Symposium On Usable Privacy and Security Carnegie Mellon University 25 July 2008 Expressions of Expertness The Virtuous Circle of Natural Language for.

Presentation transcript:

Slide 1 of 14
Symposium On Usable Privacy and Security (SOUPS), Carnegie Mellon University, 25 July 2008
Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification
Philip Inglesant, M. Angela Sasse (University College London); David Chadwick, Lei Lei Shi (University of Kent, Canterbury, UK)

SOUPS 2008, Page 2 of 14
What do we mean by "Expressions of Expertness"?
Need: non-security specialists to express access control in formal terms
– But they struggle to express this in formal terms which the computer can interpret
– They are experts concerning their own resources: they know who should be given access to what, to do which action
– Only the user knows what they "really want"
Grid computing: similar to cluster computing, linked computers working together
– Systems can be distributed geographically
– Across administrative domains

SOUPS 2008, Page 3 of 14
Access control and authorization
"Access control is the ability to permit or deny the use of a particular resource by a particular entity" (Wikipedia)
AuthZ is more important than AuthN but has been studied less
Authorization is inherently complex but, for usability, "complexity is the enemy of success" (Karat, Brodie & Karat 2005)

SOUPS 2008, Page 4 of 14
The context of this research: PERMIS
PERMIS is an integrated AuthZ infrastructure
– Open source
– Works with Grid, Apache web servers, .NET, and others
PERMIS makes access control decisions …
– … as defined by your access control policies …
– … written in XML

SOUPS 2008, Page 5 of 14
Role Based Access Control
Permissions to do actions on resources are assigned to roles, not users
Assignment of roles to users by administrators in (remote) domains
→ The RBAC model presents conceptual difficulties
[Diagram: policy specification: Users → Roles (user assignment) → Permissions (permission assignment), where permissions cover Actions and Resources; delegated assignment of roles by Role/Attribute Administrators]
PERMIS allows you to delegate the ability to assign roles to Role/Attribute Administrators (delegated assignment)
RBAC permissions are always positive, although there can be constraints. Permissions not granted are implicitly denied: "Deny all, except …"

SOUPS 2008, Page 6 of 14
Overcoming conceptual difficulties: existing approaches
PERMIS Editor: GUI-based approach
– Conceptual design: metaphors to match users' mental models
– Prominent warning: "this is DENY ALL, EXCEPT"
Controlled natural language approaches
– Fundamentally: reduce the distance between users' intentions → their expression
– SPARCLE: for privacy and other policies
– Virtuous Circle: input and output of AuthZ policies

SOUPS 2008, Page 7 of 14
Our approach: controlled natural language based on an ontology
Ontology: permissions, actions, resources, roles and other entities, and the relations between them
User's world ↔ computer's world: requests and responses between user and computer
Controlled natural language may be more "natural" and less ambiguous than full natural language
Computer's world: the XML policy (the slide shows a PERMIS policy fragment beginning X.509_PMI_RBAC_ Policy OID=" " >....)
The user does not have to know about the computer's world

SOUPS 2008, Page 8 of 14
Carrying out our approach
Phase 1: Interviews and focus groups
– 45+ resource owners in Grid computing
– How do they think about their AuthZ requirements?
– How do they express them?
Phase 2: Design of ontology and controlled language processing
– From findings of Phase 1
– Keep it open but above all easy
– Basic building blocks: users construct policies according to their needs

SOUPS 2008, Page 9 of 14
Example
Print is an action.
Printers are a type of resource.
Printer has print.
HP Laserjet 1 is a printer.
Manager and staff are roles.
Manager is superior to staff.
Staff can print on HP Laserjet 1.
Manager can print on all printers.
David and John are administrators.
David can assign manager to all users.
John can assign staff to users from DepartmentCS.
read is an action.
write is an action.
records are a type of resource.
records has read and write.
name, dobs, addresses, postcodes are a resource.
analyst and clerk are roles.
analysts can read from dob and postcode.
…

SOUPS 2008, Page 10 of 14
Evaluation: can users express their real-world intentions?
Lab-based observations: 17 target users
Neutral or application-specific scenarios
Recorded and analysed for time and number of tries, classes of problem, and comments
→ How usable is the basic interface? Are users daunted by the blank screen?
→ Can users understand the building blocks and use them to construct workable policies?

SOUPS 2008, Page 11 of 14
Overall results
Not daunted by the controlled natural language interface
Time and tries are higher than we would like:
– mean 24:27 minutes in 4.47 tries
Largely overcomes conceptual difficulties
– No tendency to "deny" access to resources
But:
– Problems with features of controlled natural language
– Difficulties constructing from the "building blocks"

SOUPS 2008, Page 12 of 14
The underlying mechanism makes itself felt
Not quite natural language
– Having to declare elements
– Prepositions after verbs
Using the building blocks
– classes and instances
Policy written by a participant:
Clerks, Owners and Analysts are roles. Name, DoB, Address and Postcode are resources. Clerks can write to Name, DoB, Address and Postcode. Owners can read all fields. Address is a type of resource. …
Here "Address is a type of resource." was written instead of "Field is a type of resource. Address is a field." (compare the building blocks "Printers are a type of resource. HP Laserjet 1 is a printer.")
→ The underlying model does not match the users' expectation
→ What do they need to know? How can we overcome the problems?

SOUPS 2008, Page 13 of 14
What do they need to know? How can they know it?
More informative, timely feedback
– Line-by-line parsing
– Don't silently fix problems: only the user knows what they "really want"
– Drop-down boxes to disambiguate
Two-way street between GUI and controlled language
– An integrated interface
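As an added illustration (not code from the paper or from PERMIS), the following Python interpreter covers the controlled-language fragment of slide 9 together with the RBAC semantics of slide 5 (deny all except; a superior role inherits the permissions of the roles below it) and the feedback design of slides 12 and 13: each sentence is parsed on its own, and an undeclared role, action or resource type produces a diagnostic for that sentence instead of a silent fix. The grammar, the class and method names, and the sample policy are my own constructions in the style of slide 9.

```python
import re
# Constructed sample in the slide 9 style (not from the slides); the last sentence uses an undeclared role.
SAMPLE = """Print is an action. Read is an action. Printers are a type of resource.
Records are a type of resource. HP Laserjet 1 is a printer. Payroll is a record.
Manager and staff are roles. Manager is superior to staff. Staff can print on HP Laserjet 1.
Manager can read from all records. Clerks can print on HP Laserjet 1."""
class ControlledPolicy:
    def __init__(self):
        self.actions, self.roles, self.errors = set(), set(), []
        self.types = {}      # singular resource type -> set of instance names
        self.inferior = {}   # role -> roles it is superior to (it inherits their grants)
        self.grants = set()  # (role, action, instance name or "all <type>")
    @staticmethod
    def _names(text):
        return [n.strip() for n in re.split(r",| and ", text) if n.strip()]
    def _type_of(self, resource):
        return next((t for t, inst in self.types.items() if resource in inst), None)
    def load(self, text):
        # One sentence at a time; a faulty sentence is reported, never silently "fixed".
        for no, s in enumerate(filter(None, re.split(r"\.(?:\s+|$)", text.strip())), 1):
            if err := self._parse(s.lower()): self.errors.append(f"sentence {no}: {err}")
    def _parse(self, s):
        if m := re.fullmatch(r"(.+) (?:is an|are) actions?", s):
            self.actions.update(self._names(m[1]))
        elif m := re.fullmatch(r"(\w+)s are a type of resource", s):
            self.types[m[1]] = set()
        elif m := re.fullmatch(r"(.+) (?:is a|are) roles?", s):
            self.roles.update(self._names(m[1]))
        elif m := re.fullmatch(r"(\w+) is superior to (\w+)", s):
            self.inferior.setdefault(m[1], set()).add(m[2])
        elif m := re.fullmatch(r"(.+) is an? (\w+)", s):
            if m[2] not in self.types: return f"{m[2]!r} is not a declared type of resource"
            self.types[m[2]].add(m[1])
        elif m := re.fullmatch(r"(\w+) can (\w+) (?:on|from) (.+)", s):
            role, act, rest = m.groups()
            if role not in self.roles or act not in self.actions: return f"undeclared role or action in {s!r}"
            targets = [f"all {a[1]}"] if (a := re.fullmatch(r"all (\w+)s", rest)) else self._names(rest)
            bad = [t for t in targets if not (t[4:] in self.types if t.startswith("all ") else self._type_of(t))]
            if bad: return f"undeclared resource {bad[0]!r}"
            self.grants.update((role, act, t) for t in targets)
        else:
            return f"cannot parse {s!r}"
    def allowed(self, role, action, resource):
        # Deny by default; a superior role inherits the grants of the roles below it.
        seen, todo = set(), [role.lower()]
        while todo:
            r = todo.pop()
            if r not in seen: seen.add(r); todo.extend(self.inferior.get(r, ()))
        targets = {resource.lower(), f"all {self._type_of(resource.lower())}"}
        return any((r, action.lower(), t) in self.grants for r in seen for t in targets)
```

Loading SAMPLE leaves one entry in `errors` for sentence 11 (the undeclared role "clerks") while the other ten sentences take effect, so `allowed("manager", "print", "HP Laserjet 1")` is true through the superior-to relation and `allowed("staff", "read", "Payroll")` is false because nothing granted it.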

SOUPS 2008, Page 14 of 14
Review and conclusions
Need: expression of formal AuthZ by non-experts
Question: Is controlled natural language more "natural" than a GUI?
Design and evaluation of a controlled language: can users express access control needs?
– Overall: well understood and usable, but
– Underlying mechanisms make themselves felt
Meeting the needs of the user in their own terms
– Feedback
– Integrated interface

SOUPS 2008 (closing slide)
Human Centred Systems Group; Information Systems Security Group

SOUPS 2008 (backup slide): SPARCLE compared with PERMIS

SPARCLE                                              | PERMIS
Privacy policies (although other types envisioned)  | Authorization policies by resource owners
Protects data items in an organisation               | Protects any collection of resources, actions and roles
Supports a generic privacy control                   | Supports PERMIS with delegation of authorities
Bespoke privacy model                                | Role Based Access Control
Based on predefined User Categories, Actions, etc.   | Based on a formal OWL ontology

SOUPS 2008 (backup slide)
[Diagram: a Database with the fields Name, Date of Birth, Address and Postcode, accessed from Department A and Department B]
Users cannot see the whole of the Database; what they can see depends on their roles:
– Analysts can see only DoB and Postcode
– Clerks in Dept A can add and change date of birth, name, address and postcode
– Process owners cannot change any data but can read it all

SOUPS 2008 (backup slide)
[Diagram: Department A and Department B]
When Clerks and Process owners join Department A, John assigns their roles to them
When Analysts join Department B, Anne assigns their roles to them