Dynamic adaptation to object state change in an information flow control model

Abstract Dynamic adaptation to object state change is necessary for an information flow control model because object state may change in an unpredictable manner during runtime. To accomplish the adaptation, an information flow control model should offer the following features: (a) access rights can be dynamically changed according to object state change, (b) purpose-oriented method invocation can be achieved, and (c) information flows among variables can be controlled. According to our survey, no existing model offers the adaptation well. This paper proposes a solution to the adaptation, which is offered by the information flow control model object-oriented role-based access control.

[1]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[2]  Ravi S. Sandhu,et al.  Configuring role-based access control to enforce mandatory and discretionary access control policies , 2000, TSEC.

[3]  Makoto Takizawa,et al.  Information flow control in role-based model for distributed objects , 2001, Proceedings. Eighth International Conference on Parallel and Distributed Systems. ICPADS 2001.

[4]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[5]  Grady Booch,et al.  Object-Oriented Analysis and Design with Applications , 1990 .

[6]  Simon N. Foley A model for secure information flow , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[7]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[8]  Dan Thomsen,et al.  Role-Based Application Design and Enforcement , 1990, Database Security.

[9]  Vijay Varadharajan,et al.  A multilevel security model for a distributed object-oriented system , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[10]  William E. Lorensen,et al.  Object-Oriented Modeling and Design , 1991, TOOLS.

[11]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[12]  Sylvia L. Osborn,et al.  Modeling Mandatory Access Control in Role-Based Security Systems , 1995, DBSec.

[13]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[14]  James A. Reeds,et al.  Multilevel security in the UNIX tradition , 1992, Softw. Pract. Exp..

[15]  Shih-Chien Chou,et al.  Embedding role-based access control model in object-oriented systems to protect privacy , 2004, J. Syst. Softw..

[16]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[17]  Elisa Bertino,et al.  Providing flexibility in information flow control for object oriented systems , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[18]  Simon L. Peyton Jones,et al.  Imperative functional programming , 1993, POPL '93.

[19]  Ravi S. Sandhu Role Hierarchies and Constraints for Lattice-Based Access Controls , 1996, ESORICS.

[20]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[21]  Makoto Takizawa,et al.  Purpose-Oriented Access Control Model in Object-Based Systems , 1997, ACISP.

[22]  Zahir Tari,et al.  A Role-Based Access Control for Intranet Security , 1997, IEEE Internet Comput..

[23]  Pietro Iglio,et al.  A formal model for role-based access control with constraints , 1996, Proceedings 9th IEEE Computer Security Foundations Workshop.

[24]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[25]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[26]  Chang Nian Zhang,et al.  An object-oriented RBAC model for distributed system , 2001, Proceedings Working IEEE/IFIP Conference on Software Architecture.

[27]  Sylvia L. Osborn,et al.  The role graph model and conflict of interest , 1999, TSEC.

[28]  Makoto Takizawa,et al.  A purpose-oriented access control model , 1998, Proceedings Twelfth International Conference on Information Networking (ICOIN-12).

[29]  Sylvia L. Osborn Mandatory access control and role-based access control revisited , 1997, RBAC '97.

[30]  Roberto Gorrieri,et al.  The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties , 1997, IEEE Trans. Software Eng..

[31]  Warwick Ford,et al.  Secure electronic commerce , 1997 .

[32]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[33]  Elisa Bertino,et al.  Information Flow Control in Object-Oriented Systems , 1997, IEEE Trans. Knowl. Data Eng..

[34]  Trent Jaeger,et al.  Proceedings of the Fourth ACM Workshop on Role-Based Access Control, RBAC 1999, Fairfax, VA, USA, October 28-29, 1999 , 1997, RBAC.

[35]  Sushil Jajodia,et al.  Integrating an object-oriented data model with multilevel security , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[36]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[37]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[38]  LouAnna Notargiacomo,et al.  Beyond the pale of MAC and DAC-defining new forms of access control , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[39]  Andrew C. Myers,et al.  Untrusted hosts and confidentiality: secure program partitioning , 2001, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[40]  Elisa Bertino,et al.  Exception-based information flow control in object-oriented systems , 1998, TSEC.

[41]  Makoto Takizawa,et al.  Information flow in a purpose-oriented access control model , 1997, Proceedings 1997 International Conference on Parallel and Distributed Systems.