Abstract
Business solutions and security solutions are designed by different authorities at different coordinates of space and time. This engineering approach not only makes the lives of security and business solution developers easy but also provides a proof of concept that the concerned business solution will have all the security features as expected. But it doesn’t provide a proof that the integration process will not lead to conflicts between the security features in the security solution, or between security features and the functional features of the business solution. To provide a conflict-free secured business solution, the developers of both the security solution and the secure business solution need a mechanism to identify all possible cases of conflict, so that they can redesign the corresponding solutions and thus resolve the conflicts, if any. Conflicts arise from the different authorities involved and from configuration and other resource sharing among the solutions under integration. In this chapter, we discuss conflicts during integration of security solutions with business solutions, covering the wide spectrum of social, socio-technical and purely technical perspectives. The recent approaches investigated for automated detection of conflicts are also discussed in brief. The ultimate objective of the chapter is to discover the approaches best suited for detecting conflicts by software developers. It spans approaches from the cryptographic level to the policy level, weaving over the feature interaction problem typically suited for software systems. The assessment of these approaches is demonstrated by a remote healthcare application.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
El Khoury, P., Hacid, MS., Sinha, S.K., Coquery, E. (2009). A Study on Recent Trends on Integration of Security Mechanisms. In: Ras, Z.W., Dardzinska, A. (eds) Advances in Data Management. Studies in Computational Intelligence, vol 223. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02190-9_10
DOI: https://doi.org/10.1007/978-3-642-02190-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02189-3
Online ISBN: 978-3-642-02190-9
eBook Packages: Engineering, Engineering (R0)