A Statistically Rigorous Evaluation of the Cascade Bloom Filter for Distributed Access Enforcement in Role-Based Access Control (RBAC) Systems

Zitouni, Toufik

January 2010

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC’s increasing adoption, and the proliferation of data that needs to be protected. Our particular interest is in the evaluation of a new data structure that has recently been proposed for enforcement: the Cascade Bloom Filter. The Cascade Bloom Filter is an extension of the Bloom filter, and provides for time- and space-efficient encodings of sets. We compare the Cascade Bloom Filter to the Bloom Filter, and another approach called Authorization Recycling that has been proposed for distributed access enforcement in RBAC. One of the challenges we address is the lack of a benchmark: we propose and justify a benchmark for the assessment. Also, we adopt a statistically rigorous approach for empirical assessment from recent work. We present our results for time- and space-efficiency based on our benchmark. We demonstrate that, of the three data structures that we consider, the Cascade Bloom Filter scales the best with the number of RBAC sessions from the standpoints of time- and space-efficiency.

Role Based Access Control

Cascade Bloom Filter

Authorization Recycling

Electrical and Computer Engineering

Access management in electronic commerce system

Wang, Hua

January 2004

The definition of Electronic commerce is the use of electronic transmission mediums to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location. Electronic commerce systems, including mobile e-commerce, are widely used since 1990. The number of world-wide Internet users tripled between 1993 and 1995 to 60 million, and by 2000 there were 250 million users. More than one hundred countries have Internet access. Electronic commerce, especial mobile e-commerce systems, allows their users to access a large set of traditional (for example, voice communications) and contemporary (for example, e-­shop) services without being tethered to one particular physical location. With the increasing use of electronic service systems for security sensitive application (for example, e-shop) that can be expected in the future, the provision of secure services becomes more important. The dynamic mobile environment is incompatible with static security services. Electronic service access across multiple service domains, and the traditional access mechanisms rely on cross-domain authentication using roaming agreements starting home location. Cross-domain authentication involves many complicated authentication activities when the roam path is long. This limits future electronic commerce applications. Normally, there are three participants in an electronic service. These are users, service providers, and services. Some services bind users and service providers as well as services such as flight services; other services do not bind any participants, for instance by using cash in shopping services, everyone can use cash to buy anything in shops. Hence, depending on which parts are bound, there are different kinds of electronic services. However, there is no scheme to provide a solution for all kinds of electronic services. Users have to change service systems if they want to apply different kind of electronic services on the Internet. From the consumer's point of view, users often prefer to have a total solution for all kinds of service problems, some degree of anonymity with no unnecessary cross authentications and a clear statement of account when shopping over the Internet. There are some suggested solutions for electronic service systems, but the solutions are neither total solution for all kinds of services nor have some degree of anonymity with a clear statement of account. In our work, we build a bridge between existing technologies and electronic service theory such as e-payment, security and so on. We aim to provide a foundation for the improvement of technology to aid electronic service application. As validation, several technologies for electronic service system design have been enhanced and improved in this project. To fix the problems mentioned above, we extend our idea to a ticket based access service system. The user in the above electronic service system has to pay when s/he obtains service. S/He can pay by traditional cash (physical cash), check, credit or electronic cash. The best way to pay money for goods or services on the Internet is using electronic cash. Consumers, when shopping over the Internet, often prefer to have a high level of anonymity with important things and a low level with general one. The ideal system needs to provide some degree of anonymity for consumers so that they cannot be traced by banks. There are a number of proposals for electronic cash systems. All of them are either too large to manage or lack flexibility in providing anonymity. Therefore, they are not suitable solutions for electronic payment in the future. We propose a secure, scalable anonymity and practical payment protocol for Internet purchases. The protocol uses electronic cash for payment transactions. In this new protocol, from the viewpoint of banks, consumers can improve anonymity if they are worried about disclosure of their identities. An agent, namely anonymity provider agent provides a higher anonymous certificate and improves the security of the consumers. The agent will certify re-encrypted data after verifying the validity of the content from consumers, but with no private information of the consumers required. With this new method, each consumer can get the required anonymity level. Electronic service systems involve various subsystems such as service systems, payment systems, and management systems. Users and service providers are widely distributed and use heterogeneous catalog systems. They are rapidly increasing in dynamic environments. The management of these service systems will be very complex. Whether systems are successful or not depends on the quality of their management. To simplify the management of e-commerce systems \cite{Sandhu97}, we discuss role based access control management. We define roles and permissions in the subsystems. For example, there are roles TELLER, AUDITOR, MANAGER and permissions teller (account operation), audit operation, managerial decision in a bank system. Permissions are assigned to roles such as permission teller is assigned to role TELLER. People (users) employed in the bank are granted roles to perform associated duties. However, there are conflicts between various roles as well as between various permissions. These conflicts may cause serious security problems with the bank system. For instance, if permissions teller and audit operation are assigned to a role, then a person with this role will have too much privilege to break the security of the bank system. Therefore, the organizing of relationships between users and roles, roles and permissions currently requires further development. Role based access control (RBAC) has been widely used in database management and operating systems. In 1993, the National Institute of Standards and Technology (NIST) developed prototype implementations, sponsored external research, and published formal RBAC models. Since then, many RBAC practical applications have been implemented, because RBAC has many advantages such as reducing administration cost and complexity. However, there are some problems which may arise in RBAC management. One is related to authorization granting process. For example, when a role is granted to a user, this role may conflict with other roles of the user or together with this role; the user may have or derive a high level of authority. Another is related to authorization revocation. For instance, when a role is revoked from a user, the user may still have the role. To solve these problems, we present an authorization granting algorithm, and weak revocation and strong revocation algorithms that are based on relational algebra. The algorithms check conflicts and therefore help allocate the roles and permissions without compromising the security in RBAC. We describe the applications of the new algorithms with an anonymity scalable payment scheme. In summary, this thesis has made the following major contributions in electronic service systems: 1. A ticket based global solution for electronic commerce systems; A ticket based solution is designed for different kinds of e-services. Tickets provide a flexible mechanism and users can check charges at anytime. 2. Untraceable electronic cash system; An untraceable e-cash system is developed, in which the bank involvement in the payment transaction between a user and a receiver is eliminated. Users remain anonymous, unless she/he spends a coin more than once. 3. A self-scalable anonymity electronic payment system; In this payment system, from the viewpoint of banks, consumers can improve anonymity if they are worried about disclosure of their identities. Each consumer can get the required anonymity level. 4. Using RBAC to manage electronic payment system; The basic structure of RBAC is reviewed. The challenge problems in the management of RBAC with electronic payment systems are analysed and how to use RBAC to manage electronic payment system is proposed. 5. The investigation of recovery algorithms for conflicting problems in user-role assignments and permission-role assignments. Formal authorization allocation algorithms for role-based access control have developed. The formal approaches are based on relational structure, and relational algebra and are used to check conflicting problems between roles and between permissions.

electronic commerce

e-commerce

system

e-payment

role based access control (RBAC)

technology

internet

Separation of Duty in Role Based Access

Kugblenu, Francis M., Asim, Memon

January 2007

In today’s business world, many organizations use Information Systems to many their sensitive and business critical information. The need to protect such a key component of the organization cannot be over emphasized. Access control has been found to be one of the effective ways of insuring that only authorized users have access to the information resources to perform their job function. Role Based Access Control has been found to be the access control mechanism that fits naturally with the organizational structure of businesses. Separation of duties is a security principle that has been used extensively to prevent conflict of interest, fraud and error control in organizations. In this thesis, we identify the various forms of separation of duties in role based access control systems. We also do a case study of the role based access control system in the banking application of a financial institution.

Role Based Access Control System

Separation of duty

Case Study.

Computer Sciences

Datavetenskap (datalogi)

Role based access control in a telecommunications operations and maintenance network / Rollbaserad behörighetskontroll i ett drift- och underhållssystem för telekommunikation

Gunnarsson, Peter

January 2005

Ericsson develops and builds mobile telecommunication networks. These networks consists of a large number of equipment. Each telecommunication company has a staff of administrators appointed to manage respective networks. In this thesis, we investigate the requirements for an access control model to manage the large number of permissions and equipment in telecommunication networks. Moreover, we show that the existing models do not satisfy the identified requirements. Therefore, we propose a novel RBAC model which is adapted for these conditions. We also investigate some of the most common used commercial tools for administrating RBAC, and evaluate their effectiveness in coping with our new proposed model. However, we find the existing tools limited, and thereby design and partly implement a RBAC managing system which is better suited to the requirements posed by our new model.

Datalogi

Role Based Access Control

RBAC

security

authorization model

administration tools

Datalogi

Computer Sciences

Datavetenskap (datalogi)

A Role-based intranet : Overcoming information overload?

Lundberg, Anders, Kuu, Teresa

January 2007

No description available.

Role-based intranet

Information overload

Intranet

Information Systems

A Pure Embedding of Roles

Leuthäuser, Max

21 August 2017

Present-day software systems have to fulfill an increasing number of requirements, which makes them more and more complex. Many systems need to anticipate changing contexts or need to adapt to changing business rules or requirements. The challenge of 21th-century software development will be to cope with these aspects. We believe that the role concept offers a simple way to adapt an object-oriented program to its changing context. In a role-based application, an object plays multiple roles during its lifetime. If the contexts are represented as first-class entities, they provide dynamic views to the object-oriented program, and if a context changes, the dynamic views can be switched easily, and the software system adapts automatically. However, the concepts of roles and dynamic contexts have been discussed for a long time in many areas of computer science. So far, their employment in an existing object-oriented language requires a specific runtime environment. Also, classical object-oriented languages and their runtime systems are not able to cope with essential role-specific features, such as true delegation or dynamic binding of roles. In addition to that, contexts and views seem to be important in software development. The traditional code-oriented approach to software engineering becomes less and less satisfactory. The support for multiple views of a software system scales much better to the needs of todays systems. However, it relies on programming languages to provide roles for the construction of views. As a solution, this thesis presents an implementation pattern for role-playing objects that does not require a specific runtime system, the SCala ROles Language (SCROLL). Via this library approach, roles are embedded in a statically typed base language as dynamically evolving objects. The approach is pure in the sense that there is no need for an additional compiler or tooling. The implementation pattern is demonstrated on the basis of the Scala language. As technical support from Scala, the pattern requires dynamic mixins, compiler-translated function calls, and implicit conversions. The details how roles are implemented are hidden in a Scala library and therefore transparent to SCROLL programmers. The SCROLL library supports roles embedded in structured contexts. Additionally, a four-dimensional, context-aware dispatch at runtime is presented. It overcomes the subtle ambiguities introduced with the rich semantics of role-playing objects. SCROLL is written in Scala, which blends a modern object-oriented with a functional programming language. The size of the library is below 1400 lines of code so that it can be considered to have minimalistic design and to be easy to maintain. Our approach solves several practical problems arising in the area of dynamical extensibility and adaptation.

Scala

Rollen

Rollenbasiertes Programmieren

Scala

Roles

Embedding

Role-based Programming

Context

ddc:004

rvk:ST 231

Analyzing State-of-the-Art Role-based Programming Languages

Schütze, Lars, Castrillon, Jeronimo

18 December 2020

With ubiquitous computing, autonomous cars, and cyber-physical systems (CPS), adaptive software becomes more and more important as computing is increasingly context-dependent. Role-based programming has been proposed to enable adaptive software design without the problem of scattering the context-dependent code. Adaptation is achieved by having objects play roles during runtime. With every role, the object's behavior is modified to adapt to the given context. In recent years, many role-based programming languages have been developed. While they greatly differ in the set of supported features, they all incur in large runtime overheads, resulting in inferior performance. The increased variability and expressiveness of the programming languages have a direct impact on the run-time and memory consumption. In this paper we provide a detailed analysis of state-of-the-art role-based programming languages, with emphasis on performance bottlenecks. We also provide insight on how to overcome these problems.

info:eu-repo/classification/ddc/004

ddc:004

Multiagent Systems for Robust IoT Services / 頑健なIoTサービスのためのマルチエージェントシステム

Kemas, Muslim Lhaksmana

23 September 2016

京都大学 / 0048 / 新制・課程博士 / 博士(情報学) / 甲第20028号 / 情博第623号 / 新制||情||108(附属図書館) / 33124 / 京都大学大学院情報学研究科社会情報学専攻 / (主査)教授 石田 亨, 教授 多々納 裕一, 教授 山本 章博 / 学位規則第4条第1項該当 / Doctor of Informatics / Kyoto University / DFAM

multiagent systems

Internet of Things

cascading failure

role-modeling method

role-based language

self-organization

007

Context Reasoning for Role-Based Models

Böhme, Stephan

17 October 2018

In a modern world software systems are literally everywhere. These should cope with very complex scenarios including the ability of context-awareness and self-adaptability. The concept of roles provide the means to model such complex, context-dependent systems. In role-based systems, the relational and context-dependent properties of objects are transferred into the roles that the object plays in a certain context. However, even if the domain can be expressed in a well-structured and modular way, role-based models can still be hard to comprehend due to the sophisticated semantics of roles, contexts and different constraints. Hence, unintended implications or inconsistencies may be overlooked. A feasible logical formalism is required here. In this setting Description Logics (DLs) fit very well as a starting point for further considerations since as a decidable fragment of first-order logic they have both an underlying formal semantics and decidable reasoning problems. DLs are a well-understood family of knowledge representation formalisms which allow to represent application domains in a well-structured way by DL-concepts, i.e. unary predicates, and DL-roles, i.e. binary predicates. However, classical DLs lack expressive power to formalise contextual knowledge which is crucial for formalising role-based systems. We investigate a novel family of contextualised description logics that is capable of expressing contextual knowledge and preserves decidability even in the presence of rigid DL-roles, i.e. relational structures that are context-independent. For these contextualised description logics we thoroughly analyse the complexity of the consistency problem. Furthermore, we present a mapping algorithm that allows for an automated translation from a formal role-based model, namely a Compartment Role Object Model (CROM), into a contextualised DL ontology. We prove the semantical correctness and provide ideas how features extending CROM can be expressed in our contextualised DLs. As final step for a completely automated analysis of role-based models, we investigate a practical reasoning algorithm and implement the first reasoner that can process contextual ontologies.

info:eu-repo/classification/ddc/004

ddc:004

The effect of feedback on lower-level employees' empowerment, motivation and performance in a selected steel production company / Johannes Hlanganato Sono

Sono, Johannes Hlanganato

January 2014

The general aim of the study was to determine the effect of feedback derived from task observations on lower-level employees’ empowerment, motivation and performance in a selected steel production company. Feedback plays an important role in empowering and motivating employees to improve performance. Previous research indicates that relationships exist between feedback and empowerment, motivation and performance. However, past research was confined to particular context(s), and the effect of feedback on lower-level employees has received little research attention. It was identified that feedback derived from task observations could potentially become a tool to enable lower-level employees to be empowered to perform to the best of their abilities. The research design used is a quantitative non-experimental cross-sectional approach, where questionnaires were used to collect data. The targeted population was all 500 lower-level skilled workers at one business unit of a selected steel production company. Only 308 lower-level employees were available and willing to participate. The findings of the study indicate that there is a statistically significant positive relationship between feedback as derived from task observations and employee empowerment, motivation and performance. The positive relationship found between feedback and empowerment indicates that feedback derived from task observations can be used as a critical component in empowering and motivating lower-level employees to improve performance. / MBA, North-West University, Potchefstroom Campus, 2015

Feedback

Lower-level employee

Task observations

Steel industry

Meaning

Impact

Competence

Self-determination

Self-esteem

Motivation

Role-based performance