Creating Objects in the Flexible Authorization Framework

Access control is a crucial concern in building secure IT systems and, more specifically, in protecting the confidentiality of information. However, access control is necessary but not sufficient. IT systems can manipulate data to provide services to users, and the results of data processing may disclose information about the objects used in the processing itself. Therefore, the control of information flow is fundamental to guaranteeing data protection. In recent years many information flow control models have been proposed. However, these frameworks mainly focus on the detection and prevention of improper information leaks and do not provide support for the dynamic creation of new objects. In this paper we extend our previous work to automatically support the dynamic creation of objects by verifying the conditions under which objects can be created and automatically associating an access control policy with them. Moreover, our proposal includes mechanisms tailored to control the usage of information once it has been accessed.
