Role-based Trust Management Security Policy Analysis and Correction Environment (RT-SPACE). Gregory T. Hoffer CS7323 – Research Seminar (Dr. Qi Tian)


Overview
- Role Based Trust by Example
- Proposed Framework
- Discussion
- References

Role Based Trust by Example
- Two principals are involved in a transaction: can they trust each other?
- Alice wants to see if she is eligible for a mortgage before she wastes time with the application process.
- The bank is willing to reveal that its loan-approval policy uses one's date of birth (DoB), current salary, and length of current employment. Further details, though, are a trade secret and confidential.
- Alice does not wish to disclose her DoB or salary level; she considers them sensitive.
- Winsborough, among others, has developed cryptographic credential schemes to address this.
- Imagine that both principals in the communication had trust capabilities and a mechanism for exchanging information according to the desired privacy. For example, the bank is certified by the Better Business Bureau and the FDIC, so Alice can trust it. Alice, on the other hand, is certified by the DMV, the DoD, or similar.

Role Based Trust by Example 2
- A bookstore that gives a discount to approved students.
- Amazon.com offers a discount to students under the age of 21 who attend UTSA. Role-based trust policies can be used to implement this.
[Figure: Andy; the credentials and policies of Amazon.com (image from [2])]

Role Based Trust by Example 3
- Hostile / Friendly Identification.
- Can "Alan" trust "Sgt. Sam"? Can "Sgt. Sam" trust "Alan"?

Formalizing Access Control Policies
- Policies must be written and maintained for access-controlled services.
- Policies are subject to change (consider the last example: employees change frequently, as do roles and responsibilities, relationships, etc.).
- Change introduces risk …

Proposal: Policy Analysis & Correction Framework
"When access control policies are subject to change, analyzing them for security properties such as safety (e.g., access to the database is limited to employees) and liveness (e.g., managers will always have access to the database) requires significant tool support" [1]
- RT-SPACE* is introduced as a tool for authoring, verifying, and correcting RT (Role-based Trust) policies.
* Role-based Trust Management Security Policy Analysis and Correction Environment

RT-SPACE Process

- The policy author builds or changes a policy, then submits it.
- The tool performs a conservative conversion into one or more policy models.
- Each model is automatically verified.
- For a model that fails to satisfy the desired properties, the checker produces a set of counterexamples.
- The Policy Correction component analyses the counterexamples to generate a set of suggested corrections, from which the policy author may select the appropriate one.
- The modified policy serves as input to the next iteration (to ensure other properties are not invalidated).
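
The bookstore policy from Example 2 and the verify-then-report-counterexamples step above can be sketched together. This is an added example, not RT-SPACE code or the policy shown in [2]: the credentials are constructed in the RT0 notation of [4], the "under 21" condition is assumed to be a role issued by the DMV, and OtherU, Bob and Eve are hypothetical. It evaluates only the policy as written, whereas the process above verifies policy models with a model checker.

```python
# Added example: constructed RT0-style policy for the bookstore scenario.
# Roles are "Principal.name"; credential forms (Li, Mitchell, Winsborough):
#   member A.r <- D | include A.r <- B.r1 | link A.r <- A.r1.r2
#   intersect A.r <- B1.r1 ∩ B2.r2
BASE = [
    ("intersect", "Amazon.discount", "Amazon.student", "Amazon.under21"),
    ("link", "Amazon.student", "Amazon.university", "student"),
    ("member", "Amazon.university", "UTSA"),
    ("include", "Amazon.under21", "DMV.under21"),
    ("member", "UTSA.student", "Andy"),
    ("member", "UTSA.student", "Bob"),
    ("member", "DMV.under21", "Andy"),
]
# Hypothetical later edit: Amazon accredits a second university.
CHANGED = BASE + [
    ("member", "Amazon.university", "OtherU"),
    ("member", "OtherU.student", "Eve"),
    ("member", "DMV.under21", "Eve"),
]

def members(policy):
    """Least fixpoint: map each role to the principals it contains."""
    m, changed = {}, True
    got = lambda role: m.get(role, set())
    while changed:
        changed = False
        for kind, role, *args in policy:
            if kind == "member":
                new = {args[0]}
            elif kind == "include":
                new = got(args[0])
            elif kind == "link":  # members of p.r2 for every p in A.r1
                new = set().union(*(got(f"{p}.{args[1]}") for p in got(args[0])))
            elif kind == "intersect":
                new = got(args[0]) & got(args[1])
            else:
                raise ValueError(f"unknown credential type: {kind}")
            if not new <= got(role):
                m.setdefault(role, set()).update(new)
                changed = True
    return m

def check(policy, safety, liveness):
    """safety=(sub, sup): sub must stay within sup; liveness=(role, principal)."""
    m = members(policy)
    (sub, sup), (role, who) = safety, liveness
    return {"counterexamples": sorted(m.get(sub, set()) - m.get(sup, set())),
            "liveness_ok": who in m.get(role, set())}
print(check(CHANGED, ("Amazon.discount", "UTSA.student"), ("Amazon.discount", "Andy")))
```

After the change, the safety property "every discount holder is a UTSA student" fails with Eve as the counterexample, while the liveness property for Andy still holds; a correction would have to restore the first without breaking the second.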

Policy Analysis Framework Components
- Graph Construction
- Optimization
- Translation
- Model Checking
- Correction
- Visualization

RT-SPACE in Action

Summary
- Role-based trust is an important field for security and privacy in access control.
- Policies can be tedious (and error-prone) to create and manage.
- RT-SPACE facilitates the creation and management process in order to achieve security and liveness efficiently and effectively.

Questions and Discussion
- Any questions or comments?

References
[1] Mark Reith, Jianwei Niu, and William H. Winsborough Role-based trust management security policy analysis and correction environment (RT-SPACE). In Companion of the 30th international conference on Software engineering (ICSE Companion '08). ACM, New York, NY, USA, DOI= /
[2] M. Reith, J. Niu, and W. H. Winsborough. Policy analysis framework for verification and correction. Technical Report CS-TR , UTSA,
[3] Jiangtao Li, Ninghui Li, and William H. Winsborough Automated trust negotiation using cryptographic credentials. ACM Trans. Inf. Syst. Secur. 13, 1, Article 2 (November 2009), 35 pages. DOI= /
[4] Ninghui Li, John C. Mitchell, and William H. Winsborough. Design of a role-based trust management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 114–130. IEEE Computer Society Press, May 2002.