SampleServer …"> SampleServer …">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shriram Krishnamurthi Brown University

Published byShannon Lawson Modified over 6 years ago

Similar presentations

Presentation on theme: "Shriram Krishnamurthi Brown University"— Presentation transcript:

1 Shriram Krishnamurthi Brown University
Policy Languages Shriram Krishnamurthi Brown University

2

3 Designated TAs can write homework grades
Delegation Designated TAs can write homework grades Separation of Duty Creating a course requires authorization from two distinct people Information Filtering Professor group gets network priority Mon 12-1 Information Flow One student cannot learn another's grade information Composition Department's building access rules override the university's Administrative Nobody can change their own privileges Obligation TAs who check out assignment blocks must submit grades for them Authorization A professor can modify grades

4 <Policy PolicyId="SamplePolicy"
RuleCombiningAlgId=”…s:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType=“…/XMLSchema#string">SampleServer</AttributeValue> <ResourceAttributeDesignator DataType=”….w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/> </ResourceMatch> </Resources> <Actions> <AnyAction/> </Actions> </Target>

5 hostname int interface in_dmz ip address ip nat outside interface in_lan ip access-group 102 in ip address ip nat inside access-list 102 deny ip host access-list 102 permit tcp any host eq 25 access-list 102 permit tcp any any eq 80 access-list 102 deny any ip nat inside source list 1 interface in_dmz overload ip route access-list 1 permit

6 Independent Composition
faculty (s)  Permit(s, grades, assign) student(s)  -Permit(s, grades, assign) -faculty(s)  Permit(s, course, enroll) Safety Independent Composition Monotonicity

7 System Structure

8 System Structure = +

9 Access-Control Policies
Policy maps requests to decisions: <subject, action, resource> g {permit, deny} Depends on the domain role not-applicable First-applicable, Permit-overrides, Deny-overrides university policy on building access department policy: undergrad TAs get night access

10 System Structure = +

11 Good Verification Target
Sub-Turing-complete languages High-level operators Not very large programs Accessible to non-technical users

12 What Makes This Domain Hard/Interesting?

13 Program or Property? The balance between enforcement and verification

14 A professor can modify grades Delegation
Authorization A professor can modify grades Delegation Designated TAs can write homework grades Information Filtering Professor group gets network priority Mon 12-1 Composition Department's building access rules override the university's Information Flow One student cannot learn another's grade information Administrative Nobody can change their own privileges Separation of Duty Creating a course requires authorization from two distinct people Obligation TAs who check out assignment blocks must submit grades for them

15 Linking Ontologies

16 A professor can modify grades
Authorization A professor can modify grades Delegation Designated TAs can write homework grades Information Filtering Professor group gets network priority Mon 12-1 Composition Department's building access rules override the university's

17 Dynamics

18 Dynamic/Temporal Policies
Coarse-grained: Fine-grained: Don’t allow access to a paper’s other reviews until the PC member has submitted their own review Submit Review Meet Respond

19 Mutual Dependence

20 func UploadReview(a, p) { if Permit == CheckReq (a,submit-review,p)
Reviews := Review U (a, p) …} During submission phase, author may submit a paper During review phase, a reviewer r may submit review for paper p if r is assigned to p ….

21 What is the State Space?

22 Access Control Business Rules

23

Download ppt "Shriram Krishnamurthi Brown University"

Similar presentations

1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University.

1 1 Finding the Dark Cloud: Static Analysis of Cloud Configurations Shriram Krishnamurthi Brown University.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.

Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.
Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.

Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Sybex CCNA 640-802 Chapter 11: Network Address Translation Instructor & Todd Lammle.

Sybex CCNA Chapter 11: Network Address Translation Instructor & Todd Lammle.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Lecture 7 Access Control

Lecture 7 Access Control
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Virtual Company Group 8 Presentation Date: June /04/2017

Virtual Company Group 8 Presentation Date: June /04/2017
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
NAT (Network Address Translation) Natting means Translation of private IP address into public IP address . In order to communicate with internet we must.

NAT (Network Address Translation) Natting means "Translation of private IP address into public IP address ". In order to communicate with internet we must.

Similar presentations

Ads by Google