Publication


Featured research published by Ilaria Matteucci.


acm symposium on applied computing | 2010

CNL4DSA: a controlled natural language for data sharing agreements

Ilaria Matteucci; Marinella Petrocchi; Marco Luca Sbodio

A Data Sharing Agreement (DSA) is an agreement among contracting parties regulating how they share data. A DSA represents a flexible means to assure privacy of data exchanged on the Web. As an example, a set of intelligent user agents may interact with each other, and by means of DSA, may negotiate privacy requirements on behalf of human users. However, a key factor for the adoption of privacy technologies is not only their reliability, but also their usability. Here, we propose CNL4DSA, a Controlled Natural Language for DSA aiming at lowering the barrier to adoption of DSA, and, at the same time, ensuring mapping to formal languages that enable the automatic verification of agreements.


DPM/SETOP | 2012

Prioritized Execution of Privacy Policies

Ilaria Matteucci; Paolo Mori; Marinella Petrocchi

This paper addresses the issue of solving conflicts occurring in the authorization decision process among policies applicable to an access request. We propose a strategy for conflict resolution based on the evaluation of the specificity level of the elements constituting the policies. Operatively, the strategy is implemented by exploiting a well-known decision making technique. Two practical examples of use in the healthcare scenario are given.


formal methods | 2011

Security and Trust

Gabriele Costa; Valérie Issarny; Fabio Martinelli; Ilaria Matteucci; Rachid Saadi

Security and Trust offer two different perspectives on the problem of the correct interaction among software components. For many aspects, they represent complementary viewpoints. Moreover, in the study of the verification of non-functional properties of programs they represent a mainstream. Several security aspects, e.g., access control, could be based also on trust and, vice versa, trust models could update the level of trust of a (component of a) system according to the satisfaction of a particular security policy. According to that, here we present the Security-by-Contract-with-Trust framework, S×C×T for short. It has been developed considering a system platform that has to execute an application whose developer is unknown in such a way that security policies set on it are not violated. The S×C×T mechanism is driven by both security and trust aspects. It is based on three main concepts: the application code, the application contract, and the system security policy. The level of trust we consider measures the adherence of the application code to its contract, i.e., if the code respects its contract then the application is trusted, otherwise its level of trust decreases. According to the level of trust of the application, S×C×T decides whether to check the contract against the policies and, if the answer is positive, execute the application just monitoring its contract, or directly enforce the security policy set on the platform.


complex, intelligent and software intensive systems | 2010

Extending Security-by-Contract with Quantitative Trust on Mobile Devices

Gabriele Costa; Aliaksandr Lazouski; Fabio Martinelli; Fabio Massacci; Ilaria Matteucci

Security-by-Contract (SxC) is a paradigm providing security assurances for mobile applications. In this work, we present an extension of SxC enriched with an automatic trust management infrastructure. Indeed, we enhance the already existing architecture by adding new modules and configurations for managing contracts. At deploy-time, our system decides the run-time configuration depending on the credentials of the contract provider. Roughly, the run-time environment can both enforce a security policy and monitor the declared contract. According to the actual behaviour of the running program our architecture updates the trust level associated with the contract provider. The main advantage of this method is an automatic management of the level of trust of software and contract releasers.


trust and privacy in digital business | 2008

Controlling Usage in Business Process Workflows through Fine-Grained Security Policies

Benjamin Aziz; Alvaro Arenas; Fabio Martinelli; Ilaria Matteucci; Paolo Mori

We propose a language for expressing fine-grained security policies for controlling orchestrated business processes modelled as a BPEL workflow. Our policies are expressed as a process algebra that permits a BPEL activity, denies it or force-terminates it. The outcome is evaluated with compensation contexts. Finally, we give an example of these policies in a distributed map processing scenario such that the policies constrain service interactions in the workflow according to the security requirements of each entity participating in the workflow.


computer based medical systems | 2013

A prototype for solving conflicts in XACML-based e-Health policies

Alessio Lunardelli; Ilaria Matteucci; Paolo Mori; Marinella Petrocchi

The Electronic Patient Record (EPR) enables the sharing of medical documents among several and widespread healthcare organizations. To guarantee privacy properties, access control policies should be defined, regulating how the documents can be shared. Conflicts may occur among policies applicable to the same access request. We present a running prototype, based on an XACML engine, that implements a conflict resolution strategy as an extension to the standard combining algorithms of the XACML engine. We evaluate the efficiency of our proposal in terms of execution time, on a variable number of conflicting rules.


DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneous Security | 2011

A design phase for data sharing agreements

Ilaria Matteucci; Marinella Petrocchi; Marco Luca Sbodio; Luca Wiegand

The number of factories, service providers, retailers, and final users that create networks and establish collaborations for increasing their productivity and competitiveness is constantly growing, especially by effect of the globalization and outsourcing of industrial activities. This trend introduces new complexities in the value supply chain, not least the need for secure and private data sharing among the collaborating parties. A Data Sharing Agreement (DSA) represents a flexible means to assure privacy and security of electronic data exchange. DSA is a formal document regulating data exchange in a controlled manner, by defining a set of policies specifying what parties are allowed, or required, or denied to do with respect to data covered by the agreement. A key factor in the adoption of DSAs is their usability. Here, we propose an approach for a consistent and automated design phase of the agreements. In particular, we present an authoring tool for a user-friendly and cooperative editing of DSA and an analysis tool to identify possible conflicts or incompatibilities among the DSA policies.


Software Testing, Verification & Reliability | 2012

A framework for automatic generation of security controller

Fabio Martinelli; Ilaria Matteucci

This paper concerns the study, the development and the synthesis of mechanisms for guaranteeing the security of complex systems, i.e. systems composed of several interacting components. A complex system under analysis is described as an open system, i.e. a system in which an unspecified component (a component whose behaviour is not fixed in advance) interacts with the known part of the system. Within this formal approach, we propose techniques that aim at synthesizing controller programs able to guarantee that, for all possible behaviours of the unspecified component, the system should work properly, e.g. it should be able to satisfy a certain property. For performing this task, we first need to identify the set of necessary and sufficient conditions that the unspecified component has to satisfy in order to ensure that the whole system is secure. Hence, by exploiting the satisfiability procedures for temporal logic, we automatically synthesize an appropriate controller program that forces the unspecified component to meet these conditions. This will ensure the security of the whole system. In particular, we contribute within the area of the enforcement of security properties by proposing a flexible and automated framework that goes beyond the definition of how a system should behave to work properly. Indeed, while the majority of the related work focuses on the definition of monitoring mechanisms, we also address the synthesis problem. Moreover, we describe a tool for the synthesis of secure systems which is able to generate appropriate controller programs. This tool is also able to translate the synthesized controller programs into the ConSpec language. ConSpec programs can be actually deployed for enforcing security policies on mobile Java applications by using the run-time framework developed in the ambit of the European Project S3MS.


Electronic Notes in Theoretical Computer Science | 2007

An Approach for the Specification, Verification and Synthesis of Secure Systems

Fabio Martinelli; Ilaria Matteucci

In this paper we describe an approach based on open system analysis for the specification, verification and synthesis of secure systems. In particular, by using our framework, we are able to model a system with a possible intruder and verify whether the whole system is secure, i.e. whether the system satisfies a given temporal logic formula that describes its secure behavior. If necessary, we are also able to automatically synthesize a process that, by controlling the behavior of the possible intruder, enforces the desired secure behavior of the whole system.


leveraging applications of formal methods | 2008

A Framework for Contract-Policy Matching Based on Symbolic Simulations for Securing Mobile Device Application

Paolo Greci; Fabio Martinelli; Ilaria Matteucci

There is a growing interest in programming models based on the notion of contract. In particular, in the security realm one could imagine the situation where either downloaded code or software service exposes their security-relevant behavior in a contract (that must be fulfilled). Assuming we already have a mechanism to ensure that the program/service adheres to the contract, it just remains to check that the contract matches with the user security policy. We refer to this testing procedure as contract-policy matching.

Collaboration

Top Co-Authors

Felicita Di Giandomenico
Istituto di Scienza e Tecnologie dell'Informazione

Antonia Bertolino
Istituto di Scienza e Tecnologie dell'Informazione

Antonello Calabrò
Istituto di Scienza e Tecnologie dell'Informazione