This paper identifies the main security requirements for Web services and describes how such requirements are addressed by standards for Web services security recently developed, or under development, by various standardization bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide. Standards that are covered include most of the standards encompassed by the WSS roadmap [2]; the Security Assertion Markup Language (SAML); WS-Policy; XACML, which is related to access control and has recently been extended with a profile for Web services access control; XKMS and WS-Trust; and WS-Federation, Liberty Alliance and Shibboleth, which address the important problem of identity management in federated organizations. Finally, issues related to the use of the standards are discussed, and open research issues in the area of access control for Web services and innovative digital identity management techniques are outlined.
The work by Harrison, Ruzzo and Ullman (the HRU paper) on safety in the context of the access matrix model is widely considered to be foundational work in access control. In this paper, we address two errors we have discovered in the HRU paper. To our knowledge, these errors have not been previously reported in the literature. The first error regards a proof that shows that safety analysis for mono-operational HRU systems is in NP. The error stems from a faulty assumption that such systems are monotonic for the purpose of safety analysis. We present a corrected proof in this paper. The second error regards a mapping from one version of the safety problem to another that is presented in the HRU paper. We demonstrate that the mapping is not a reduction, and present a reduction that enables us to infer that the second version of safety introduced in the HRU paper is also undecidable for the HRU scheme. These errors lead us to ask whether the notion of safety as defined in the HRU paper is meaningful. We introduce other notions of safety that we argue have more intuitive appeal, and present the corresponding safety analysis results for the HRU scheme.
We introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that, upon removal of any s users, there should still exist d disjoint sets of users such that the users in each set together possess certain permissions of interest. Such a policy ensures that even when emergency situations cause some users to be absent, there still exist independent teams of users that have the permissions necessary for carrying out critical tasks. The Resiliency Checking Problem determines whether an access control state satisfies a given resiliency policy. We show that the general case of the problem and several subcases are intractable (NP-hard), and identify two subcases that are solvable in linear time. For the intractable cases, we also identify the complexity class in the polynomial hierarchy to which these problems belong. We discuss the design and evaluation of an algorithm that can efficiently solve instances of nontrivial sizes that belong to the intractable cases of the problem. Finally, we study the consistency problem between resiliency policies and static separation of duty policies.
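The resiliency policy described above, written out as a brute-force checker so the definition is concrete. This is an added example, not code from the paper: the user-to-permission state, the required permission set and the hypothetical policy parameters are constructed here, and the search is exponential (the abstract notes the general problem is NP-hard), so it is only meant for small states.

```python
from itertools import combinations

# Constructed example state (not from the paper): which users hold which permissions.
USER_PERMS = {
    "alice": {"approve", "deploy"},
    "bob":   {"deploy", "rollback"},
    "carol": {"approve", "rollback"},
    "dave":  {"approve", "deploy", "rollback"},
    "erin":  {"deploy"},
}
# Permissions a team must collectively hold to carry out the critical task.
REQUIRED = {"approve", "deploy", "rollback"}


def covering_teams(users, user_perms, required):
    """Minimal sets of users whose combined permissions cover `required`.

    Enumerating by increasing size and skipping supersets of teams already
    found yields exactly the minimal covering sets. Minimal teams suffice,
    because shrinking a team never destroys disjointness from other teams.
    """
    teams = []
    for size in range(1, len(users) + 1):
        for team in combinations(users, size):
            if any(set(t) <= set(team) for t in teams):
                continue  # a proper subset already covers: not minimal
            held = set().union(*(user_perms[u] for u in team))
            if required <= held:
                teams.append(team)
    return teams


def has_disjoint_teams(teams, d, used=frozenset()):
    """Backtracking search for d pairwise-disjoint teams among `teams`."""
    if d == 0:
        return True
    for i, team in enumerate(teams):
        if used.isdisjoint(team) and has_disjoint_teams(
                teams[i + 1:], d - 1, used | frozenset(team)):
            return True
    return False


def breaking_absence(user_perms, required, s, d):
    """Resiliency Checking Problem by brute force.

    Returns None if the state satisfies the policy "after removing any s
    users, d disjoint teams covering `required` still exist"; otherwise
    returns one set of s users whose absence breaks the policy.
    """
    users = sorted(user_perms)
    required = frozenset(required)
    for absent in combinations(users, s):
        remaining = [u for u in users if u not in absent]
        teams = covering_teams(remaining, user_perms, required)
        if not has_disjoint_teams(teams, d):
            return frozenset(absent)
    return None


if __name__ == "__main__":
    for s, d in [(1, 2), (0, 3), (1, 3), (2, 2)]:
        witness = breaking_absence(USER_PERMS, REQUIRED, s, d)
        verdict = "satisfied" if witness is None else f"broken by absence of {sorted(witness)}"
        print(f"res<s={s}, d={d}>: {verdict}")
```

With the constructed state, losing any one user still leaves two independent teams, but losing alice and carol together leaves only dave able to complete the task, which is the kind of witness a checker should hand back rather than a bare "unsatisfied".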
Web content filtering is a means to make an end user aware of the
Databases are increasingly being used to store information covered by heterogeneous policies, which require support for access control with great flexibility. It has been well recognized that traditional database-level or table-level access control is insufficient to meet this requirement. This has led to increased interest in fine-grained access control, which may be extended down to the level where different cells in a relation are governed by different access control rules. Though several works have addressed fine-grained access control, there is no formal notion of correctness with regard to the results of queries to such databases. In this paper, we describe a formal notion of correctness in fine-grained database access control, and discuss why existing approaches fall short in at least some circumstances. We then propose a query evaluation algorithm which better supports fine-grained access control.
This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.
Privacy and security in the context of streaming systems have largely been overlooked. We tackle this important problem in this paper. Our work focuses on context-aware security and user-centric privacy preservation in data stream management systems (DSMS) by exploiting security constraints (called security punctuations) that are dynamically embedded into data streams. The novelty of our proposed approach is that access control policies are not persistently stored in the DSMS but rather streamed together with the data. We present novel query operators, termed Security Shield (SS) and Security-Compliant Join (SCJoin), that are designed to make queries comply with the security policies of the streaming data while still guaranteeing near real-time response. As a proof of feasibility, we have implemented the security punctuation framework within a real DSMS. Our experimental results show that our proposed solution incurs low overhead.
Access control is a key security service at the foundation of information and system security. It has been extended with temporal constraints to support real-time considerations. Conformance testing of an access control implementation is crucial to ensure that it correctly enforces any required temporal and non-temporal policies for access control. We propose an approach for conformance testing of implementations required to enforce access control policies specified using Temporal Role Based Access Control (TRBAC) model. The proposed approach uses Timed Input Output Automata (TIOA) to model the behavior specified by a TRBAC policy. The TIOA model is then transformed to a deterministic se-FSA model that captures any temporal constraint by using two special events Set and Exp. Finally we adapt the W-method and use an integer programming based approach to construct a conformance test suite from the transformed model. The conformance test suite so generated provides complete fault coverage with respect to the proposed fault model for TRBAC specifications.
The problem of identity theft, that is, the act of impersonating others
An emerging approach to the problem of reducing identity theft is the adoption of biometric authentication systems. Such systems, however, present several challenges related to the privacy, reliability and security of the biometric data. Interoperability is also required among the devices used for the authentication. Moreover, biometric authentication in itself is very often not sufficient as a conclusive proof of identity and has to be complemented with other proofs of identity, such as passwords, SSNs, or other user identifiers. Multi-factor authentication mechanisms are thus required to enforce strong authentication based on biometrics together with identifiers of other kinds. In this paper we provide a two-phase authentication mechanism for federated identity management systems. The first phase consists of a two-factor biometric authentication based on zero-knowledge proofs. We employ techniques from the vector-space model to generate cryptographic biometric keys. These keys are kept secret, thus preserving the confidentiality of the biometric data while still exploiting the advantages of biometric authentication. The second phase combines several authentication factors in conjunction with the biometric to provide strong authentication. A key advantage of our approach is that any unanticipated combination of factors can be used. Such an authentication system leverages the user information available from the federated identity management system.
WorkFlow Management Systems (WFMS) coordinate and streamline business processes. Acquiring workflow authorisations and managing workflow authorisation constraints is a challenging problem. Current WFMSs assume a centralised global workflow authorisation model. In this paper, we propose a distributed workflow authorisation model with no central authorisation manager for a mediator-free environment. We provide an on-demand task discovery protocol that enables domains to discover tasks available in other domains. We formulate the workflow authorisation problem as a constraint satisfaction problem to select access paths that satisfy all the workflow authorisation constraints. We propose the Workflow Minimal Authorisation Problem (WMAP), which selects the minimal authorisations required to execute the workflow tasks. In addition, we investigate access path overlaps to allow tasks in the same session to share authorisations, and we present the Workflow Minimal Authorisation Problem with path Overlaps (WMAPO). Finally, we formulate integer programmes to solve both the WMAP and the WMAPO.
An important issue any organization or individual has to face when managing data containing sensitive information is the risk incurred when releasing such data. Even though data may be sanitized before being released, it is still possible for an adversary to reconstruct the original data using additional information, thus resulting in privacy violations. To date, however, a systematic approach to quantifying such risks is not available. In this paper we develop a framework, based on statistical decision theory, that assesses the relationship between the disclosed data and the resulting privacy risk. We model the problem of deciding which data to disclose in terms of deciding which disclosure rule to apply to a database. We assess the privacy risk by taking into account both entity identification and the sensitivity of the disclosed information. Furthermore, we prove that, under some conditions, the estimated privacy risk is an upper bound on the true privacy risk. Finally, we relate our framework to the k-anonymity disclosure method. The proposed framework makes the assumptions behind k-anonymity explicit, quantifies them, and extends them in several natural directions.
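A small worked illustration of the two ingredients the abstract names, entity identification and sensitivity, compared across two disclosure rules. This is an added example, not the paper's framework or its risk estimator: the microdata, the sensitivity weights and the identification model (an adversary who knows a target's quasi-identifiers and picks uniformly within the matching equivalence class, so P(identify) = 1/|class|) are all assumptions made here to show how a k-anonymity level and an expected loss can be read off the same release.

```python
from collections import defaultdict

# Constructed sample microdata (not from the paper).
RECORDS = [
    {"age": 32, "zip": "47906", "disease": "flu"},
    {"age": 35, "zip": "47907", "disease": "hiv"},
    {"age": 38, "zip": "47906", "disease": "flu"},
    {"age": 41, "zip": "47901", "disease": "cancer"},
    {"age": 45, "zip": "47902", "disease": "flu"},
    {"age": 47, "zip": "47901", "disease": "hiv"},
]
QUASI_IDS = ("age", "zip")
# Assumed loss if a given sensitive value is linked to the right person.
SENSITIVITY = {"flu": 1.0, "cancer": 5.0, "hiv": 10.0}


def release_raw(record):
    """Disclosure rule 1: publish the record as is."""
    return dict(record)


def release_generalized(record):
    """Disclosure rule 2: coarsen the quasi-identifiers to a 10-year age
    band and a 3-digit ZIP prefix before publishing."""
    out = dict(record)
    low = record["age"] // 10 * 10
    out["age"] = f"{low}-{low + 9}"
    out["zip"] = record["zip"][:3] + "**"
    return out


def equivalence_classes(released, quasi_ids):
    """Group released records by their quasi-identifier values."""
    classes = defaultdict(list)
    for r in released:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def assess(records, rule, quasi_ids=QUASI_IDS, sensitivity=SENSITIVITY):
    """Apply a disclosure rule and return (k, expected_loss).

    k is the k-anonymity level of the release (smallest equivalence class).
    expected_loss sums P(identify) * sensitivity over all records, with
    P(identify) = 1/|class| under the assumed uniform-guessing adversary.
    """
    released = [rule(r) for r in records]
    classes = equivalence_classes(released, quasi_ids)
    k = min(len(members) for members in classes.values())
    loss = 0.0
    for members in classes.values():
        p_identify = 1.0 / len(members)
        loss += sum(p_identify * sensitivity[m["disease"]] for m in members)
    return k, loss


if __name__ == "__main__":
    for name, rule in [("raw", release_raw), ("generalized", release_generalized)]:
        k, loss = assess(RECORDS, rule)
        print(f"{name:12s} k={k}  expected loss={loss:.2f}")
```

On the constructed table the raw release is 1-anonymous with an expected loss of 28, while the generalized release is 3-anonymous with the same sensitive values disclosed, so the loss drops to 28/3. The point of the decision-theoretic view is visible here: the same k can hide very different losses depending on which sensitive values sit in the small classes, which a bare k-anonymity threshold does not express.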
A role hierarchy defines semantics related to permission acquisition and role activation through role-role relationships. It can be utilized for efficiently and effectively structuring the functional roles of an organization that have related access control needs. Temporal constraints on role enablings and role activations can have various implications for such a role hierarchy. The focus of this paper is the analysis of hybrid role hierarchies in the context of the Generalized Temporal Role Based Access Control (GTRBAC) model, which allows the specification of a comprehensive set of temporal constraints on roles, user-role assignments and role-permission assignments. We introduce the notion of the uniquely activable set (UAS) associated with a role hierarchy, which indicates the access capabilities of a user resulting from membership in a role in the hierarchy. Identifying such a role set is essential when making an authorization decision about whether or not a user should be allowed to activate a particular combination of roles in a single session. Furthermore, when separation-of-duty (SoD) constraints are present in the system, it is also essential to ensure that no combination of roles that violates an SoD constraint can be activated in a single user session. In other words, knowledge about the UAS can be used to facilitate enforcement of the principle of least privilege. Because of the separation of permission inheritance and role activation semantics in GTRBAC, a hybrid hierarchy that allows different hierarchy types to coexist can give rise to complex semantics, and identifying which role combinations can be allowed to be activated in a session for a user may not be straightforward. We formally show how the UAS can be determined for a hybrid hierarchy. Furthermore, within a hybrid hierarchy, various hierarchical relations may be derived between an arbitrary pair of roles.
We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations, and show that this set of inference rules is sound and complete. Another key issue we address in this paper is the evolution of role hierarchies through hierarchical transformations. We present an analysis of hierarchy transformations with respect to role addition, deletion and partitioning, and show how the various cases of these transformations allow the original permission acquisition and role activation semantics to be managed. The formal results presented here provide a basis for developing e
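To make the separation of permission inheritance from role activation tangible, here is an added example (not the paper's model or its UAS algorithm) that computes, for a constructed hybrid hierarchy, what a user can activate, what each activation yields, and which SoD-compliant combinations produce distinct permission sets. The semantics assumed for the three edge kinds are deliberately simplified: an "I" edge carries permissions upward but grants no right to activate the junior role, an "A" edge grants activation of the junior but carries no permissions by itself, and "IA" does both; the inference rules for derived relations in the paper are not reproduced here.

```python
from itertools import combinations

# Constructed hybrid role hierarchy (not the paper's example). Each edge is
# (senior, junior, kind) with the simplified semantics assumed here:
#   "I"  : senior inherits junior's permissions, but cannot activate junior
#   "A"  : a user who may activate senior may also activate junior; no inheritance
#   "IA" : both permission inheritance and activation inheritance
HIERARCHY = [
    ("Manager", "Engineer", "IA"),
    ("Engineer", "Developer", "I"),
    ("Engineer", "Tester", "A"),
    ("Auditor", "Tester", "I"),
]
# Permissions assigned directly to each role.
PERMS = {
    "Manager":   {"approve_budget"},
    "Engineer":  {"merge"},
    "Developer": {"commit"},
    "Tester":    {"run_tests"},
    "Auditor":   {"read_audit_log"},
}
# Separation-of-duty constraints: role pairs that must never be active
# together in one session.
SOD = [frozenset({"Developer", "Auditor"}), frozenset({"Engineer", "Auditor"})]


def _reachable(start, kinds, hierarchy):
    """Roles reachable from `start` along edges whose kind is in `kinds`."""
    seen, stack = set(), list(start)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(j for s, j, k in hierarchy if s == role and k in kinds)
    return seen


def permissions(role, hierarchy=HIERARCHY, perms=PERMS):
    """Permissions acquired by activating `role`: its own plus those inherited
    along I and IA edges (A edges carry no permissions)."""
    return set().union(*(perms[r] for r in _reachable({role}, {"I", "IA"}, hierarchy)))


def activable_roles(assigned, hierarchy=HIERARCHY):
    """Roles a user assigned to `assigned` may activate: closure over A and IA edges."""
    return _reachable(set(assigned), {"A", "IA"}, hierarchy)


def uniquely_activable_sets(assigned, hierarchy=HIERARCHY, perms=PERMS, sod=SOD):
    """Approximation of a UAS under the assumed semantics: for every distinct
    permission set the user can obtain in one session, the smallest SoD-compliant
    combination of activable roles that yields it. Returns a dict mapping
    frozenset(permissions) -> frozenset(roles). Exponential in the number of
    activable roles, so only suitable for small hierarchies."""
    roles = sorted(activable_roles(assigned, hierarchy))
    result = {}
    for size in range(1, len(roles) + 1):
        for combo in combinations(roles, size):
            if any(pair <= set(combo) for pair in sod):
                continue  # activating these together would violate SoD
            acquired = frozenset().union(*(permissions(r, hierarchy, perms) for r in combo))
            result.setdefault(acquired, frozenset(combo))  # sizes ascend, so first is smallest
    return result


if __name__ == "__main__":
    for assigned in (["Manager"], ["Engineer", "Auditor"]):
        print(f"user assigned to {assigned}: can activate {sorted(activable_roles(assigned))}")
        for acquired, combo in uniquely_activable_sets(assigned).items():
            print(f"  activate {sorted(combo)} -> {sorted(acquired)}")
```

Two things the output shows that the prose only states. A user assigned to Manager can activate Tester (through IA then A) but not Developer (the Engineer-Developer edge is I only), while still holding Developer's permission through inheritance; and the least-privilege value of the UAS is that activating Engineer alone yields strictly fewer permissions than activating Manager, so a session that only needs to merge can be given that smaller set. The second user shows SoD filtering: Engineer and Auditor are both activable, but no returned combination contains both.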