Abstract
Access control is a crucial concern to build secure IT systems and, more specifically, to protect the confidentiality of information. However, access control is necessary, but not sufficient. Actually, IT systems can manipulate data to provide services to users. The results of a data processing may disclose information concerning the objects used in the data processing itself. Therefore, the control of information flow results fundamental to guarantee data protection. In the last years many information flow control models have been proposed. However, these frameworks mainly focus on the detection and prevention of improper information leaks and do not provide support for the dynamical creation of new objects.
In this paper we extend our previous work to automatically support the dynamical creation of objects by verifying the conditions under which objects can be created and automatically associating an access control policy to them. Moreover, our proposal includes mechanisms tailored to control the usage of information once it has been accessed.
Keywords
- Access Control
- Integrity Constraint
- Access Control Policy
- Covert Channel
- Role Base Access Control
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This material is based upon work supported by the National Science Foundation under grants IIS-0242237 and IIS-0430402. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. This work was partly supported by the projects RBNE0195K5 FIRB-ASTRO, 016004 IST-FP6-FET-IP-SENSORIA, 27587 IST-FP6-IP-SERENITY, 2003-S116-00018 PAT-MOSTRO.
Chapter PDF
References
Bell, D.E., LaPadula, L.J.: Secure Computer System: Unified Exposition and MULTICS Interpretation. Technical Report MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA (1976)
Brewer, D.F.C., Nash, M.J.: The chinese wall security policy. In: Proc. of Symp. on Sec. and Privacy, pp. 206–214. IEEE Press, Los Alamitos (1989)
Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. CACM 20(7), 504–513 (1977)
Downs, D., Rub, J., Kung, K., Jordan, C.: Issues in Discretionary Access Control. In: Proc. of Symp.on Sec. and Privacy, pp. 208–218. IEEE Press, Los Alamitos (1985)
Griffiths, P.P., Wade, B.W.: An authorization mechanism for a relational database system. TODS 1(3), 242–255 (1976)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comp. 29(2), 38–47 (1996)
Sabelfeld, A., Myers, A.C.: Language-Based Information-Flow Security. IEEE J. on Selected Areas in Comm. 21(1), 5–19 (2003)
Chong, S., Myers, A.C.: Security Policies for Downgrading. In: Proc. of CCS 2004, pp. 198–209. ACM Press, New York (2004)
Bertino, E., Samarati, P., Jajodia, S.: High assurance discretionary access control for object bases. In: Proc.of CCS 1993, pp. 140–150. ACM Press, New York (1993)
Samarati, P., Bertino, E., Ciampichetti, A., Jajodia, S.: Information flow control in object-oriented systems. TKDE 9(4), 524–538 (1997)
McCollum, C.D., Messing, J.R., Notargiacomo, L.: Beyond the pale of MAC and DAC-defining new forms of access control. In: Proc. of Symp. on Sec. and Privacy, pp. 190–200. IEEE Press, Los Alamitos (1990)
Stoughton, A.: Access flow: A protection model which integrates access control and information flow. In: Proc. of Symp. on Sec. and Privacy, pp. 9–18. IEEE Press, Los Alamitos (1981)
Zannone, N., Jajodia, S., Massacci, F., Wijesekera, D.: Maintaining Privacy on Derived Objects. In: Proc. of WPES 2005, pp. 10–19. ACM Press, New York (2005)
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. TODS 26(2), 214–260 (2001)
Baral, C.R., Subrahmanian, V.S.: Stable and extension class theory for logic programs and default logics. J. of Autom. Reas. 8(3), 345–366 (1992)
Gelfond, M., Lifschitz, V.: The stable model semantics for logic programming. In: Proc. of ICLP 1988, pp. 1070–1080. MIT Press, Cambridge (1988)
Scott, D.S.: Identity and existence in intuitionistic logic. In: Application of Sheaves. Lecture Notes in Mathematics, vol. 753, pp. 660–696. Springer, Heidelberg (1993)
Liskov, B.H., Wing, J.M.: A Behavioral Notion of Subtyping. TOPLAS 16(6), 1811–1841 (1994)
van Gelder, A.: The alternating fixpoint of logic programs with negation. In: Proc. of PODS 1989, pp. 1–10. ACM Press, New York (1989)
Ferrari, E., Samarati, P., Bertino, E., Jajodia, S.: Providing flexibility in information flow control for object oriented systems. In: Proc. of Symp. on Sec. and Privacy, pp. 130–140. IEEE Press, Los Alamitos (1997)
Focardi, R., Gorrieri, R.: The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties. TSE 23(9), 550–571 (1997)
Samarati, P., di Vimercati, S.D.C.: Access Control: Policies, Models, and Mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2001. LNCS, vol. 2946, pp. 137–196. Springer, Heidelberg (2001)
He, J., Gligor, V.D.: Information-Flow Analysis for Covert-Channel Identification in Multilevel Secure Operating Systems. In: Proc. of the 3rd IEEE Comp. Sec. Found. Workshop, pp. 139–149. IEEE Press, Los Alamitos (1990)
National Computer Security Center: A Guide to Understanding Covert Channel Analysis of Trusted Systems. Technical Report NCSC-TG-030, Library No. S-240,572, National Security Agency (1993)
Pernul, G.: Database Security. Advances in Computers 38, 1–72 (1994)
Osborn, S.L.: Information flow analysis of an RBAC system. In: Proc. of SACMAT 2002, pp. 163–168. ACM Press, New York (2002)
Nyanchama, M., Osborn, S.: The role graph model and conflict of interest. TISSEC 2(1), 3–33 (1999)
Yasuda, M., Tachikawa, T., Takizawa, M.: Information Flow in a Purpose-Oriented Access Control Model. In: Proc. of ICPADS 1997, pp. 244–249. IEEE Press, Los Alamitos (1997)
Izaki, K., Tanaka, K., Takizawa, M.: Information flow control in role-based model for distributed objects. In: Proc. of ICPADS 2001, pp. 363–370. IEEE Press, Los Alamitos (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Zannone, N., Jajodia, S., Wijesekera, D. (2006). Creating Objects in the Flexible Authorization Framework. In: Damiani, E., Liu, P. (eds) Data and Applications Security XX. DBSec 2006. Lecture Notes in Computer Science, vol 4127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11805588_1
Download citation
DOI: https://doi.org/10.1007/11805588_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36796-3
Online ISBN: 978-3-540-36799-4
eBook Packages: Computer ScienceComputer Science (R0)