Spelling suggestions: "subject:"role based access control"" "subject:"hole based access control""
11 |
Μηχανισμός πρόσβασης για υπηρεσίες ιστού (web services) για βιομηχανικές εφαρμογέςΚατσαρού, Κατερίνα 22 January 2009 (has links)
Η διπλωματική εργασία ασχολείται με την ανάγκη για έναν προηγμένο μηχανισμό ασφάλειας που θα παρέχει προστασία πληροφοριών από τους μη εξουσιοδοτημένους χρήστες.
Τα περισσότερα συστήματα σε εταιρικό και βιομηχανικό επίπεδο χρησιμοποιούν την απλή εξουσιοδότηση (simple authorization) ή all-or-nothing όπου έχουμε παραχώρηση πρόσβασης στους πόρους του συστήματος εάν ο χρήστης είναι εξουσιοδοτημένος ή εάν δεν είναι άρνηση πρόβλεψης χωρίς να έχει προβλεφθεί κάποια ενδιάμεση λύση. Στην περίπτωση του ελέγχου πρόσβασης για υπηρεσίες Ιστού (web services) –που είναι εφαρμογές που παρέχονται μέσω Διαδικτύου όπως φαίνεται και από το όνομά τους- δεν είναι ικανοποιητική η παραχώρηση πρόσβασης σε ολόκληρη την υπηρεσία Ιστού δηλαδή η πρόσβαση στο υψηλότερο επίπεδο (coarse-grained access control) αλλά απαιτείται και η πρόσβαση σε κάποια ή κάποιες από τις μεθόδους την υπηρεσίας Ιστού δηλαδή η διαβαθμισμένη πρόσβαση (fine-grained access control).
Η πολιτική ελέγχου πρόσβασης που χρησιμοποιήσαμε είναι ο έλεγχος πρόσβασης βασισμένος σε ρόλους (Role-based Access Control) όπου οι χρήστες αποκτούν πρόσβαση στους προστατευόμενους πόρους (μια ολόκληρη υπηρεσία Ιστού ή μέθοδο) συνδεόμενοι με ρόλους με τις κατάλληλες άδειες πρόσβασης δηλαδή μόνο εξουσιοδοτημένοι χρήστες έχουν πρόσβαση στους προστατευόμενους πόρους.
Τέλος υποθέσαμε μία βιομηχανική υποδομή που παρέχει σε πελάτες πρόσβαση μέσω ενός OPC XML-DA server όπου το OPC είναι ένα σύνολο από ανοικτά πρότυπα που παρέχουν δια-λειτουργικότητα (interoperability) και συνδεσιμότητα (connectivity) μεταξύ βιομηχανικού αυτοματισμού και επιχειρησιακών συστημάτων. / -
|
12 |
Algorithmic Problems in Access ControlMousavi, Nima 29 July 2014 (has links)
Access control is used to provide regulated access
to resources by principals. It is an important and foundational
aspect of information security. Role-Based Access Control (RBAC) is
a popular and widely-used access control model,
that, as prior work argues,
is ideally suited for enterprise settings. In this dissertation,
we address two problems in the context of RBAC.
One is the User Authorization Query (UAQ) problem, which relates
to sessions that a user creates to exercise permissions.
UAQ's objective is the identification of a
set of roles that a user needs to activate such that the session is
authorized to all permissions that the user wants to exercise in
that session. The roles that are activated must respect
a set of Separation of Duty constraints. Such constraints restrict the
roles that can be activated together in a session.
UAQ is known to be intractable (NP-hard).
In this dissertation, we give a precise formulation of UAQ as a
joint-optimization problem, and analyze it.
We examine the manner in which each input parameter contributes to its
intractability.
We then propose an approach to mitigate its intractability based on
our observation that a corresponding decision version of the problem
is in NP. We efficiently
reduce UAQ to Boolean satisfiability in conjunctive normal form
(CNF-SAT), a well-known
NP-complete problem for which solvers exist that are efficient for large
classes of instances. We also present results for UAQ posed
as an approximation problem; our results
suggest that efficient approximation is not promising for UAQ.
We discuss an open-source implementation of our approach and a
corresponding empirical assessment that we have conducted.
The other problem we consider in this dissertation regards
an efficient data structure for distributed
access enforcement. Access enforcement is the process of validating an access
request to a resource.
Distributed access enforcement has become important
with the proliferation of data, which requires access control systems
to scale to tens of thousands of resources and permissions.
Prior work has shown the effectiveness of a data structure called
the Cascade Bloom Filter (CBF) for this problem.
In this dissertation, we study the construction of instances
of the CBF.
We formulate the problem of finding an optimal instance of a
CBF, where optimality refers to the number of false positives
incurred and the number
of hash functions used. We prove that this problem
is NP-hard, and a meaningful decision version is in NP.
We then propose an approach to mitigate the intractability of
the problem by reducing it to
CNF-SAT, that allows us to use a SAT solver for instances that
arise in practice.
We discuss an open-source implementation of our approach
and an empirical assessment based on it.
|
13 |
Análise de políticas de controle de acesso baseado em papéis com rede de Petri colorida. / Policies analysis of role based access control with colored Petri net.Ueda, Eduardo Takeo 24 May 2012 (has links)
Controle de acesso é um tópico de pesquisa importante tanto para a academia quanto para a indústria. Controle de Acesso Baseado em Papéis (CABP) foi desenvolvido no início dos anos 1990, tornando-se um padrão generalizado para controle de acesso em vários produtos e soluções computacionais. Embora modelos CABP sejam largamente aceitos e adotados, ainda existem questões para responder. Um dos principais desafios de pesquisa em segurança baseada em papéis é determinar se uma política de controle de acesso é consistente em um ambiente altamente dinâmico. Nossa pesquisa visa preencher essa lacuna fornecendo um método para analisar políticas CABP com respeito a dois aspectos significativos: segurança e dinamismo envolvendo papéis e objetos. Para este propósito, desenvolvemos um modelo de descrição e simulação de política usando rede de Petri colorida e CPN Tools. O modelo descreve e é capaz de simular vários estados CABP em um contexto de educação a distância típico. Usando este modelo, foi possível analisar o espaço de estados produzido pela rede de Petri colorida em um cenário dinâmico envolvendo a criação de novos papéis e objetos. O resultado da análise de alcançabilidade da rede de Petri da política demonstrou que é possível verificar a consistência de políticas de controle de acesso considerando a dinamicidade de papéis e objetos, e apontou vantagens de aplicabilidade da modelagem de políticas de segurança em ambientes distribuídos utilizando rede de Petri colorida. / Access control is an important research topic both for academia and industry. Role Based Access Control (RBAC) was developed in the early 1990s, becoming a generalized standard of access control for many products and computing solutions. Although RBAC models have been widely accepted and adopted, there are issues to answer. One of the key challenges for role-based security research is to characterize whether an access control policy is consistent in a highly dynamic environment. Our research aims filling this gap providing a method to analyze RBAC policies with respect to two significant aspects: security and dynamics involving roles and objects. For this purpose, we developed a policy description and simulation model using colored Petri net and the CPN Tools. The model describes and is capable to simulate many RBAC states in a typical distance education context. Using this model it was possible to analyze the state space provided by colored Petri net that simulates a dynamic environment and the creation of new roles and objects. The result of the reachability analysis of Petri net policy showed that it is possible to check the consistency of access control policies considering dynamic of roles and objects, and point out the advantages and applicability of modeling security policies in distributed environments using colored Petri net.
|
14 |
Análise de políticas de controle de acesso baseado em papéis com rede de Petri colorida. / Policies analysis of role based access control with colored Petri net.Eduardo Takeo Ueda 24 May 2012 (has links)
Controle de acesso é um tópico de pesquisa importante tanto para a academia quanto para a indústria. Controle de Acesso Baseado em Papéis (CABP) foi desenvolvido no início dos anos 1990, tornando-se um padrão generalizado para controle de acesso em vários produtos e soluções computacionais. Embora modelos CABP sejam largamente aceitos e adotados, ainda existem questões para responder. Um dos principais desafios de pesquisa em segurança baseada em papéis é determinar se uma política de controle de acesso é consistente em um ambiente altamente dinâmico. Nossa pesquisa visa preencher essa lacuna fornecendo um método para analisar políticas CABP com respeito a dois aspectos significativos: segurança e dinamismo envolvendo papéis e objetos. Para este propósito, desenvolvemos um modelo de descrição e simulação de política usando rede de Petri colorida e CPN Tools. O modelo descreve e é capaz de simular vários estados CABP em um contexto de educação a distância típico. Usando este modelo, foi possível analisar o espaço de estados produzido pela rede de Petri colorida em um cenário dinâmico envolvendo a criação de novos papéis e objetos. O resultado da análise de alcançabilidade da rede de Petri da política demonstrou que é possível verificar a consistência de políticas de controle de acesso considerando a dinamicidade de papéis e objetos, e apontou vantagens de aplicabilidade da modelagem de políticas de segurança em ambientes distribuídos utilizando rede de Petri colorida. / Access control is an important research topic both for academia and industry. Role Based Access Control (RBAC) was developed in the early 1990s, becoming a generalized standard of access control for many products and computing solutions. Although RBAC models have been widely accepted and adopted, there are issues to answer. One of the key challenges for role-based security research is to characterize whether an access control policy is consistent in a highly dynamic environment. Our research aims filling this gap providing a method to analyze RBAC policies with respect to two significant aspects: security and dynamics involving roles and objects. For this purpose, we developed a policy description and simulation model using colored Petri net and the CPN Tools. The model describes and is capable to simulate many RBAC states in a typical distance education context. Using this model it was possible to analyze the state space provided by colored Petri net that simulates a dynamic environment and the creation of new roles and objects. The result of the reachability analysis of Petri net policy showed that it is possible to check the consistency of access control policies considering dynamic of roles and objects, and point out the advantages and applicability of modeling security policies in distributed environments using colored Petri net.
|
15 |
A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its ValidationKomlenovic, Marko 14 January 2011 (has links)
We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.
|
16 |
A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its ValidationKomlenovic, Marko 14 January 2011 (has links)
We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.
|
17 |
Automated Testing for RBAC PoliciesJanuary 2014 (has links)
abstract: Access control is necessary for information assurance in many of today's applications such as banking and electronic health record. Access control breaches are critical security problems that can result from unintended and improper implementation of security policies. Security testing can help identify security vulnerabilities early and avoid unexpected expensive cost in handling breaches for security architects and security engineers. The process of security testing which involves creating tests that effectively examine vulnerabilities is a challenging task. Role-Based Access Control (RBAC) has been widely adopted to support fine-grained access control. However, in practice, due to its complexity including role management, role hierarchy with hundreds of roles, and their associated privileges and users, systematically testing RBAC systems is crucial to ensure the security in various domains ranging from cyber-infrastructure to mission-critical applications. In this thesis, we introduce i) a security testing technique for RBAC systems considering the principle of maximum privileges, the structure of the role hierarchy, and a new security test coverage criterion; ii) a MTBDD (Multi-Terminal Binary Decision Diagram) based representation of RBAC security policy including RHMTBDD (Role Hierarchy MTBDD) to efficiently generate effective positive and negative security test cases; and iii) a security testing framework which takes an XACML-based RBAC security policy as an input, parses it into a RHMTBDD representation and then generates positive and negative test cases. We also demonstrate the efficacy of our approach through case studies. / Dissertation/Thesis / M.S. Computer Science 2014
|
18 |
Refined Access Control in a Distributed Environment / Finkornig åtkomstkontroll i en distribuerad miljöBoström, Erik January 2002 (has links)
In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.
|
19 |
Securing Multiprocessor Systems-on-ChipBiswas, Arnab Kumar 16 August 2016 (has links) (PDF)
MHRD PhD scholarship / With Multiprocessor Systems-on-Chips (MPSoCs) pervading our lives, security issues are emerging as a serious problem and attacks against these systems are becoming more critical and sophisticated. We have designed and implemented different hardware based solutions to ensure security of an MPSoC. Security assisting modules can be implemented at different abstraction
levels of an MPSoC design. We propose solutions both at circuit level and system level of abstractions. At the VLSI circuit level abstraction, we consider the problem of presence of noise voltage in input signal coming from outside world. This noise voltage disturbs the normal circuit operation inside a chip causing false logic reception. If the disturbance is caused
intentionally the security of a chip may be compromised causing glitch/transient attack. We propose an input receiver with hysteresis characteristic that can work at voltage levels between 0.9V and 5V. The circuit can protect the MPSoC from glitch/transient attack. At the system level, we propose solutions targeting Network-on-Chip (NoC) as the on-chip communication medium. We survey the possible attack scenarios on present-day MPSoCs and investigate a new attack scenario, i.e., router attack targeted toward NoC enabled MPSoC. We propose different monitoring-based countermeasures against routing table-based router attack in an MPSoC having multiple Trusted Execution Environments (TEEs). Software attacks, the most common type of attacks, mainly exploit vulnerabilities like buffer overflow. This is possible if proper access control to memory is absent in the system. We propose four hardware based mechanisms to implement Role Based Access Control (RBAC) model in NoC based MPSoC.
|
20 |
Prevention of Privilege Abuse on NoSQL Databases : Analysis on MongoDB access control / Förebyggande av Privilegier Missbruk på NoSQL-databaser : Analys på MongoDB-åtkomstkontrollIshak, Marwah January 2021 (has links)
Database security is vital to retain confidentiality and integrity of data as well as prevent security threats such as privilege abuse. The most common form of privilege abuse is excessive privilege abuse, which entails assigning users with excessive privileges beyond their job function, which can be abused deliberately or inadvertently. The thesis’s objective is to determine how to prevent privilege abuse in the NoSQL database MongoDB. Prior studies have noted the importance of access control to secure databases from privilege abuse. Access control is essential to manage and protect the accessibility of the data stored and restrict unauthorised access. Therefore, the study analyses MongoDB’s embedded access control through experimental testing to test various built-in and advanced privileges roles in preventing privilege abuse. The results indicate that privilege abuse can be prevented if users are granted roles composed of the least privileges. Additionally, the results indicate that assigning users with excessive privileges exposes the system to privilege abuse. The study also underlines that an inaccurate allocation of privileges or permissions to users of databases may have profound consequences for the system and organisation, such as data breach and data manipulation. Hence, organisations that utilise information technology should be obliged to protect their interests and databases from others and their members through access control policies. / Datasäkerhet är avgörande för att bevara datats konfidentialitet och integritet samt för att förhindra säkerhetshot som missbruk av privilegier. Missbruk av överflödig privilegier, är den vanligaste formen av privilegier missbruk. Detta innebär att en användare tilldelas obegränsad behörighet utöver det som behövs för deras arbete, vilket kan missbrukas medvetet eller av misstag. Examensarbetets mål är att avgöra hur man kan förhindra missbruk av privilegier i NoSQL-databasen MongoDB. Tidigare studier har noterat vikten av åtkomstkontroll för att säkra databaser från missbruk av privilegier. Åtkomstkontroll är viktigt för att hantera och skydda åtkomlighet för de lagrade data samt begränsa obegränsad åtkomst. Därför analyserar arbetet MongoDBs inbäddade åtkomstkontroll genom experimentell testning för att testa olika inbyggda och avancerade priviligierade roller för att förhindra missbruk av privilegier. Resultaten indikerar att missbruk av privilegier kan förhindras om användare får roller som har färre privilegier. Dessutom visar resultaten att tilldelning av användare med obegränsade privilegier utsätter systemet för missbruk av privilegier. Studien understryker också att en felaktig tilldelning av privilegier eller behörigheter för databasanvändare kan få allvarliga konsekvenser för systemet och organisationen, såsom dataintrång och datamanipulation. Därför bör organisationer som använder informationsteknologi ha som plikt att skydda sina tillgångar och databaser från obehöriga men även företagets medarbetare som inte är beroende av datat genom policys för åtkomstkontroll.
|
Page generated in 0.1206 seconds