1 |
On the Design and Testing of Authorization SystemsSharifi, Alireza January 2013 (has links)
Authorization deals with the specification and management of accesses principals have to resources. In the design of an authorization system, sometimes we just implement the accessenforcement without having a precise semantics for it. In this dissertation we show that, there
exists a precise semantics that improves the efficiency of access-enforcement over the accessenforcement without precise semantics. We present an algorithm to produce an Access Control
List (ACL), in a particular authorization system for version control syatems called gitolite,
and we compare the implementation of our algorithm against the implementation that is already
being used.
As another design problem, we consider least-restrictive enforcement of the Chinese Wall
security policy. We show that there exists a least-restrictive enforcement of the Chinese Wall
Security Policy. Our approach to proving the thesis is by construction; we present an enforcement
that is least-restrictive. We also prove that such an enforcement mechanism cannot be subjectindependent.
We also propose a methodology that tests the implementation of an authorization system to
check whether it has properties of interest. The properties may be considered to be held in the
design of an authorization system, but they are not held in the implementation. We show that
there exist authorization systems that do not have the properties of interest.
|
2 |
On the Design and Testing of Authorization SystemsSharifi, Alireza January 2013 (has links)
Authorization deals with the specification and management of accesses principals have to resources. In the design of an authorization system, sometimes we just implement the accessenforcement without having a precise semantics for it. In this dissertation we show that, there
exists a precise semantics that improves the efficiency of access-enforcement over the accessenforcement without precise semantics. We present an algorithm to produce an Access Control
List (ACL), in a particular authorization system for version control syatems called gitolite,
and we compare the implementation of our algorithm against the implementation that is already
being used.
As another design problem, we consider least-restrictive enforcement of the Chinese Wall
security policy. We show that there exists a least-restrictive enforcement of the Chinese Wall
Security Policy. Our approach to proving the thesis is by construction; we present an enforcement
that is least-restrictive. We also prove that such an enforcement mechanism cannot be subjectindependent.
We also propose a methodology that tests the implementation of an authorization system to
check whether it has properties of interest. The properties may be considered to be held in the
design of an authorization system, but they are not held in the implementation. We show that
there exist authorization systems that do not have the properties of interest.
|
3 |
Design and implementation of an attribute-based authorization management systemMohan, Apurva 05 April 2011 (has links)
The proposed research is in the area of attribute-based authorization systems. We address two specific research problems in this area. First, evaluating authorization policies in multi-authority systems where there are multiple stakeholders in the disclosure of sensitive data. The research proposes to consider all the relevant policies related to authorization in real time upon the receipt of an access request and to resolve any differences that these individual policies may have in authorization. Second, to enable a lot of entities to participate in the authorization process by asserting attributes on behalf of the principal accessing resources. Since it is required that these asserted attributes be trusted by the authorization system, it is necessary that these entities are themselves trusted by the authorization system. Two frameworks are proposed to address these issues. In the first contribution a dynamic authorization system is proposed which provides conflict detection and resolution among applicable policies in a multi-authority system. The authorization system is dynamic in nature and considers the context of an access request to adapt its policy selection, execution and conflict handling based on the access environment. Efficient indexing techniques are used to increase the speed of authorization policy loading and evaluation. In the second contribution, we propose a framework for service providers to evaluate trust in entities asserting on behalf of service users in real time upon receipt of an access request. This trust evaluation is done based on a reputation system model, which is designed to protect itself against known attacks on reputation systems.
|
Page generated in 0.0857 seconds