MPEIS 2011 Abstracts


Full Papers
Paper Nr: 2
Title:

SEMANTIC ANNOTATIONS FOR SECURITY POLICY MATCHING IN WS-POLICY

Authors:

Giuseppe Di Modica and Orazio Tomarchio

Abstract: Service computing technology enables B2B scenarios where the provision of a service may require a collaboration among several service providers across multiple independent and heterogeneous administrative domains. In these environments, several new security and privacy challenges arise, mainly related to resource sharing and interoperability among different providers. Policy management frameworks are a powerful mechanism to deal with this heterogeneity, although many issues still have to be faced. In particular, policy matching is today carried out following a syntactical approach, which may impair the selection of suitable services on the one hand, and the flexibility of the matching process on the other one. In this work we propose a semantic approach that, by allowing WS-Policy assertions to reference semantic concepts, provides for a better matching of security requirements and capabilities. The proposed approach has been validated through a case study that shows how a pure syntactic-based mechanism of WS-Policy would have failed in matching two actually compatible policies.

Paper Nr: 3
Title:

POLICY-BASED SECURITY CHANNELS FOR PROTECTING NETWORK COMMUNICATION IN MOBILE CLOUD COMPUTING

Authors:

Wassim Itani, Ayman Kayssi and Ali Chehab

Abstract: In this paper we present a set of policy-driven security protocols for ensuring the confidentiality and integrity of enterprise data in mobile cloud computing environments. The proposed protocols leverage trusted authority entities and the “elastic” virtualized nature of the cloud computing model to provide energy-efficient key management mechanisms and policy-driven data protection techniques that support the secure interaction of the mobile client with an assortment of cloud software and storage services. The main contribution lies in: (1) Offloading the intensive asymmetric key agreement mechanisms from the mobile client and delegating them to resource-lucrative trusted authority sites. This is achieved by aggregating the security associations, required to agree on symmetric keys between the client and the cloud services, in a single security association between the client and the trusted authority. The aggregation concept results in major energy savings especially when the client consumes a relatively large set of services as is the case in cloud computing today. (2) Designing a customizable policy-based security architecture that considers the sensitivity of cloud data to provide multi-level and fine-grained data protection methodologies that suit the energy-limited mobile devices and the low-bandwidth wireless networks characterizing current mobile cloud computing models. The system is implemented in a real cloud computing environment and the savings in terms of energy consumption and execution time are analyzed.

Paper Nr: 8
Title:

DATA AND ACCESS MANAGEMENT USING ACCESS TOKENS FOR DELEGATING AUTHORITY TO PERSONS AND SOFTWARE

Authors:

Hidehito Gomi

Abstract: Delegation of authority is an act whereby an entity delegates his or her rights to use personal information to another entity. It has most often been implemented in enterprise environments, but previous studies have focused little on the dynamic data and access management model or the design from a practical viewpoint. A data and access management model for the delegation of authority is proposed. In the proposed model, an access token that is an opaque string associated with authorized permission is issued and exchanged among users and entities across security domains. The framework enables fine-grained access control and permission assignment for delegated access by persons and software agents.

Paper Nr: 9
Title:

A FOUR-CONCERN-ORIENTED SECURE IS DEVELOPMENT APPROACH

Authors:

Michel Embe Jiague, Marc Frappier, Frédéric Gervais, Pierre Konopacki, Régine Laleau, Jérémy Milhau and Richard St-Denis

Abstract: In this paper, we advocate a strong separation of four aspects of information systems: data, dynamic behavior, security data and access control behavior. We describe how to model each of these aspects using formal methods. An abstract specification of each part of an information system is defined. The presented approach can be used when building a system from scratch but can also be applied to implement a security controller for an existing system. In parallel with models, properties of the system are written. These properties are checked against the system’s models to ensure they hold using model checking techniques.

Paper Nr: 10
Title:

A LOGICAL VIEW OF NONMONOTONICITY IN ACCESS CONTROL

Authors:

Ali Noorollahi Ravari and Mehran S. Fallah

Abstract: Classical logics have already been proposed as a means to specify and implement access control systems. In this paper, we first show that some facets of access control render these logics inadequate. In particular, when used as an inference engine, they are insufficient for decision making on the basis of imperfect information, a situation that occurs frequently in new computing paradigms. In addition, it is sometimes required to annihilate former derivable authorizations when new rules are added to security policies. Then, we demonstrate how the existing formalisms of nonmonotonic reasoning can be deployed to address such aspects of access control. Finally, we justify the use of modal nonmonotonic logics for access control in open environments and propose their required features.