access control enforcement access control enforcement for
play

Access Control Enforcement Access Control Enforcement for - PowerPoint PPT Presentation

Jul 02, 2023 •98 likes •375 views

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

  1. The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue University, USA Federica Paci Elisa Bertino Univ. Milano, Italy Purdue University, USA * while a visiting researcher (fall 2005) in the Department of Computer Science and CERIAS, Purdue University, USA

  2. Overview Overview The Cyber Center The Cyber Center • The conversational model of Web services • Security concerns • Access control based on conversations – K-trustworthiness • The technique • The architecture • Conclusions WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  3. Web Services Services Web The Cyber Center The Cyber Center • A Web service is characterized by the set of (atomic) operations that requestQuote (1) it exports … (2) orderGoods Service Client • … and possibly by constraints on the possible conversations confirmOrder (3) – Using a service typically involves (4) makePayment performing sequences of operations in a particular order (conversations) [requestQuote] – During a conversation, the client typically chooses the next QuoteRequested operation to invoke on the basis [orderGoods] of previous results, among the ones that the service allows at GoodsOrdered that point [confirmOrder(TRUE)] [confirmOrder(FALSE)] OrderConfirmed [makePayment] WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  4. Web Services Services Web The Cyber Center The Cyber Center • A service is characterized by the requestQuote set of (atomic) operations that it (1) exports … (2) orderGoods Service Client • … and possibly by constraints on confirmOrder the possible conversations (3) – Using a service typically involves (4) makePayment performing sequences of operations in a particular order (conversations) [requestQuote] – During a conversation, the client Transition typically chooses the next system QuoteRequested operation to invoke on the basis [orderGoods] of previous results, among the ones that the service allows at GoodsOrdered that point [confirmOrder(TRUE)] [confirmOrder(FALSE)] OrderConfirmed [makePayment] WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  5. Transition Systems Systems Transition The Cyber Center The Cyber Center • A transition system (TS) collect B is a tuple collect L T = < A, S, S 0 , δ , F > Ven where: 2p 1p – A is the set of actions 2pInserted – S is the set of states big 1pInserted – S 0 � S is the set of initial states Choice B little – δ � S � A � S is the Choice L transition relation – F � S is the set of final - Initial state: the client starts states the interaction - Final state(s): the client can terminate the interaction (it has reached its own goal and the service is not “dangling”) WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  6. The Conversational Conversational The Model Model The Cyber Center The Cyber Center Online Music Store initiate search search Front-end listen listen cart search init cart Back- end buy cart buy search search end Abstract Behavior of the Service: Client Do until Client selects “end” 1. Give Client a choice of actions to be performed 2. Wait for Client choice on-line 3. Perform action chosen by Client Service music Conversations supported by the service as a TS store WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  7. Security Concerns Concerns Security The Cyber Center The Cyber Center • Access Control – Credentials • signed assertions describing properties of a subject that are used to establish trust between two unknown communicating parties before allowing access to information or services – Access control policies • rules stating that only subjects with certain credentials satisfying specific conditions can invoke a given operation of the Web service WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  8. Current Approaches Approaches (1) (1) Current The Cyber Center The Cyber Center • Single operation model – operations are not related to (“independent” from) each other • Access control is enforced – at the level of the entire Web service • the Web service could ask the client, in advance, to provide all the credentials associated with all operations of that Web Service – A subject will always arrive at the end of whichever conversation – The subject will become aware of all policies on the basis of which access control is enforced – The client may have to submit more credentials than needed WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  9. Current Approaches Approaches (2) (2) Current The Cyber Center The Cyber Center – at the level of single operations • to require only the credentials associated with the next operation that the client wants to perform – Asking from the subject only the credentials necessary to gain access to the requested operation – The subject is continuously solicited to provide credentials for each transition – After several steps, the client may reach a state in which it cannot progress because the lack of credentials (and the service provider has wasted resources ) WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  10. Challenges Challenges The Cyber Center The Cyber Center – Access control not only at the level of single operation – Should consider conversations • Willingness of the client to reach a “goal” • Willingness of the service provider not to waste resources • Willingness of the service provider to limit disclosure of access control policies WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  11. The Idea The Idea The Cyber Center The Cyber Center • Considering access control mainly at the level of conversations (sequences of operations leading to a final state of the TS) • The service provider gives a k-trustworthiness level k to a client in a given state • On the basis of such a k, asks the client to provide credentials for the conversations of length less/equal k (starting from the current state and with operations not yet “controlled”) WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  12. The Rationale Rationale (1) (1) The The Cyber Center The Cyber Center • The approach maximizes the likelihood that a client reaches a final state and doesn’t drop off due to lack of authorization – Likelihood and not guarantee as the client is free, and can take different conversations • The approach maximizes also the likelihood that the service provider doesn’t waste resources, even without disclosing the access policies WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  13. Example Example The Cyber Center The Cyber Center S 0 completeTransaction chooseItem S 1 Conversations from S 0 : addToCart ─ chooseItem � addToCart � saveForLater S 2 ─ chooseItem � addToCart � checkOut � completeTransaction checkOut saveForLater Hence the k-levels for S 0 are {3,4} S 3 S 4 k-levels for S 2 are {1,2} WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  14. Interaction Model Interaction Model The Cyber Center The Cyber Center Client Web Service bind() Bind On the basis of invoke(op) Is an Authorized previosuly provided Invoke Operation credentials Operation op (op є conversations of k) ? It may be ┴ return result No No Yes Yes Execute Assign New K-Level Operation requireCredentials() Calculate Required Submit Credentials Evaluate Credentials Evaluate Credentials submitCredentials() Against Policies Against Policies Policies Not Satisfied Access Policies Denied Satisfied WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  15. Basic Concepts Concepts (1) (1) Basic The Cyber Center The Cyber Center • Credential – Attribute (pair <name, value>) • Attribute condition • A credential satisfies an attribute condition if one among its attributes makes true the condition • Operation access control policy – Rule specifying credentials and attribute conditions to grant access to the operation – Can be checked by a reasoning service that verifies if the access request is a logical consequence of the policy and the credentials WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

  16. Basic Concepts Concepts (2) (2) Basic The Cyber Center The Cyber Center • Conversation access control policy – Conjunction of the access control policies of the operations in the conversation • Trustworthiness level – Length of “allowed” conversations • k-trust policies – Given a state with different possible k- levels, defines which one to assign WWW2006 Conference @ Edinburgh (Scotland) – May 25, 2006 Massimo Mecella

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
LISA 09 Federated access control and workflow enforcement in systems configuration Bart

LISA 09 Federated access control and workflow enforcement in systems configuration Bart

LISA 09 Federated access control and workflow enforcement in systems configuration Bart Vanbrabant, Thomas Delaet and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium November 6, 2009 1 / 40 Outline Systems

852 views • 40 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access

A UTOMATIC L ICENSE P LATE R ECOGNITION (ALPR) ON EMBEDDED SYSTEM Presented by Guanghan APPLICATIONS 1. Automatic toll collection 2. Traffic law enforcement 3. Parking lot access control 4. Road traffic monitoring ALPR SYSTEM : SEVERAL STAGES

550 views • 23 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Compliance and Enforcement Updates Richard Swartz Air Pollution Control Program Chief of

Compliance and Enforcement Updates Richard Swartz Air Pollution Control Program Chief of

Compliance and Enforcement Updates Richard Swartz Air Pollution Control Program Chief of Compliance and Enforcement Section REGFORM air seminar March 7, 2019, Columbia, Mo. Overview of Presentation Compliance Assistance Enforcement

288 views • 18 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Le Lecture 14 14 Access Control 2 Recall: Secu curity Service

943 views • 33 slides
Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise Artificial Intelligence Laboratory (AI-Lab) Security &amp; Trust Research Unit DIST, University of Genova FBK-IRST Genova Trento A. Armando (U.

879 views • 77 slides
IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for Neural Computation (INC), University of California San Diego irods.org, dice.unc.edu, diceresearch.org Outline General Comments What Guarding

210 views • 10 slides
Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal

Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal

Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal Holloway University of London jason.crampton@rhul.ac.uk www.isg.rhul.ac.uk/~jason Outline Introduction Separation of duty Role-based

482 views • 14 slides
HI MSS Cyb e rse c urity Co mmunity Spo nso r 1 Se c urity F unda me nta ls b a se d o n the

HI MSS Cyb e rse c urity Co mmunity Spo nso r 1 Se c urity F unda me nta ls b a se d o n the

HI MSS Cyb e rse c urity Co mmunity Spo nso r 1 Se c urity F unda me nta ls b a se d o n the NI ST Cyb e rse c urity F ra me wo rk 01.23.2020 Speaker I ntr oduction Ric k Spatafor e CPHI MS, GI SP, GCI H, HCI SPP Ma na g e r,

542 views • 18 slides
computation may someday be organized as a public utility John McCarthy, 1960 2

computation may someday be organized as a public utility John McCarthy, 1960 2

Security and Cloud Computing computation may someday be organized as a public utility John McCarthy, 1960 2 How did we get here? Security and Cloud Computing 3 What Is Cloud Computing? On-demand self-service Add or

603 views • 27 slides
CS 4803 Before we begin, some design principles Computer and Network Security Alexandra

CS 4803 Before we begin, some design principles Computer and Network Security Alexandra

Access to general objects Memory protection is only one example Need a way to protect more general objects CS 4803 Before we begin, some design principles Computer and Network Security Alexandra (Sasha) Boldyreva More on access

837 views • 7 slides

More recommend