformations that extract data from a source document into a view. The same transformations can then be used to update the source in order to propagate the changes made to the view, provided that the transformations satisfy two essential properties.  Bidirectional transformations can provide a form of authorisation mechanism. From a source containing sensitive data, a view can be extracted that only contains the information to be shared with a subject. The subject can modify the view, and the source can be updated accordingly, without risk of release of the sensitive information to the subject. However, the authorisation model afforded by bidirectional transformations is limited. Implementing an attribute-based access control (ABAC) mechanism directly in bidirectional transformations would violate the essential properties of well-behaved transformations; it would contradict the principle of separation of concerns; and it would require users to write and maintain a different transformation for every subject they would like to share a view with.  In this paper, we explore a solution to enforce ABAC on bidirectional transformations, using a policy language from which filters are generated to enforce the policy rules.
Keywords: access control, authorization, bidirectional transformation (ID#: 15-6910)


Jun Zhu, Bill Chu, Heather Lipford, Tyler Thomas; “Mitigating Access Control Vulnerabilities through Interactive Static Analysis,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 199–209. doi:10.1145/2752952.2752976
Abstract: Access control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.
Keywords: access control vulnerability, secure programming, static analysis (ID#: 15-6911)


Claudio Soriente, Ghassan O. Karame, Hubert Ritzdorf, Srdjan Marinovic, Srdjan Capkun; “Commune: Shared Ownership in an Agnostic Cloud,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 39–50. doi:10.1145/2752952.2752972
Abstract: Cloud storage platforms promise a convenient way for users to share files and engage in collaborations, yet they require all files to have a single owner who unilaterally makes access control decisions. Existing clouds are, thus, agnostic to shared ownership. This can be a significant limitation in many collaborations because, for example, one owner can delete files and revoke access without consulting the other collaborators.  In this paper, we first formally define a notion of shared ownership within a file access control model. We then propose a solution, called Commune, to the problem of distributed enforcement of shared ownership in agnostic clouds, so that access grants require the support of an agreed threshold of owners. Commune can be used in existing clouds without modifications to the platforms. We analyze the security of our solution and evaluate its performance through an implementation integrated with Amazon S3.
Keywords: cloud security, distributed enforcement, shared ownership (ID#: 15-6912)


Jingwei Li, Anna Squicciarini, Dan Lin, Shuang Liang, Chunfu Jia; “SecLoc: Securing Location-Sensitive Storage in the Cloud,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 51–61. doi:10.1145/2752952.2752965
Abstract: Cloud computing offers a wide array of storage services. While enjoying the benefits of flexibility, scalability and reliability brought by cloud storage, cloud users also face the risk of losing control of their own data, in part because they do not know where their data is actually stored. This raises a number of security and privacy concerns regarding one’s sensitive data such as health records. For example, according to Canadian laws, data related to personally identifiable information must be stored within Canada. Nevertheless, in contrast to the urgent demands, privacy requirements regarding cloud storage locations have not been well investigated in the current cloud computing market, fostering security and privacy concerns among potential adopters. Aiming at addressing this emerging critical issue, we propose a novel secure location-sensitive storage framework, called SecLoc, which offers protection for cloud users’ data following the storage location restrictions, with minimum management overhead to existing cloud storage services. We conduct security analysis, complexity analysis and experimental evaluation on the proposed SecLoc system. Our results demonstrate both the effectiveness and efficiency of our mechanism.
Keywords: access control, attribute-based encryption, cloud storage, location sensitive (ID#: 15-6913)


Zeqing Guo, Weili Han, Liangxing Liu, Wenyuan Xu, Ruiqi Bu, Minyue Ni; “SPA: Inviting Your Friends to Help Set Android Apps,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 221–231. doi:10.1145/2752952.2752974
Abstract: More and more powerful personal smart devices take users, especially the elderly, into a disaster of policy administration where users are forced to set personal management policies on these devices. Considering a real case of this issue in Android security, it is hard for users, even some programmers, to generally identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, referred to as Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA leverages the basic idea that a user may invite his or her friends to help set the applications. Especially, when the number of invited friends increases, the setting result can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA, and propose an enforcement framework where users’ friends can help users set applications without leakage of the friends’ preferences, with the support of a privacy-preserving mechanism. In our prototype, we only leverage partially homomorphic encryption cryptosystems to implement our framework, because fully homomorphic encryption is not yet acceptable for deployment in a practical service. Based on our prototype and performance evaluation, SPA is promising to support major types of policies in current popular applications with acceptable performance.
Keywords: android, policy administration, policy based management, social computing, socialized policy administration (ID#: 15-6914)


Carlos E. Rubio-Medrano, Ziming Zhao, Adam Doupe, Gail-Joon Ahn; “Federated Access Management for Collaborative Network Environments: Framework and Case Study,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 125–134. doi:10.1145/2752952.2752977
Abstract: With the advent of various collaborative sharing mechanisms such as Grids, P2P and Clouds, organizations including private and public sectors have recognized the benefits of being involved in inter-organizational, multi-disciplinary, and collaborative projects that may require diverse resources to be shared among participants. In particular, an environment that often makes use of a group of high-performance network facilities would involve large-scale collaborative projects and tremendously seek a robust and flexible access control for allowing collaborators to leverage and consume resources, e.g., computing power and bandwidth. In this paper, we propose a federated access management scheme that leverages the notion of attributes. Our approach allows resource-sharing organizations to provide distributed provisioning (publication, location, communication, and evaluation) of both attributes and policies for federated access management purposes. Also, we provide a proof-of-concept implementation that leverages distributed hash tables (DHT) to traverse chains of attributes and effectively handle the federated access management requirements devised for inter-organizational resource sharing and collaborations.
Keywords: (not provided) (ID#: 15-6915)


Ha Thanh Le, Cu Duy Nguyen, Lionel Briand, Benjamin Hourte; “Automated Inference of Access Control Policies for Web Applications,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 27–37. doi:10.1145/2752952.2752969
Abstract: In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. Then, we apply a machine learning technique to infer access rules. Inconsistent rules are then analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated based on pre-specified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications; one is open source while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of inferred rules and the access control vulnerabilities it helped detect.
Keywords: access control policies, inference, machine learning (ID#: 15-6916)


Syed Zain R. Rizvi, Philip W.L. Fong, Jason Crampton, James Sellwood; “Relationship-Based Access Control for an Open-Source Medical Records System,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 113–134. doi:10.1145/2752952.2752962
Abstract: Inspired by the access control models of social network systems, Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose access control paradigm for application domains in which authorization must take into account the relationship between the access requestor and the resource owner. The healthcare domain is envisioned to be an archetypical application domain in which ReBAC is sorely needed: e.g., my patient record should be accessible only by my family doctor, but not by all doctors.  In this work, we demonstrate for the first time that ReBAC can be incorporated into a production-scale medical records system, OpenMRS, with backward compatibility to the legacy RBAC mechanism. Specifically, we extend the access control mechanism of OpenMRS to enforce ReBAC policies. Our extensions incorporate and extend advanced ReBAC features recently proposed by Crampton and Sellwood. In addition, we designed and implemented the first administrative model for ReBAC. In this paper, we describe our ReBAC implementation, discuss the system engineering lessons learnt as a result, and evaluate the experimental work we have undertaken. In particular, we compare the performance of the various authorization schemes we implemented, thereby demonstrating the feasibility of ReBAC.
Keywords: administrative model, authorization graph, authorization principal, medical records system, relationship-based access control (ID#: 15-6917)


Weili Han, Yin Zhang, Zeqing Guo, Elisa Bertino; “Fine-Grained Business Data Confidentiality Control in Cross-Organizational Tracking,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 135–145. doi:10.1145/2752952.2752973
Abstract: With the support of Internet of Things (IoT for short) technologies, tracking systems are being widely deployed in many companies and organizations in order to provide more efficient and trustworthy delivery services. Such systems usually support easy-to-use interfaces, by which users can visualize the shipping status and progress of merchandise, according to business data which are collected directly from the merchandise through sensing technologies. However, these business data may include sensitive business information, which should be strongly protected in cross-organizational scenarios. Thus, it is critical for suppliers that the disclosure of such data to unauthorized users is prevented in the context of the open environment of these tracking systems. As business data from different suppliers and organizations are usually associated together with the merchandise being shipped, it is also important to support fine-grained confidentiality control. In this paper, we articulate the problem of fine-grained business data confidentiality control in IoT-enabled cross-organizational tracking systems. We then propose a fine-grained confidentiality control mechanism, referred to as xCP-ABE, to address the problem in the context of an open environment. The xCP-ABE mechanism is a novel framework which makes suppliers in tracking systems able to selectively authorize specific sets of users to access their sensitive business data and preserves the confidentiality of the transmission path of goods. We develop a prototype of the xCP-ABE mechanism, and then evaluate its performance. We also carry out a brief security analysis of our proposed mechanism. Our evaluation and analysis show that our framework is an effective and efficient solution to ensure the confidentiality of business data in cross-organizational tracking systems.
Keywords: access control, ciphertext-policy attribute-based encryption (cp-abe), cross-organizational, electronic pedigree, fine-grained, internet of things (iot), tracking system (ID#: 15-6918)


Khalid Bijon, Ram Krishnan, Ravi Sandhu; “Mitigating Multi-Tenancy Risks in IaaS Cloud Through Constraints-Driven Virtual Resource Scheduling,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 63–74. doi:10.1145/2752952.2752964
Abstract: A major concern in the adoption of cloud infrastructure-as-a-service (IaaS) arises from multi-tenancy, where multiple tenants share the underlying physical infrastructure operated by a cloud service provider. A tenant could be an enterprise in the context of a public cloud or a department within an enterprise in the context of a private cloud. Enabled by virtualization technology, the service provider is able to minimize cost by providing virtualized hardware resources such as virtual machines, virtual storage and virtual networks, as a service to multiple tenants where, for instance, a tenant’s virtual machine may be hosted in the same physical server as that of many other tenants. It is well-known that separation of execution environment provided by the hypervisors that enable virtualization technology has many limitations. In addition to inadvertent misconfigurations, a number of attacks have been demonstrated that allow unauthorized information flow between virtual machines hosted by a hypervisor on a given physical server. In this paper, we present attribute-based constraints specification and enforcement as a mechanism to mitigate such multi-tenancy risks that arise in cloud IaaS. We represent relevant properties of virtual resources (e.g., virtual machines, virtual networks, etc.) as their attributes. Conflicting attribute values are specified by the tenant or by the cloud IaaS system as appropriate. The goal is to schedule virtual resources on physical resources in a conflict-free manner. The general problem is shown to be NP-complete. We explore practical conflict specifications that can be efficiently enforced. We have implemented a prototype for virtual machine scheduling in OpenStack, a widely-used open-source cloud IaaS software, and evaluated its performance overhead, resource requirements to satisfy conflicts, and resource utilization.
Keywords: cloud iaas, constraint, multi-tenancy, virtual-resource scheduling, vm co-residency management, vm migration (ID#: 15-6919)


David Lorenzi, Pratik Chattopadhyay, Emre Uzun, Jaideep Vaidya, Shamik Sural, Vijayalakshmi Atluri; “Generating Secure Images for CAPTCHAs Through Noise Addition,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 169–172. doi:10.1145/2752952.2753065
Abstract: As online automation, image processing and computer vision become increasingly powerful and sophisticated, methods to secure online assets from automated attacks (bots) are required. As traditional text based CAPTCHAs become more vulnerable to attacks, new methods for ensuring a user is human must be devised. To provide a solution to this problem, we aim to reduce some of the security shortcomings in an alternative style of CAPTCHA — more specifically, the image CAPTCHA. Introducing noise helps image CAPTCHAs thwart attacks from Reverse Image Search (RIS) engines and Computer Vision (CV) attacks while still retaining enough usability to allow humans to pass challenges. We present a secure image generation method based on noise addition that can be used for image CAPTCHAs, along with 4 different styles of image CAPTCHAs to demonstrate a fully functional image CAPTCHA challenge system.
Keywords: (not provided) (ID#: 15-6920)


Jason Crampton, Gregory Gutin, Daniel Karapetyan; “Valued Workflow Satisfiability Problem,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 3–13. doi:10.1145/2752952.2752961
Abstract: A workflow is a collection of steps that must be executed in some specific order to achieve an objective. A computerised workflow management system may enforce authorisation policies and constraints, thereby restricting which users can perform particular steps in a workflow. The existence of policies and constraints may mean that a workflow is unsatisfiable, in the sense that it is impossible to find an authorised user for each step in the workflow and satisfy all constraints. In this paper, we consider the problem of finding the “least bad” assignment of users to workflow steps by assigning a weight to each policy and constraint violation. To this end, we introduce a framework for associating costs with the violation of workflow policies and constraints and define the valued workflow satisfiability problem (Valued WSP), whose solution is an assignment of steps to users of minimum cost. We establish the computational complexity of Valued WSP with user-independent constraints and show that it is fixed-parameter tractable. We then describe an algorithm for solving Valued WSP with user-independent constraints and evaluate its performance, comparing it to that of an off-the-shelf mixed integer programming package.
Keywords: parameterized complexity, valued workflow satisfiability problem, workflow satisfiability (ID#: 15-6921)


Federica Paci, Nicola Zannone; “Preventing Information Inference in Access Control,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 87–97. doi:10.1145/2752952.2752971
Abstract: Technological innovations like social networks, personal devices and cloud computing, allow users to share and store online a huge amount of personal data. Sharing personal data online raises significant privacy concerns for users, who feel that they do not have full control over their data. A solution often proposed to alleviate users’ privacy concerns is to let them specify access control policies that reflect their privacy constraints. However, existing approaches to access control often produce policies which either are too restrictive or allow the leakage of sensitive information. In this paper, we present a novel access control model that reduces the risk of information leakage. The model relies on a data model which encodes the domain knowledge along with the semantic relations between data. We illustrate how the access control model and the reasoning over the data model can be automatically translated in XACML. We evaluate and compare our model with existing access control models with respect to its effectiveness in preventing leakage of sensitive information and efficiency in authoring policies. The evaluation shows that the proposed model allows the definition of effective access control policies that mitigate the risks of inference of sensitive data while reducing users’ effort in policy authoring compared to existing models.
Keywords: comparison study, inference control, information leakage, semantic approach, xacml (ID#: 15-6922)


Jafar Haadi Jafarian, Hassan Takabi, Hakim Touati, Ehsan Hesamifard, Mohamed Shehab; “Towards a General Framework for Optimal Role Mining: A Constraint Satisfaction Approach,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 211–220. doi:10.1145/2752952.2752975
Abstract: Role Based Access Control (RBAC) is the most widely used advanced access control model deployed in a variety of organizations. To deploy an RBAC system, one needs to first identify a complete set of roles, including permission role assignments and role user assignments. This process, known as role engineering, has been identified as one of the costliest tasks in migrating to RBAC. Since many organizations already have some form of user permission assignments defined, it makes sense to identify roles from this existing information. This process, known as role mining, has gained significant interest in recent years and numerous role mining techniques have been developed that take into account the characteristics of the core RBAC model, as well as its various extended features and each is based on a specific optimization metric. In this paper, we propose a generic approach which transforms the role mining problem into a constraint satisfaction problem. The transformation allows us to discover the optimal RBAC state based on customized optimization metrics. We also extend the RBAC model to include more context-aware and application specific constraints. These extensions broaden the applicability of the model beyond the classic role mining to include features such as permission usage, hierarchical role mining, hybrid role engineering approaches, and temporal RBAC models. We also perform experiments to show applicability and effectiveness of the proposed approach.
Keywords: access control, constraint satisfaction problem, rbac, role mining, smt solver (ID#: 15-6923)


Masoud Narouei, Hassan Takabi; “Towards an Automatic Top-down Role Engineering Approach Using Natural Language Processing Techniques,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 157–160. doi:10.1145/2752952.2752958
Abstract: Role Based Access Control (RBAC) is the most widely used model for access control due to the ease of administration as well as the economic benefits it provides. In order to deploy an RBAC system, one needs to first identify a complete set of roles. This process, known as role engineering, has been identified as one of the costliest tasks in migrating to RBAC. In this paper, we propose a top-down role engineering approach and take the first steps towards using natural language processing techniques to extract policies from unrestricted natural language documents. Most organizations have high-level requirement specifications that include a set of access control policies which describe allowable operations for the system. However, it is very time-consuming, labor-intensive, and error-prone to manually sift through these natural language documents to identify and extract access control policies. Our goal is to automate this process to reduce manual effort and human error. We apply natural language processing techniques, more specifically semantic role labeling, to automatically extract access control policies from unrestricted natural language documents, define roles, and build an RBAC model. Our preliminary results are promising: by applying semantic role labeling to automatically identify predicate-argument structure, and a set of predefined rules on the extracted arguments, we were able to correctly identify access control policies with a precision of 75%, recall of 88%, and F1 score of 80%.
Keywords: natural language processing, privacy policy, role based access control, role engineering, semantic role labeling (ID#: 15-6924)


Rainer Fischer; “A Prototype to Reduce the Amount of Accessible Information,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 147–149. doi:10.1145/2752952.2752953
Abstract: Authorized insiders downloading mass data via their user interface are still a problem. In this paper a prototype to prevent mass data extraction is proposed. Access control models efficiently protect security objects but fail to define subsets of data which are narrow enough to be harmless if downloaded. Instead of controlling access to security objects, the prototype limits the amount of accessible information. A heuristic approach to measure the amount of information is used. The paper describes the implementation of the prototype, which is an extension of an SAP system as an example of a large enterprise information system.
Keywords: access control, data leakage protection, sap security, security policy (ID#: 15-6925)


Alessandro Armando, Silvio Ranise, Riccardo Traverso, Konrad Wrona; “A SMT-based Tool for the Analysis and Enforcement of NATO Content-based Protection and Release Policies,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 151–155. doi:10.1145/2752952.2752954
Abstract: NATO is developing a new IT infrastructure for automated information sharing between different information security domains and supporting dynamic and flexible enforcement of the need-to-know principle. In this context, the Content-based Protection and Release (CPR) model has been introduced to support the specification and enforcement of NATO access control policies. While the ability to define fine-grained security policies for a large variety of users, resources, and devices is desirable, their definition, maintenance, and enforcement can be difficult, time-consuming, and error-prone. In this paper, we give an overview of a tool capable of assisting NATO security personnel in these tasks by automatically solving several policy analysis problems of practical interest. The tool leverages state-of-the-art SMT solvers.
Keywords: attribute-based access control, nato information sharing infrastructure, xacml (ID#: 15-6926)


Nima Mousavi, Mahesh Tripunitara; “Hard Instances for Verification Problems in Access Control,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 161–164. doi:10.1145/2752952.2752959
Abstract: We address the generation and analysis of hard instances for verification problems in access control that are NP-hard. Given the customary assumption that P ≠ NP, we know that such classes exist. We focus on a particular problem, the user-authorization query problem (UAQ) in Role-Based Access Control (RBAC). We show how to systematically generate hard instances for it. We then analyze what we call the structure of those hard instances. Our work brings the important aspect of systematic investigation of hard input classes to access control research.
Keywords: hard instances, intractability, role-based access control, user authorization query (ID#: 15-6927)


Jason Crampton, Charles Morisset, Nicola Zannone; “On Missing Attributes in Access Control: Non-deterministic and Probabilistic Attribute Retrieval,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 99–109. doi:10.1145/2752952.2752970
Abstract: Attribute Based Access Control (ABAC) is becoming the reference model for the specification and evaluation of access control policies. In ABAC, policies and access requests are defined in terms of attribute name/value pairs. The applicability of an ABAC policy to a request is determined by matching the attributes in the request with the attributes in the policy. Some languages supporting ABAC, such as PTaCL or XACML 3.0, take into account the possibility that some attribute values might not be correctly retrieved when the request is evaluated, and use complex decisions, usually describing all possible evaluation outcomes, to account for missing attributes. In this paper, we argue that the problem of missing attributes in ABAC can be seen as a non-deterministic attribute retrieval process, and we show that the current evaluation mechanism in PTaCL or XACML can return a complex decision that does not necessarily match the actual possible outcomes. This is problematic for the enforcement mechanism, which needs to resolve the complex decision into a conclusive one. We propose a new evaluation mechanism, explicitly based on non-deterministic attribute retrieval for a given request. We extend this mechanism to probabilistic attribute retrieval and implement a probabilistic policy evaluation mechanism for PTaCL in PRISM, a probabilistic model-checker.
Keywords: missing attribute, policy evaluation, probabilistic model-checking, ptacl (ID#: 15-6928)


Marcos Cramer, Jun Pang, Yang Zhang; “A Logical Approach to Restricting Access in Online Social Networks,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 75–86. doi:10.1145/2752952.2752967
Abstract: Nowadays, in popular online social networks users can blacklist some of their friends in order to prevent them from accessing resources that other, non-blacklisted friends may access. We identify three independent binary decisions for utilizing users’ blacklists in access control policies, resulting in eight access restrictions. We formally define these restrictions in a hybrid logic for relationship-based access control, and provide syntactic transformations to rewrite a hybrid logic access control formula when fixing an access restriction. This enables a flexible and user-friendly approach for restricting access in social networks. We develop efficient algorithms for enforcing a subset of access control policies with restrictions. The effectiveness of the access restrictions and the efficiency of our algorithms are evaluated on a Facebook dataset.
Keywords: access control, blacklist, hybrid logic, online social networks (ID#: 15-6929)


Feng Wang, Mathias Kohler, Andreas Schaad; “Initial Encryption of Large Searchable Data Sets Using Hadoop,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 165–168. doi:10.1145/2752952.2752960
Abstract: With the introduction and widespread use of externally hosted infrastructures, secure storage of sensitive data becomes more and more important. There are systems available to store and query encrypted data in a database, but not all applications may start with empty tables rather than having sets of legacy data. Hence, there is a need to transform existing plaintext databases to encrypted form. Usually, existing enterprise databases may contain terabytes of data. A single machine would require many months for the initial encryption of a large data set. We propose encrypting data in parallel using a Hadoop cluster, which is a simple five-step process including the Hadoop setup, target preparation, source data import, encrypting the data, and finally exporting it to the target. We evaluated our solution on real-world data and report on performance and data consumption. The results show that encrypting data in parallel can be done in a very scalable manner. Using a parallelized encryption cluster compared to a single server machine reduces the encryption time from months down to days or even hours.
Keywords: database, hadoop, performance, searchable encryption (ID#: 15-6930)


Bart Preneel; “Post-Snowden Threat Models,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 1–1. doi:10.1145/2752952.2752978
Abstract: In June 2013 Edward Snowden leaked a large collection of documents that describe the capabilities and technologies of the NSA and its allies. Even to security experts the scale, nature and impact of some of the techniques revealed were surprising. A major consequence is the increased awareness of the public at large of the existence of highly intrusive mass surveillance techniques. There has also been some impact in the business world, including a growing interest in companies that (claim to) develop end-to-end secure solutions. There is no doubt that large nation states and organized crime have carefully studied the techniques and are exploring which ones they can use for their own benefit. But after two years, there is little progress in legal or governance measures to address some of the excesses by increasing accountability. Moreover, the security research community seems to have been slow to respond to the new threat landscape. In this lecture we analyze these threats and speculate how they could be countered.
Keywords: information security, mass surveillance, system security, threat models (ID#: 15-6931)


Anna Cinzia Squicciarini, Ting Yu; “Privacy and Access Control: How are These Two Concepts Related?,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 197–198. doi:10.1145/2752952.2752980
Abstract: (not provided). Panel description and references available at URL:
Keywords: access control, privacy, security (ID#: 15-6932)


Jonathan Shahen, Jianwei Niu, Mahesh Tripunitara; “Mohawk+T: Efficient Analysis of Administrative Temporal Role-Based Access Control (ATRBAC) Policies,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 15–26. doi:10.1145/2752952.2752966
Abstract: Safety analysis is recognized as a fundamental problem in access control. It has been studied for various access control schemes in the literature. Recent work has proposed an administrative model for Temporal Role-Based Access Control (TRBAC) policies called Administrative TRBAC (ATRBAC). We address ATRBAC-safety. We first identify that the problem is PSPACE-Complete. This is a much tighter identification of the computational complexity of the problem than prior work, which shows only that the problem is decidable. With this result as the basis, we propose an approach that leverages an existing open-source software tool called Mohawk to address ATRBAC-safety. Our approach is to efficiently reduce ATRBAC-safety to ARBAC-safety, and then use Mohawk. We have conducted a thorough empirical assessment. In the course of our assessment, we came up with a “reduction toolkit,” which allows us to reduce Mohawk+T input instances to instances that existing tools support. Our results suggest that there are some input classes for which Mohawk+T outperforms existing tools, and others for which existing tools outperform Mohawk+T. The source code for Mohawk+T is available for public download.
Keywords: administration, role-based access control, safety analysis, temporal (ID#: 15-6933)


Marcos Cramer, Diego Agustín Ambrossio, Pieter Van Hertum; “A Logic of Trust for Reasoning about Delegation and Revocation,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 173–184. doi:10.1145/2752952.2752968
Abstract: In ownership-based access control frameworks with the possibility of delegating permissions and administrative rights, chains of delegated accesses will form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. Hagström et al. [8] proposed a framework for classifying revocation schemes, in which the different revocation schemes are defined graph-theoretically; they motivate the revocation schemes in this framework by presenting various scenarios in which the agents have different reasons for revoking. This paper is based on the observation that there are some problems with Hagström et al.’s definitions of the revocation schemes, which have led us to propose a refined framework with new graph-theoretic definitions of the revocation schemes. In order to formally study the merits and demerits of various definitions of revocation schemes, we propose to apply the axiomatic method originating in social choice theory to revocation schemes. For formulating an axiom, i.e. a desirable property of revocation frameworks, we propose a logic, Trust Delegation Logic (TDL), with which one can formalize the different reasons an agent may have for performing a revocation. We show that our refined graph-theoretic definitions of the revocation schemes, unlike Hagström et al.’s original definitions, satisfy the desirable property that can be formulated using TDL.
Keywords: access control, delegation, logic, revocation, trust (ID#: 15-6934)


Trent Jaeger; “Challenges in Making Access Control Sensitive to the ‘Right’ Contexts,” in SACMAT ’15 Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Pages 111–111. doi:10.1145/2752952.2752979
Abstract: Access control is a fundamental security mechanism that both protects processes from attacks and confines compromised processes that may try to propagate an attack. Nonetheless, we still see an ever-increasing number of software vulnerabilities. Researchers have long proposed that improvements in access control could prevent many vulnerabilities, many of which capture contextual information to more accurately detect obviously unsafe operations. However, developers are often hesitant to extend their access control mechanisms to use more sensitive access control policies. My experience leads me to propose that it is imperative that an access control system be able to extract context accurately and efficiently and be capable of inferring any non-trivial policies. In this talk, I will discuss some recent research that enforces context-sensitive policies by either extracting process context, integrating code to extract context from programs, or extracting user context. We find that context-sensitive mechanisms can prevent some obviously unsafe operations from being authorized efficiently and discuss our experiences in inferring access control policies. Based on this research, we are encouraged that future research may enable context-sensitive access control policies to be produced and enforced to prevent vulnerabilities.
Keywords: capabilities, context-sensitive, program analysis (ID#: 15-6935)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.