Publication


Featured research published by Kamel Adi.


Algebraic Methodology and Software Technology | 2000

A new logic for electronic commerce protocols

Kamel Adi; Mourad Debbabi; Mohamed Mejri

The primary objective of this paper is to present the definition of a new dynamic, linear and modal logic for security protocols. The logic is compact, expressive and formal. It allows the specification of classical security properties (authentication, secrecy and integrity) and also electronic commerce properties (non-repudiation, anonymity, good atomicity, money atomicity, certified delivery, etc.). The logic constructs are interpreted over a trace-based model. Traces reflect valid protocol executions in the presence of a malicious smart intruder. The logic is endowed with a tableau-based proof system that leads to a modular denotational semantics.


Computers & Security | 2012

Dynamic risk-based decision methods for access control systems

Riaz Ahmed Shaikh; Kamel Adi; Luigi Logrippo

In traditional multi-level security systems, trust and risk values are pre-computed. Any change in these values requires manual intervention of an administrator. In many dynamic environments, however, these values should be auto-adaptive, and auto-tunable according to the usage history of the users. Moreover, occasional exceptions on resource needs, which are common in dynamic environments like healthcare, should be allowed if the subjects show a positive record of use toward resources they acquired in the past. Conversely, access of authorized users who have a negative record should be restricted. These requirements are not taken into consideration in existing risk-based access control systems. In order to overcome these shortcomings and to meet different sensitivity requirements of various applications, we propose two dynamic risk-based decision methods for access control systems. We provide theoretical and simulation-based analysis and evaluation of both schemes. Also, we analytically prove that the proposed methods not only allow exceptions under certain controlled conditions, but uniquely restrict legitimate access of bad authorized users.


Computers & Security | 2013

A framework for risk assessment in access control systems

I Hemanth Khambhammettu; Sofiene Boulares; Kamel Adi; Luigi Logrippo

We describe a framework for risk assessment specifically within the context of risk-based access control systems, which make authorization decisions by determining the security risk associated with access requests and weighing such security risk against operational needs together with situational conditions. Our framework estimates risk as a product of threat and impact scores. The framework that we describe includes four different approaches for conducting threat assessment: an object sensitivity-based approach, a subject trustworthiness-based approach and two additional approaches which are based on the difference between object sensitivity and subject trustworthiness. We motivate each of the four approaches with a series of examples. We also identify and formally describe the properties that are to be satisfied within each approach. Each of these approaches results in different threat orderings, and can be chosen based on the context of applications or preference of organizations. We also propose formulae to estimate the threat of subject-object accesses within each of the four approaches of our framework. We then demonstrate the application of our threat assessment framework for estimating the risk of access requests, which are initiated by subjects to perform certain actions on data objects, by using the methodology of NIST Special Publication 800-30. We show that risk estimates for access requests actually differ based on the threat assessment approach that has been chosen. Therefore, organizations must make prudent judgement while selecting a threat assessment function for risk-based access control systems.


International Conference on E-Technologies | 2009

Typing for Conflict Detection in Access Control Policies

Kamel Adi; Yacine Bouzida; Ikhlass Hattak; Luigi Logrippo; Serge Mankovskii

In this paper we present an access control model that considers both abstract and concrete access control policies specifications. Permissions and prohibitions are expressed within this model with contextual conditions. This situation may lead to conflicts. We propose a type system that is applied to the different rules in order to check for inconsistencies. If a resource is well typed, it is guaranteed that access rules to the resource contain no conflicts.


Information Assurance and Security | 2010

Inconsistency detection method for access control policies

Riaz Ahmed Shaikh; Kamel Adi; Luigi Logrippo; Serge Mankovski

In enterprise environments, the task of assigning access control rights to subjects for resources is not trivial. Because of their complexity, distribution and size, access control policies can contain anomalies such as inconsistencies, which can result in security vulnerabilities. A set of access control policies is inconsistent when, for specific situations, different incompatible policies can apply. Many researchers have tried to address the problem of inconsistency using methods based on formal logic. However, this approach is difficult to implement and inefficient for large policy sets. Therefore, in this paper, we propose a simple, efficient and practical solution for detecting inconsistencies in access control policies with the help of a modified C4.5 data classification algorithm.


Proceedings of the 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security XXIII | 2009

Using Edit Automata for Rewriting-Based Security Enforcement

Hakima Ould-Slimane; Mohamed Mejri; Kamel Adi

Execution monitoring (EM) is a widely adopted class of security mechanisms. EM-enforceable security properties are usually characterized by security automata and their derivatives. However, Edit automata (EA) have been recently proposed to specify more powerful EMs. Being able to feign the execution of sensitive program actions, these EMs are supposed to enforce more security properties. However, feigning program actions will usually make the program behave in discordance with its specification since the effects of feigned actions are not reflected in the program states. In this paper we highlight this problem and show how program rewriting can be a reliable enforcement alternative. The paper's contribution is mainly a semantics foundation for program rewriting enforcement of EA-enforceable security properties.


Security of Information and Networks | 2013

Designing flexible access control models for the cloud

Salim Khamadja; Kamel Adi; Luigi Logrippo

In Cloud environments, Cloud users have the possibility to put their sensitive data on Cloud servers, which opens the door to security challenges concerning data protection. In this context, access control is of vital importance, since it provides security mechanisms to protect against inappropriate access to data. Unfortunately, classical access control models such as DAC, MAC, RBAC or ABAC are not sufficiently expressive for highly flexible and dynamic environments such as those found in the Cloud. Often, a combination of elements of these models is necessary in order to properly express varied data protection needs. In this paper, we present a new approach called CatBAC (Category Based Access Control), for building dedicated access control models starting from an abstract meta-model. Hence, in our approach, a meta-model can be refined in accordance with the high level security policies of each specific user. Our framework for building access control models can be implemented as a Cloud service and Cloud providers will then apply different concrete access control models produced by each user to process its incoming access requests.


International Journal of Information Security | 2017

A Data Classification Method for Inconsistency and Incompleteness Detection in Access Control Policy Sets

Riaz Ahmed Shaikh; Kamel Adi; Luigi Logrippo

Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.


Web Intelligence | 2010

Risk Analysis in Access Control Systems Based on Trust Theories

Ji Ma; Luigi Logrippo; Kamel Adi; Serge Mankovski

There is a need for research on the scientific base and engineering requirements for building trustworthy systems in dynamic environments. To address this need, we study risk analysis for access control from the viewpoint of trust and demonstrate how to extend access control architectures to incorporate trust-based reasoning. We present a theoretical model which allows one to reason about and manage risk for access control systems. We also propose a formal approach for establishing and managing theories of trust. The approach can be used for assessing risk and decision making.


International Conference on Digital Information Management | 2010

Detecting incompleteness in access control policies using data classification schemes

Riaz Ahmed Shaikh; Kamel Adi; Luigi Logrippo; Serge Mankovski

In a set of access control policies, incompleteness is the existence of situations for which no policy applies. Some of these situations can be exploited by attackers to obtain unintended access or to compromise integrity. Such cases can be difficult to foresee, since typical policy sets consist of thousands of rules. In this paper, we adopt data classification techniques widely used in the machine learning community for detecting incompleteness in sets of access control policies. To the best of our knowledge, we are the first ones to use data classification algorithms to detect incompleteness in sets of access control policies. We show that our proposed solution is simple, efficient and practical.

Collaboration


Dive into Kamel Adi's collaboration.

Top Co-Authors

Luigi Logrippo

Université du Québec en Outaouais

Liviu Pene

Université du Québec en Outaouais

Sofiene Boulares

Université du Québec en Outaouais

Hemanth Khambhammettu

Université du Québec en Outaouais

Ji Ma

Macquarie University
