71 |
National Industrial Security Program Information Systems Authorization: A Case Study
Michael Greene (20348601), 10 January 2025
This case study addresses a timeliness and cost problem associated with attaining the Authorization to Operate (ATO) for National Industrial Security Program (NISP) information systems. Industry contractor organizations are required to attain ATOs to operate NISP computing systems processing classified information located at their facility locations. The origin of the case study problem is decades old; the problem prompted action from the Executive Office of the President to establish the NISP in 1993. The NISP program's intent is to promote security requirement uniformity between the defense industry and the U.S. government, and to reduce security costs. However, despite efforts to lessen the ATO process burden, the problem continues to impede timeliness and increases cost associated with NISP system ATOs today. The case study will focus on reasons the ATO problem is still prevalent today and why the cost saving attributes designed into the Risk Management Framework (RMF) remain an implementation challenge. First, a systematic multivocal literature review methodology is used to collect relevant formal research literature from academic databases, as well as gray literature from authoritative government resources. Second, a cost estimate comparison is used to examine a Department of Defense (DoD) and a NISP information system authorization. The RMF cybersecurity reciprocity and inheritance attributes are applied to the cost comparison to measure ATO impact analysis.
|
72 |
Shepherding Network Security Protocols as They Transition to New Atmospheres: A New Paradigm in Network Protocol Analysis
Talkington, Gregory Joshua, 12 1900
The solutions presented in this dissertation describe a new paradigm in which we shepherd these network security protocols through atmosphere transitions, offering new ways to analyze and monitor the state of the protocol. The approach involves identifying a protocol's transitional weaknesses through adaption of formal models, measuring the weakness as it exists in the wild by statically analyzing applications, and showing how to use network traffic analysis to monitor protocol implementations going into the future. Throughout the effort, we follow the popular Open Authorization protocol in its attempts to apply its web-based roots to a mobile atmosphere. To pinpoint protocol deficiencies, we first adapt a well-regarded formal analysis and show it insufficient in the characterization of mobile applications, tying its transitional weaknesses to implementation issues and delivering a reanalysis of the proof. We then measure the prevalence of this weakness by statically analyzing over 11,000 Android applications. While looking through source code, we develop new methods to find sensitive protocol information, overcome hurdles like obfuscation, and provide interfaces for later modeling, all while achieving a false positive rate of below 10 percent. We then use network analysis to detect and verify application implementations. By collecting network traffic from Android applications that use OAuth, we produce a set of metrics that, when fed into machine learning classifiers, can identify if the OAuth implementation is correct. The challenges include encrypted network communication, heterogeneous device types, and the labeling of training data.
|
73 |
Evaluation of Single Sign-On Frameworks, as a Flexible Authorization Solution : OAuth 2.0 Authorization Framework / Esnek Yetkilendirme Çözümü Olarak, Tek Oturum Açma Çerçevelerinin Değerlendirilmesi : OAuth 2.0 Yetkilendirme Çerçevesi
Odyurt, Uraz, January 2014
This work introduces the available authorization frameworks for the purpose of Single Sign-On functionality within an enterprise, along with the fundamental technicalities. The focus of the work is on SAML 2.0 and OAuth 2.0 frameworks. Following the details related to available protocol flows, supported client profiles and security considerations, the two frameworks are compared in accordance with a set of factors given in a criteria. The report discusses the possibilities provided by a Microsoft Windows based infrastructure, as well as different scenarios and their feasibility in an enterprise environment. The preferred framework, OAuth 2.0, is selected according to the given criteria and the comparative discussions.
|
74 |
WTO爭端解決機制下貿易制裁手段缺失及改革方案之探討 / The Study of the Problems and Reform Proposals of Trade Sanctions Authorized by WTO Dispute Settlement Mechanism
王韋傑, Wang Wei-chieh, Unknown Date
Abstract
The authorization of trade sanction, which secures the objectives of the World Trade Organization (hereinafter the “WTO”) to be achieved, plays a very important role in WTO dispute settlement mechanism. However, since the establishment of the WTO, the DSB authorization of trade sanctions in some cases has revealed some problems. In some instances, the exercise of the trade sanctions triggers counter-measures of the respondent member, while in others, the complaint member also suffers for the trade sanction it imposes as authorized. In response to the aforementioned problems, commentators as well as WTO members have proposed some ideas of reform.
The reform proposals include replacing the WTO trade sanctions with alternative measures. Nevertheless, after careful analyses of these proposals for alternatives, it is found in this thesis that the replacement of the WTO trade sanctions cannot resolve the aforementioned problems, in the sense that those alternatives suggested are not feasible or lack ways to enforce them.
In light of the fact that currently no feasible alternative can have the function that trade sanction has in assuring the compliance of the WTO rules, this thesis argues that it needs to be preserved. Besides, this thesis believes that it does not cause any conflict in the current WTO legal framework. To preserve it under the WTO framework, the abuse can be avoided through the surveillance of the DSB. Moreover, the built-in review mechanism, which will continue to reform trade sanction measures, can minimize their negative effects.
|
75 |
Problematika staveb na cizích pozemcích / The issue of constructions on the land of another
Novotná, Veronika, January 2012
This diploma thesis deals with the issue of constructions on the land of another. First, the thesis focuses on the definition of basic terms, i.e. the construction and the building plot. The following text is concerned with permission to build. Attention is focused on three types of titles of use: lease, easement and, of peripheral importance, loan of land, which is not given a full explanation but is covered only for issues related to the topic of the work. Linked to the previous issues are two institutes dealt with in the third and fourth chapters: authorized and unauthorized construction. Authorized construction is a current problem in the future, and the lack of explicit rules is therefore very noticeable and must be compensated for by the general rules of unjust enrichment. The chapter on unauthorized construction is divided into sections according to the character of each "type", i.e. whether the construction is a movable thing or realty and whether the authorization for construction was lacking from the outset or dropped out after the construction was built. Last but not least, the work deals with public-law issues and also the role of public law in the formation of conditions for the rise of construction - in the chapter devoted to building plot, and also issues permission to build as a public-law act, which makes possible to...
|
76 |
Selective disclosure and inference leakage problem in the Linked Data / Exposition sélective et problème de fuite d’inférence dans le Linked Data
Sayah, Tarek, 08 September 2016
The emergence of the Semantic Web has led to a rapid adoption of the RDF (Resource Description Framework) to describe the data and the links between them. The RDF graph model is tailored for the representation of semantic relations between Web objects that are identified by IRIs (Internationalized Resource Identifier). The applications that publish and exchange potentially sensitive RDF data are increasing in many areas: bioinformatics, e-government, open data movement. The problem of controlling access to RDF content and selective exposure to information based on privileges of the requester becomes increasingly important. Our main objective is to encourage businesses and organizations worldwide to publish their RDF data into the linked data global space. Indeed, the published data may be sensitive, and consequently, data providers may avoid releasing their information, unless they are certain that the desired access rights of different accessing entities to their data are enforced properly.
Hence the issue of securing RDF content and ensuring the selective disclosure of information to different classes of users is becoming all the more important. In this thesis, we focused on the design of a relevant access control for RDF data. The problem of providing access controls to RDF data has attracted considerable attention of both the security and the database community in recent years. New issues are raised by the introduction of the deduction mechanisms for RDF data (e.g., RDF/S, OWL), including the inference leakage problem. Indeed, when an owner wishes to prohibit access to information, she/he must also ensure that the information supposed secret can’t be inferred through inference mechanisms on RDF data. In this PhD thesis we propose a fine-grained access control model for RDF data. We illustrate the expressiveness of the access control model with several conflict resolution strategies including most specific takes precedence. To tackle the inference leakage problem, we propose a static verification algorithm and show that it is possible to check in advance whether such a problem will arise. Moreover, we show how to use the answer of the algorithm for diagnosis purposes. To handle the subjects' privileges, we define the syntax and semantics of a XACML inspired language based on the subjects' attributes to allow much finer access control policies. Finally, we propose a data-annotation approach to enforce our access control model, and show that our solution incurs reasonable overhead with respect to the optimal solution which consists in materializing the user's accessible subgraph.
|
77 |
Modelo de autenticação e autorização baseado em certificados de atributos para controle de acesso de aplicações em ambiente distribuído utilizando redes de petri coloridas / Model of authentication and authorization based on certificates of attributes for control of access of applications in distributed environment using coloured petri nets
Melissa Vieira Fernandes Villar, 06 August 2007
Due to increasing threats inherent to the information systems, the use of authentication and authorization mechanisms based on login and password is not enough to assure the information security. This work proposes a new model of authentication and authorization for distributed applications, based on hash and attributes certificates. Hash is used in the application authentication process, while certificates of attributes specify privileges and other authorization information. Its use is managed by the privilege management infrastructure (PMI). In this work, we describe the architecture and the functioning of the model, as well as the processes of the attributes certificates generation, authentication and authorization of the application. The proposed model was specified in Coloured Petri Nets and validated by simulation.
|
78 |
Gesällbrevet hänger på håret : Sex gymnasieelevers uppfattningar om gesällbrevet på frisörprogrammet / The apprentice letter : Six upper secondary students understanding of the apprentice letter in the hairdresser program
Abrahamsson, Agneta, January 2009
The purpose with this lucubration is to investigate hairstylist students' apprehension about the apprentice diploma. The apprentice diploma is an occupation verification indicating the hairstylist’s knowledge and competence, and it is the only verification in the business that you can use in order to measure the students' knowledge. Three students out of thirty, in year 2009, chose to graduate with an apprentice diploma. Based on these figures I am to investigate six graduating students' opinions using qualitative interviews. Another quest is to inform and gain interest about the apprentice diploma. The result demonstrates what earlier research already shows, amongst other things, that the students no longer have the practical knowledge needed in order to come to a worksite and therefore find it difficult to work as an apprentice. The business expects the students to be self-driven and dissatisfaction from the school and the business increases. Is the occupation as a hairstylist about to lose its profession or are you allowed to call yourself a professional without a proper diploma?
|
79 |
Sino-EU Trade Relations and the Environment: The Influence of the European Union's Environmental Directives on China
Ibitz, Armin, 26 July 2011
Volumes of trade between the European Union and China have increased tremendously over the last decades, with the EU becoming China's largest trading partner. Among the academic world there are serious concerns about the impacts of trade on national environmental regulation setting. There is fear that international trade will not only put advanced nations under strong competitive pressure to lower their environmental standards in order to stay competitive (race to the bottom) but also provide developing nations no incentives to strengthen their environmental protection measures as this would carry costs and reduce their global competitiveness (stuck at the bottom). In contrast to that belief, some scholars, such as David Vogel, argue that engaging in international trade can, under certain assumptions, result in tighter national regulation setting among trading partners (trading-up).
This study sets out to analyze the linkage of trade and environmental standards between two major trading powers: the EU and China. China's integration with the world economy has spurred concerns among environmentalists as it was feared that the country's national environmental regulatory system will be kept at low levels due to competitiveness considerations. However, in China, the opposite can be observed. The EU has adopted strict environmental directives in several areas, and China has upgraded its environmental regulatory system. This study aims to find answers to the question if in the case of trade between the EU and China a situation of trading-up can be identified. In order to bring in domestic as well as international developments, the study applies a two-level games approach. The research is based on recent environmental directives that have been adopted by the EU. A selection of three directives forms the basis of the case studies: the Restriction of Hazardous Substances (RoHS), car emissions standards, and the Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH). The study provides insights into how China is affected by these external regulations, how it responded to them and how it tries to utilize them to boost its economic development and enhance the quality of its environment.
As the study reveals, European environmental directives have positive impacts on China's national environmental regulatory setting processes, since the EU regulations not only raise the awareness of the issue among China's policy makers and public interest groups but they also called for responses from affected domestic constituents. The external regulations raised the stakes of numerous domestic actors which then had to decide how to react adequately. All in all, the study concludes that EU environmental directives have worked in favor of stricter regulation setting in China.
|