Jianwei Niu

R OWL BAC: representing role based access control in OWL

There have been two parallel themes in access control research in recent years. On the one hand there are efforts to develop new access control models to meet the policy needs of real world application domains. In parallel, and almost separately, researchers have developed policy languages for access control. This paper is motivated by the consideration that these two parallel efforts need to develop synergy. A policy language in the abstract without ties to a model gives the designer little guidance. Conversely a model may not have the machinery to express all the policy details of a given system or may deliberately leave important aspects unspecified. Our vision for the future is a world where advanced access control concepts are embodied in models that are supported by policy languages in a natural intuitive manner, while allowing for details beyond the models to be further specified in the policy language. This paper studies the relationship between the Web Ontology Language (OWL) and the Role Based Access Control (RBAC) model. Although OWL is a web ontology language and not specifically designed for expressing authorization policies, it has been used successfully for this purpose in previous work. OWL is a leading specification language for the Semantic Web, making it a natural vehicle for providing access control in that context. In this paper we show two different ways to support the NIST Standard RBAC model in OWL and then discuss how the OWL constructions can be extended to model attribute-based RBAC or more generally attribute-based access control. We further examine and assess OWLs suitability for two other access control problems: supporting attribute based access control and performing security analysis in a trust-management framework.

Template semantics for model-based notations

We propose a template-based approach to structuring the semantics of model-based specification notations. The basic computation model is a nonconcurrent, hierarchical state-transition machine (HTS), whose execution semantics are parameterized. Semantics that are common among notations (e.g., the concept of an enabled transition) are captured in the template, and a notations distinct semantics (e.g., which states can enable transitions) are specified as parameters. The template semantics of composition operators define how multiple HTSs execute concurrently and how they communicate and synchronize with each other by exchanging events and data. The definitions of these operators use the template parameters to preserve notation-specific behavior in composition. Our template is sufficient to capture the semantics of basic transition systems, CSP, CCS, basic LOTOS, a subset of SDL88, and a variety of statecharts notations. We believe that a description of a notations semantics using our template can be used as input to a tool that automatically generates formal analysis tools.

Group-Centric Secure Information-Sharing Models for Isolated Groups

Group-Centric Secure Information Sharing (g-SIS) envisions bringing users and objects together in a group to facilitate agile sharing of information brought in from external sources as well as creation of new information within the group. We expect g-SIS to be orthogonal and complementary to authorization systems deployed within participating organizations. The metaphors “secure meeting room” and “subscription service” characterize the g-SIS approach. The focus of this article is on developing the foundations of isolated g-SIS models. Groups are isolated in the sense that membership of a user or an object in a group does not affect their authorizations in other groups. Present contributions include the following: formal specification of core properties that at once help to characterize the family of g-SIS models and provide a “sanity check” for full policy specifications; informal discussion of policy design decisions that differentiate g-SIS policies from one another with respect to the authorization semantics of group operations; formalization and verification of a specific member of the family of g-SIS models; demonstration that the core properties are logically consistent and mutually independent; and identification of several directions for future extensions. The formalized specification is highly abstract. Besides certain well-formedness requirements that specify, for instance, a user cannot leave a group unless she is a member, it constrains only whether user-level read and write operations are authorized and it does so solely in terms of the history of group operations; join and leave for users and add, create, and remove for objects. This makes temporal logic one of the few formalisms in which the specification can be clearly and concisely expressed. The specification serves as a reference point that is the first step in deriving authorization-system component specifications from which a programmer with little security expertise could implement a high-assurance enforcement system for the specified policy.

Towards a framework for group-centric secure collaboration

The concept of groups is a natural aspect of most collaboration scenarios. Group-Centric Secure Information Sharing models (g-SIS) have been recently proposed in which users and objects are brought together to promote sharing and collaboration. Users may join, leave and re-join and objects may be added, removed and re-added. Furthermore, objects embodying new intellectual property may be created in the group during collaboration, some of which may flow back to the participating entities. Authorizations may depend on various aspects including time of join and add, the users role, etc. In this paper, we outline three example scenarios of inter-organizational collaboration. We develop a complete authorization model for one of these scenarios comprising administrative and operational components. We conclude the paper by proposing an initial framework for developing more sophisticated models for inter-organizational collaboration.

Stale-safe security properties for group-based secure information sharing

Attribute staleness arises due to the physical distribution of authorization information, decision and enforcement points. This is a fundamental problem in virtually any secure distributed system in which the management and representation of authorization state are not globally synchronized. This problem is so intrinsic, it is inevitable that access decision will be based on attribute values that are stale. While it may not be practical to eliminate staleness, we can limit unsafe access decisions made based on stale subject and object attributes. In this paper, we propose and formally specify four stale-safe security properties of varying strength which limit such incorrect access decisions. We use Linear Temporal Logic (LTL) to formalize these properties making them suitable to be verified, for example, using model checking. We show how these properties can be applied in the specific context of group-based Secure Information Sharing (g-SIS) as defined in this paper. We specify the authorization decision/enforcement points of the g-SIS system as a Finite State Machine (FSM) and show how this FSM can be modified so as to satisfy one of the stale-safe properties.

Toward a framework for detecting privacy policy violations in android application code

Mobile applications frequently access sensitive personal informa- tion to meet user or business requirements. Because such informa- tion is sensitive in general, regulators increasingly require mobile- app developers to publish privacy policies that describe what infor- mation is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. To help mobile-app developers check their pri- vacy policies against their apps’ code for consistency, we propose a semi-automated framework that consists of a policy terminology- API method map that links policy phrases to API methods that pro- duce sensitive information, and information flow analysis to detect misalignments. We present an implementation of our framework based on a privacy-policy-phrase ontology and a collection of map- pings from API methods to policy phrases. Our empirical eval- uation on 477 top Android apps discovered 341 potential privacy policy violations.

Mapping template semantics to SMV

We show how to create a semantics-based, parameterized translator from model-based notations to SMV, using template semantics. Our translator takes as input a specification and a set of user-provided parameters that encode the specifications semantics; it produces an SMV model suitable for model checking. Using such a translator, we can model check a specification that has customized semantics. Our work also shows how to represent complex composition operators, such as rendezvous, in the SMV language, in which there is no matching language construct.

Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule

Organizations collect personal information from individuals to carry out their business functions. Federal privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), mandate how this collected information can be shared by the organizations. It is thus incumbent upon the organizations to have means to check compliance with the applicable regulations. Prior work by Barth et. al. introduces two notions of compliance, weak compliance (WC) and strong compliance (SC). WC ensures that present requirements of the policy can be met whereas SC also ensures obligations can be met. An action is compliant with a privacy policy if it is both weakly and strongly compliant. However, their definitions of compliance are restricted to only propositional linear temporal logic (pLTL), which cannot feasibly specify HIPAA. To this end, we present a policy specification language based on a restricted subset of first order temporal logic (FOTL) which can capture the privacy requirements of HIPAA. We then formally specify WC and SC for policies of our form. We prove that checking WC is feasible whereas checking SC is undecidable. We then formally specify the property WC entails SC, denoted by Δ, which requires that each weakly compliant action is also strongly compliant. To check whether an action is compliant with such a policy, it is sufficient to only check whether the action is weakly compliant with that policy. We also prove that when a policy ℘ has the Δ-property, the present requirements of the policy reduce to the safety requirements imposed by ℘. We then develop a sound, semi-automated technique for checking whether practical policies have the Δ-property. We finally use HIPAA as a case study to demonstrate the efficacy of our policy analysis technique.

Deconstructing the semantics of big-step modelling languages

With the popularity of model-driven methodologies and the abundance of modelling languages, a major question for a requirements engineer is: which language is suitable for modelling a system under study? We address this question from a semantic point-of-view for big-step modelling languages (BSMLs). BSMLs are a class of popular behavioural modelling languages in which a model can respond to an input by executing multiple transitions, possibly concurrently. We deconstruct the operational semantics of a large class of BSMLs into eight high-level, mostly orthogonal semantic aspects and their common semantic options. We analyse the characteristics of each semantic option. We use feature diagrams to present the design space of BSML semantics that arises from our deconstruction, as well as to taxonomize the syntactic features of BSMLs that exhibit semantic variations. We enumerate the dependencies between syntactic and semantic features. We also discuss the effects of certain combinations of semantic options when used together in a BSML semantics. Our goal is to empower a requirements engineer to compare and choose an appropriate BSML from the plethora of existing BSMLs, or to articulate the semantic features of a new desired BSML when such a BSML does not exist.

Group-centric models for secure and agile information sharing

To share information and retain control (share-but-protect) is a classic cyber security problem for which effective solutions continue to be elusive. Where the patterns of sharing are well defined and slow to change it is reasonable to apply the traditional access control models of lattice-based, role-based and attribute-based access control, along with discretionary authorization for further fine-grained control as required. Proprietary and standard rights markup languages have been developed to control what a legitimate recipient can do with the received information including control over its further discretionary dissemination. This dissemination-centric approach offers considerable flexibility in terms of controlling a particular information object with respect to already defined attributes of users, subjects and objects. However, it has many of the same or similar problems that discretionary access control manifests relative to role-based access control. In particular specifying information sharing patterns beyond those supported by currently defined authorization attributes is cumbersome or infeasible. Recently a novel mode of information sharing called group-centric was introduced by these authors. Group-centric secure information sharing (g-SIS) is designed to be agile and accommodate ad hoc patterns of information sharing. In this paper we review g-SIS models, discuss their relationship with traditional access control models and demonstrate their agility relative to these.