11
Prieigos prie bevielio tinklo resursų valdymas panaudojant vietos informaciją / Wireless LAN location-based access control
Petrauskienė, Rasa (01 September 2011)
Location-based Access Control (LBAC) techniques allow taking users' physical location into account when determining their access privileges. An analysis of the possibilities of integrating location information into access control and authentication is provided. I show the advantages of using location information for authentication and access control. I present a location-based access control model that can increase the probability of correct authentication. I design a wireless LAN location-based access control system that is used in a building of several floors. The model is compliant with OGC (Open GeoSpatial Consortium) and Geo-RBAC (an extension of the RBAC model); it integrates other types of location-based features. I describe the periodicity algorithm of location-based access control and design the policy enforcement algorithm that uses location mapping functions and the evaluation of confidence. The model is evaluated by testing the speed of the system and the computer resources used by the system. The vulnerabilities of location-based access control are discussed in the context of sniffing, hijacking, DoS and wormhole attacks.

12
A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its Validation
Komlenovic, Marko (14 January 2011)
We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.

13
Vers un cloud de confiance : modèles et algorithmes pour une provenance basée sur les contrôles d'accès / Towards a trusted Cloud: models and algorithms for a provenance based on access controls
Lacroix, Julien (07 December 2015)
This document is the culmination of three years of thesis work. Having introduced and cleared the general issue related to my thesis subject, i.e. "how to use provenance data to enforce trust in the Cloud?", I present a description of the concepts, models and languages related to my thesis and the state of the art that can partially address this issue. Secondly, I present the solution based on provenance that I bring to access controls, in distributed systems such as the Cloud: PBAC². It is based on a system combining both provenance models (PROV-DM) and access controls (generic rules of RBAC type with regimentation and regulation policies). This system uses a central execution engine denoted the mediator to enforce security and foster trust in the Cloud, via rule checking over a part of the retrospective provenance graph it received. Furthermore, I describe the study I made of three PBAC² extensions: (1) the integration of the PROV-O ontology and its pros and cons regarding the size of the (sub)graph received by the mediator; (2) the construction of the PBAC² adaptation with the regulation security approach; (3) the translation of PBAC² rules into PROV-CONSTRAINTS constraints. Moreover, PBAC² is applied to a realistic example that belongs to the healthcare sector. A PBAC² prototype and a demonstration on some practical examples with a local machine and a real Cloud system illustrate the scope of this work. In conclusion of the thesis, I propose four perspectives of this work.

14
Evaluating finite state machine based testing methods on RBAC systems / Avaliação de métodos de teste baseado em máquinas de estados finitos em sistemas RBAC
Carlos Diego Nascimento Damasceno (09 May 2016)
Access Control (AC) is a major pillar in software security. In short, AC ensures that only intended users can access resources and only the required access to accomplish some task will be given. In this context, Role Based Access Control (RBAC) has been established as one of the most important paradigms of access control. In an organization, users receive responsibilities and privileges through roles and, in AC systems implementing RBAC, permissions are granted through roles assigned to users. Despite the apparent simplicity, mistakes can occur during the development of RBAC systems and lead to faults or even security breaches. Therefore, a careful verification and validation process becomes necessary. Access control testing aims at showing divergences between the actual and the intended behavior of access control mechanisms. Model Based Testing (MBT) is a variant of testing that relies on explicit models, such as Finite State Machines (FSM), for automating test generation. MBT has been successfully used for testing functional requirements; however, investigations on testing non-functional requirements, such as access control, are still lacking, especially on test criteria. In this Master Dissertation, two aspects of MBT of RBAC were investigated: FSM-based testing methods on RBAC; and test prioritization in the domain of RBAC. At first, one recent (SPY) and two traditional (W and HSI) FSM-based testing methods were compared on RBAC policies specified as FSM models. The characteristics (number of resets, average test case length and test suite length) and the effectiveness of test suites generated from the W, HSI and SPY methods for five different RBAC policies were analyzed in an experiment. Later, three test prioritization methods were compared using the test suites generated in the previous investigation. A prioritization criterion based on RBAC similarity was introduced and compared to random prioritization and simple similarity. The obtained results pointed out that the SPY method outperformed the W and HSI methods in the RBAC domain. The RBAC similarity also achieved an Average Percentage Faults Detected (APFD) higher than the other approaches.

15
Gestion de l'incertitude et codage des politiques de sécurité dans les systèmes de contrôle d'accès / Managing uncertainty and encoding security policies in access control systems
Bouriche, Khalid (16 February 2013)
This thesis focuses on encoding default-based SELinux security policy in OrBAC and proposes an extension of this model. We presented the state of the art of different models of access controls present in the literature, underlining the limitations of each of these models. Then we presented the OrBAC model as an extension of the RBAC model, firstly because it brought the notion of context and organization and secondly because it allows expressing, in addition to permissions, prohibitions and obligations. Then we presented the SELinux security solution that uses a set of access control models such as DAC, RBAC and MAC. We identified several hundreds or even thousands of rules in the SELinux security policy; these rules may be access decisions or transition decisions. We could then encode these rules in the OrBAC model, by filling its entity tables and then transforming them into OrBAC relations. Our thesis also reviewed the foundations of possibilistic logic, and then made an important improvement to the OrBAC model: the introduction of an entity called "priority" in each relation of the OrBAC model. The "priority" entity quantifies the certainty that a concrete entity is injected into the corresponding abstract entity or, in general, the degree of certainty that a relation is realized. We proposed three modes of combination (pessimistic, optimistic and advanced) that can be adopted to determine the priority value of each concrete relation from the priority values of the corresponding abstract relations. Finally, we implemented, via an application developed by DELPHI, the encoding of the access decision rules of the SELinux policy in the OrBAC model, introducing the priority entity.

16
Role based access control in a telecommunications operations and maintenance network / Rollbaserad behörighetskontroll i ett drift- och underhållssystem för telekommunikation
Gunnarsson, Peter (January 2005)
Ericsson develops and builds mobile telecommunication networks. These networks consist of a large amount of equipment. Each telecommunication company has a staff of administrators appointed to manage respective networks. In this thesis, we investigate the requirements for an access control model to manage the large number of permissions and equipment in telecommunication networks. Moreover, we show that the existing models do not satisfy the identified requirements. Therefore, we propose a novel RBAC model which is adapted for these conditions. We also investigate some of the most commonly used commercial tools for administrating RBAC, and evaluate their effectiveness in coping with our new proposed model. However, we find the existing tools limited, and thereby design and partly implement an RBAC managing system which is better suited to the requirements posed by our new model.

17
Access management in electronic commerce system
Wang, Hua (January 2004)
The definition of Electronic commerce is the use of electronic transmission mediums to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location. Electronic commerce systems, including mobile e-commerce, have been widely used since 1990. The number of world-wide Internet users tripled between 1993 and 1995 to 60 million, and by 2000 there were 250 million users. More than one hundred countries have Internet access. Electronic commerce, especially mobile e-commerce systems, allow their users to access a large set of traditional (for example, voice communications) and contemporary (for example, e-shop) services without being tethered to one particular physical location. With the increasing use of electronic service systems for security-sensitive applications (for example, e-shop) that can be expected in the future, the provision of secure services becomes more important. The dynamic mobile environment is incompatible with static security services. Electronic service access across multiple service domains, and the traditional access mechanisms rely on cross-domain authentication using roaming agreements starting home location. Cross-domain authentication involves many complicated authentication activities when the roam path is long. This limits future electronic commerce applications. Normally, there are three participants in an electronic service. These are users, service providers, and services. Some services bind users and service providers as well as services such as flight services; other services do not bind any participants, for instance by using cash in shopping services, everyone can use cash to buy anything in shops. Hence, depending on which parts are bound, there are different kinds of electronic services. However, there is no scheme to provide a solution for all kinds of electronic services.
Users have to change service systems if they want to apply different kinds of electronic services on the Internet. From the consumer's point of view, users often prefer to have a total solution for all kinds of service problems, some degree of anonymity with no unnecessary cross authentications and a clear statement of account when shopping over the Internet. There are some suggested solutions for electronic service systems, but the solutions are neither total solutions for all kinds of services nor do they have some degree of anonymity with a clear statement of account. In our work, we build a bridge between existing technologies and electronic service theory such as e-payment, security and so on. We aim to provide a foundation for the improvement of technology to aid electronic service application. As validation, several technologies for electronic service system design have been enhanced and improved in this project. To fix the problems mentioned above, we extend our idea to a ticket based access service system. The user in the above electronic service system has to pay when s/he obtains service. S/He can pay by traditional cash (physical cash), check, credit or electronic cash. The best way to pay money for goods or services on the Internet is using electronic cash. Consumers, when shopping over the Internet, often prefer to have a high level of anonymity with important things and a low level with general ones. The ideal system needs to provide some degree of anonymity for consumers so that they cannot be traced by banks. There are a number of proposals for electronic cash systems. All of them are either too large to manage or lack flexibility in providing anonymity. Therefore, they are not suitable solutions for electronic payment in the future. We propose a secure, scalable anonymity and practical payment protocol for Internet purchases. The protocol uses electronic cash for payment transactions.
In this new protocol, from the viewpoint of banks, consumers can improve anonymity if they are worried about disclosure of their identities. An agent, namely the anonymity provider agent, provides a higher anonymous certificate and improves the security of the consumers. The agent will certify re-encrypted data after verifying the validity of the content from consumers, but with no private information of the consumers required. With this new method, each consumer can get the required anonymity level. Electronic service systems involve various subsystems such as service systems, payment systems, and management systems. Users and service providers are widely distributed and use heterogeneous catalog systems. They are rapidly increasing in dynamic environments. The management of these service systems will be very complex. Whether systems are successful or not depends on the quality of their management. To simplify the management of e-commerce systems [Sandhu97], we discuss role based access control management. We define roles and permissions in the subsystems. For example, there are roles TELLER, AUDITOR, MANAGER and permissions teller (account operation), audit operation, managerial decision in a bank system. Permissions are assigned to roles such as permission teller is assigned to role TELLER. People (users) employed in the bank are granted roles to perform associated duties. However, there are conflicts between various roles as well as between various permissions. These conflicts may cause serious security problems with the bank system. For instance, if permissions teller and audit operation are assigned to a role, then a person with this role will have too much privilege to break the security of the bank system. Therefore, the organizing of relationships between users and roles, roles and permissions currently requires further development. Role based access control (RBAC) has been widely used in database management and operating systems.
In 1993, the National Institute of Standards and Technology (NIST) developed prototype implementations, sponsored external research, and published formal RBAC models. Since then, many RBAC practical applications have been implemented, because RBAC has many advantages such as reducing administration cost and complexity. However, there are some problems which may arise in RBAC management. One is related to the authorization granting process. For example, when a role is granted to a user, this role may conflict with other roles of the user or together with this role; the user may have or derive a high level of authority. Another is related to authorization revocation. For instance, when a role is revoked from a user, the user may still have the role. To solve these problems, we present an authorization granting algorithm, and weak revocation and strong revocation algorithms that are based on relational algebra. The algorithms check conflicts and therefore help allocate the roles and permissions without compromising the security in RBAC. We describe the applications of the new algorithms with an anonymity scalable payment scheme. In summary, this thesis has made the following major contributions in electronic service systems:
1. A ticket based global solution for electronic commerce systems. A ticket based solution is designed for different kinds of e-services. Tickets provide a flexible mechanism and users can check charges at any time.
2. Untraceable electronic cash system. An untraceable e-cash system is developed, in which the bank involvement in the payment transaction between a user and a receiver is eliminated. Users remain anonymous, unless she/he spends a coin more than once.
3. A self-scalable anonymity electronic payment system. In this payment system, from the viewpoint of banks, consumers can improve anonymity if they are worried about disclosure of their identities. Each consumer can get the required anonymity level.
4. Using RBAC to manage electronic payment system. The basic structure of RBAC is reviewed. The challenge problems in the management of RBAC with electronic payment systems are analysed and how to use RBAC to manage electronic payment system is proposed.
5. The investigation of recovery algorithms for conflicting problems in user-role assignments and permission-role assignments. Formal authorization allocation algorithms for role-based access control have been developed. The formal approaches are based on relational structure and relational algebra, and are used to check conflicting problems between roles and between permissions.

18
Role-based access control and single sign-on for Web services
Falkcrona, Jerry (January 2008)
Nowadays, the need for sharing information between different systems in a secure manner is common, not only in the corporate world but also in the military world. This information often resides at different locations, creating a distributed system. In order to share information in a secure manner in a distributed system, credentials are often used to attain authorization. This thesis examines how such a distributed system for sharing information can be realized, using the technology readily available today. According to the results of this examination a basic system is implemented, after which the overall security of the system is evaluated. The thesis then presents possible extensions and improvements that can be done in future implementations. The result shows that dynamic roles do not easily integrate with a single sign-on system. Combining the two technologies leads to several synchronization issues, where some are non-trivial to solve.

19
Role based access control in a telecommunications operations and maintenance network / Rollbaserad behörighetskontroll i ett drift- och underhållssystem för telekommunikation
Gunnarsson, Peter (January 2005)
Ericsson develops and builds mobile telecommunication networks. These networks consist of a large amount of equipment. Each telecommunication company has a staff of administrators appointed to manage respective networks. In this thesis, we investigate the requirements for an access control model to manage the large number of permissions and equipment in telecommunication networks. Moreover, we show that the existing models do not satisfy the identified requirements. Therefore, we propose a novel RBAC model which is adapted for these conditions. We also investigate some of the most commonly used commercial tools for administrating RBAC, and evaluate their effectiveness in coping with our new proposed model. However, we find the existing tools limited, and thereby design and partly implement an RBAC managing system which is better suited to the requirements posed by our new model.

20
Rollbaserad åtkomstkontroll med geografisk avgränsning: En systematisk litteraturgenomgång av det befintliga kunskapstillståndet inom ämnesområdet
Andersson, Jerker (January 2015)
Role-based Access Control is a standardized and well established model in terms of handling access rights. However, the accepted ANSI standard 359-2004 lacks the support of geographically delimiting role authorizations. Information systems handling geographical data together with the increasing use of mobile devices call for a need to discuss such spatial aspects within the context of Role-Based Access Control. This thesis seeks to shed light on the current state of knowledge within the subject area as well as to identify aspects of it that are in need of further development. The theoretical framework conceived by the initial literature review has made the conduct of a systematic literature review possible, and the synthesis and analysis of the data together with the theoretical framework have led to the work's contributions of knowledge: an overview of the subject where the state of the art in the area is presented and a structured list of pressing needs for research and development within the area of study.