Sabrina De Capitani di Vimercati

A fine-grained access control system for XML documents

Web-based applications greatly increase information availability and ease of access, which is optimal for public information. The distribution and sharing of information via the Web that must be accessed in a selective way, such as electronic commerce transactions, require the definition and enforcement of security controls, ensuring that information will be accessible only to authorized entities. Different approaches have been proposed that address the problem of protecting information in a Web system. However, these approaches typically operate at the file-system level, independently of the data that have to be protected from unauthorized accesses. Part of this problem is due to the limitations of HTML, historically used to design Web documents. The extensible markup language (XML), a markup language promoted by the World Wide Web Consortium (W3C), is de facto the standard language for the exchange of information on the Internet and represents an important opportunity to provide fine-grained access control. We present an access control model to protect information distributed on the Web that, by exploiting XMLs own capabilities, allows the definition and enforcement of access restrictions directly on the structure and content of the documents. We present a language for the specification of access restrictions, which uses standard notations and concepts, together with a description of a system architecture for access control enforcement based on existing technology. The result is a flexible and powerful security system offering a simple integration with current solutions.

Access Control: Policies, Models, and Mechanisms

Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing regulations established by a security policy. Different access control policies can be applied, corresponding to different criteria for defining what should, and what should not, be allowed, and, in some sense, to different definitions of what ensuring security means. In this chapter we investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration. We discuss several access control policies, and models formalizing them, that have been proposed in the literature or that are currently under investigation.

An algebra for composing access control policies

Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This assumption is too restrictive when access control restrictions to be enforced come from the combination of different policy specifications, each possibly under the control of independent authorities, and where the specifics of some component policies may not even be known apriori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. This article addresses the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. A translation of policy expressions into equivalent logic programs is illustrated, which provides the basis for the implementation of the algebra. The algebras expressiveness is analyzed through a comparison with first-order logic.

Securing XML Documents

Web-based applications greatly increase information availability and ease of access, which is optimal for public information. The distribution and sharing by theWeb of information that must be accessed in a selective way requires the definition and enforcement of security controls, ensuring that information will be accessible only to authorized entities. Approaches proposed to this end level, independently from the semantics of the data to be protected and for this reason result limited. The eXtensible Markup Language (XML), a markup language promoted by the World Wide Web Consortium (W3C), represents an important opportunity to solve this problem. We present an access control model to protect information distributed on the Web that, by exploiting XMLs own capabilities, allows the definition and enforcement of access restrictions directly on the structure and content of XML documents. We also present a language for the specification of access restrictions that uses standard notations and concepts and briefly describe a system architecture for access control enforcement based on existing technology.

Computer Security – ESORICS 2005

Computerized Voting Machines: A View from the Trenches.- XML Access Control with Policy Matching Tree.- Semantic Access Control Model: A Formal Specification.- A Generic XACML Based Declarative Authorization Scheme for Java.- Specification and Validation of Authorisation Constraints Using UML and OCL.- Unified Index for Mobile Object Data and Authorizations.- On Obligations.- A Practical Voter-Verifiable Election Scheme.- Machine-Checked Security Proofs of Cryptographic Signature Schemes.- Sanitizable Signatures.- Limits of the Cryptographic Realization of Dolev-Yao-Style XOR.- Security-Typed Languages for Implementation of Cryptographic Protocols: A Case Study.- Augmented Oblivious Polynomial Evaluation Protocol and Its Applications.- Using Attack Trees to Identify Malicious Attacks from Authorized Insiders.- An Efficient and Unified Approach to Correlating, Hypothesizing, and Predicting Intrusion Alerts.- Towards a Theory of Intrusion Detection.- On Scalability and Modularisation in the Modelling of Network Security Systems.- Sybil-Resistant DHT Routing.- Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks.- Quantifying Probabilistic Information Flow in Computational Reactive Systems.- Enforcing Non-safety Security Policies with Program Monitors.- Soundness of Formal Encryption in the Presence of Key-Cycles.- Privacy Preserving Clustering.- Abstractions Preserving Parameter Confidentiality.- Minimal Disclosure in Hierarchical Hippocratic Databases with Delegation.- Security Notions for Disk Encryption.- Local View Attack on Anonymous Communication.- Browser Model for Security Analysis of Browser-Based Protocols.

Design and implementation of an access control processor for XML documents

Abstract More and more information is distributed in XML format, both on corporate Intranets and on the global Net. In this paper an Access Control System for XML is described allowing for definition and enforcement of access restrictions directly on the structure and content of XML documents, thus providing a simple and effective way for users to protect information at the same granularity level provided by the language itself.

Combining fragmentation and encryption to protect privacy in data storage

The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive. In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost are able to retrieve solutions close to optimum.

An Obfuscation-Based Approach for Protecting Location Privacy

The pervasive diffusion of mobile communication devices and the technical improvements of location techniques are fostering the development of new applications that use the physical position of users to offer location-based services for business, social, or informational purposes. In such a context, privacy concerns are increasing and call for sophisticated solutions able to guarantee different levels of location privacy to the users. In this paper, we address this problem and present a solution based on different obfuscation operators that, when used individually or in combination, protect the privacy of the location information of users. We also introduce an adversary model and provide an analysis of the proposed obfuscation operators to evaluate their robustness against adversaries aiming to reverse the obfuscation effects to retrieve a location that better approximates the location of the users. Finally, we present some experimental results that validate our solution.

Modeling and assessing inference exposure in encrypted databases

The scope and character of todays computing environments are progressively shifting from traditional, one-on-one client-server interaction to the new cooperative paradigm. It then becomes of primary importance to provide means of protecting the secrecy of the information, while guaranteeing its availability to legitimate clients. Operating online querying services securely on open networks is very difficult; therefore many enterprises outsource their data center operations to external application service providers. A promising direction toward prevention of unauthorized access to outsourced data is represented by encryption. However, data encryption is often supported for the sole purpose of protecting the data in storage while allowing access to plaintext values by the server, which decrypts data for query execution. In this paper, we present a simple yet robust single-server solution for remote querying of encrypted databases on external servers. Our approach is based on the use of indexing information attached to the encrypted database, which can be used by the server to select the data to be returned in response to a query without the need of accessing the plaintext database content. Our indexes balance the trade-off between efficiency requirements in query execution and protection requirements due to possible inference attacks exploiting indexing information. We investigate quantitative measures to model inference exposure and provide some related experimental results.

Data protection in outsourcing scenarios: issues and directions

Data outsourcing is an emerging paradigm that allows users and companies to give their (potentially sensitive) data to external servers that then become responsible for their storage, management, and dissemination. Although data outsourcing provides many benefits, especially for parties with limited resources for managing an ever more increasing amount of data, it introduces new privacy and security concerns. In this paper we discuss the main privacy issues to be addressed in data outsourcing, ranging from data confidentiality to data utility. We then illustrate the main research directions being investigated for providing effective data protection to data externally stored and for enabling their querying.