Security Policies

Overview

• Programming languages and program analysis for security: a three-year retrospective. Marco Pistoia, Úlfar Erlingsson. ACM SIGPLAN Notices 2008.
• Program Analysis for Access Control at IBM Research

Web Service Security Policies

• Tools
  • Microsoft Research Policy Advisor for WSE 3.0 (download here)
  • UMBC Rei
• Surveys:
  • Security for Web Services: Standards and Research Issues. Lorenzo Martino, Elisa Bertino Int. J. Web Service Res. 2009.
  • A survey of attacks on web services. Meiko Jensen, Nils Gruschka and Ralph Herkenhöner. Computer Science - Research and Development 2009.
  • A Service-oriented Approach to Security - Concepts and Issues. Elisa Bertino, Lorenzo Martino. ISADS 2007:
  • Challenges of testing web services and security in soa implementations. A Barbir, C Hobbs, E Bertino et al. 2007.
• An Overview of Web Services Security. P Kearney, J Chapman, N Edwards, M Gifford and L He. BT Technology Journal 2006.
• Security in SOA and Web Services. Elisa Bertino, Lorenzo Martino. SCC 2006
• A Survey of Web Services Security. Carlos Gutiérrez, Eduardo Fernández-Medina and Mario Piattini. ICCSA 2004
• A flexible access control model for web services. Slides. Elisa Bertino. IFIP Working Group 10.4 Dependable Computing and Fault Tolerance 2005.
• Other related work
  • ACConv -- An Access Control Model for Conversational Web Services. Federica Paci, Massimo Mecella, Mourad Ouzzani, and Elisa Bertino. ACM Trans. Web 2011.
    • Access control enforcement for conversation-based web services. Massimo Mecella, Mourad Ouzzani, Federica Paci, and Elisa Bertino. WWW 2006.
  • Policy-Driven Service Composition with Information Flow Control. Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino. ICWS 2010.
  • Using XML schema to improve writing, validation, and structure of WS-policies. Steffen Heinzl and Benjamin Schmeling. SAC 2010.
  • A pattern-driven security advisor for service-oriented architectures. Maxim Schnjakin, Michael Menzel, and Christoph Meinel. SWS 2009.
  • The SCIFC Model for Information Flow Control in Web Service Composition. Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino. ICWS 2009.
  • Identity Attribute-Based Role Provisioning for Human WS-BPEL Processes. Federica Paci, Rodolfo Ferrini, Elisa Bertino. ICWS 2009.
  • Verifying policy-based web services security. Karthikeyan Bhargavan, C\&\#233;dric Fournet, and Andrew D. Gordon. TOPLAS 2008.
    • Verifying policy-based security for web services. Karthikeyan Bhargavan, C\&\#233;dric Fournet, and Andrew D. Gordon. CCS 2004.
  • Pattern-based Policy Configuration for SOA Applications. Satoh, F.; Mukhi, N.K.; Nakamura, Y.; Hirose, S.. SCC 2008.
  • An Access-Control Framework for WS-BPEL. Federica Paci, Elisa Bertino, Jason Crampton. Int. J. Web Service Res. 2008.
  • Authorization and User Failure Resiliency for WS-BPEL business processes. F. Paci, R. Ferrini, Y. Sun, E. Bertino. ICSOC 2008.
  • Verification of Access Control Requirements in Web Services Choreography. F. Paci, M.Ouzzani, M. Mecella, E. Bertino. SCC 2008.
  • A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy. Rafae Bhatti, Daniel Sanz, Elisa Bertino, Arif Ghafoor. ICWS 2007.
  • User Tasks and Access Control over Web Services. Jacques Thomas, Federica Paci, Elisa Bertino, Patrick Eugster. ICWS 2007.
  • An Access Control System for Web Service Compositions. Mudhakar Srivatsa, Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou, Jian Yin. ICWS 2007.
  • Access Control for Cross-Organisational Web Service Composition. Michael Menzel , Christian Wolter and Christoph Meinel. Journal of Information Assurance and Security 2007.
  • Web Services Security Policy Language (WS-SecurityPolicy). OASIS. 2007 (WS-SecurityPolicy wiki)
  • An Adaptive Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, Lorenzo Martino, Federica Paci. Int. J. Web Service Res. 2006.
  • Defeasible security policy composition for web services. Adam J. Lee, Jodie P. Boyer, Lars E. Olson, and Carl A. Gunter. FMSE 2006.
  • An Attribute-Based Access Control Model for Web Services. Hai-bo Shen, Fan Hong, PDCAT 2006.
  • Ws-AC: A Fine Grained Access Control System for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, Ivan Paloscia, Lorenzo Martino J. World Wide Web 2006.
  • Understanding Web Services Policy. Microsoft, 2006.
  • WS-SecurityPolicy Decision and Enforcement for Web Service Firewalls. Nils Gruschka, Ralph Herkenh¨oner and Norbert Luttenberger. 2006
  • Access Control and Authorization Constraints for WS-BPEL. Bertino, E., Crampton, J., Paci, F. ICWS 2006.
  • An advisor for web services security policies. Karthikeyan Bhargavan, C\&\#233;dric Fournet, Andrew D. Gordon, and Greg O'Shea. SWS 2005.
  • Negotiated Security Policies for E-Services and Web Services. George Yee, Larry Korba. ICWS 2005.
  • Attributed Based Access Control (ABAC) for Web Services. Eric Yuan, Jin Tong. ICWS 2005.
  • A Trust-Based Context-Aware Access Control Model for Web-Services. Rafae Bhatti, Elisa Bertino, Arif Ghafoor. Distributed and Parallel Databases 2005.
    • A trust-based context-aware access control model for Web-services. Bhatti, R., Bertino, E., Ghafoor, A. ICWS 2004.
  • Authorization and privacy for semantic Web services. Kagal, L, Finin, T., Paolucci, M., Navcen. IEEE Intelligent Systems 2005.
  • Towards Web Service access control. M. Coetzee, J.H.P. Eloff. Computers & Security 2004.
  • A Fine-Grained Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, D. Mevi. SCC 2004.
  • A Flexible Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini: FQAS 2004.
  • A Web Service Architecture for Enforcing Access Control Policies. Claudio Agostino Ardagna, Ernesto Damiani, Sabrina De Capitani di Vimercati, Pierangela Samarati. VODCA 2004
  • Managing security policy in a large distributed Web services environment. Symon Chang, Qiming Chen, Meichun Hsu COMPSAC 2003.
  • An access control language for web services. Emin G\&\#252;n Sirer and Ke Wang. SACMAT 2002.

Policy Recovery/Inference

• Inferring Java Security Policies Through Dynamic Sandboxing. H. Inoue and S. Forrest, PLC 2005.
• Retrofitting Legacy Code for Authorization Policy Enforcement. Vinod Ganapathy. Dissertation 2007.
• Mining Security-Sensitive Operations in Legacy Code using Concept Analysis. Vinod Ganapathy, David King, Trent Jaeger, and Somesh Jha. ICSE 2007.
• Inferring Higher Level Policies from Firewall Rules. Alok Tongaonkar, Niranjan Inamdar, and R. Sekar. LISA 2007.
• Combining static and dynamic analysis for automatic identification of precise access-control policies. Paolina Centonze. ACSAC 2007.
• Confidentiality Policies and Their Extraction from Programs. Michael Carl Tschantz and Jeannette M. Wing. Tech report 2007.
• Extracting Conditional Confidentiality Policies. Michael Carl Tschantz and Jeannette M. Wing. SEFM 2008. [Implementation]
• AutoISES: Automatically inferring security specifications and detecting violations. Lin Tan, Xiaolan (Catherine) Zhang, Xiao Ma, Weiwei Xiong and Yuanyuan Zhou. USENIX Security 2008 [Slides in PDF]
• Towards Automatic Reverse Engineering of Security Configurations. R. Wang, X. Wang, K. Zhang and Z. Li. CCS 2008.
• Policy Inference using Genetic Programming: A comparison among three approaches. Yow Tzu Lim, Pau–Chen Cheng, John Andrew Clark and Pankaj Rohatgi.
• Merlin: Specification Inference for Explicit Information Flow Problems. Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani, and Anindya Banerjee. PLDI 2009.
• Dynamic security policy learning. Yow Tzu Lim; Pau Chen Cheng; Pankaj Rohatgi; John A Clark. WISE 2009.
• Inference of Usable Declassification Policies. Jeffrey A. Vaughan and Stephen Chong. Working paper, 2010.
• Auto-generating access control policies for applications by static analysis with user input recognition. Sven Lachmund. SESS 2010.
• Auto-generation of Least Privileges Access Control Policies for Applications Supported by User Input Recognition. Sven Lachmund and Gregor Hengst. Transactions on Computational Science XI 2010.
• Learning Autonomic Security Reconfiguration Policies. Tapiador, J.E.; Clark, J.A.. CIT 2010.
• Static Extraction of Program Configuration Options. Ariel Rabkin and Randy Katz. ICSE 2011. [Implementation]
• Inference of Expressive Declassification Policies. Jeffrey A. Vaughan and Stephen Chong. Oakland 2011. [slides]
• Access Control to Materialized Views: an Inference-Based Approach. Sarah Nait Bahloul. EDBT/ICDT PhD 2011.
• Using Hierarchical Change Mining to Manage Network Security Policy Evolution. Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith, HOT-ICE 2011.
• Slides

Program Analysis for Security Policies

• Modular string-sensitive permission analysis with demand-driven precision, Geay, Emmanuel and Pistoia, Marco and Takaaki Tateishi, and Ryder, Barbara G. and Dolby, Julian, ICSE 2009.
• A Security Policy Oracle: Detecting Security Holes Using Multiple API Implementations. With Varun Srivastava, Michael D. Bond, and Kathryn S. McKinley. PLDI 2011.

Mobile Security Testing and Analysis

Web Security Policies

• Towards Fine-Grained Access Control in JavaScript Contexts. Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang, and Xuxian Jiang. ICDCS 2011.
• Static Detection of Access Control Vulnerabilities in Web Applications, Fangqi Sun, Liang Xu, and Zhendong Su, USENIX Security 2011

Browser Security

• RePriv: Re-Imagining Content Personalization and In-Browser Privacy, Matthew Fredrikson and Benjamin Livshits, S & P 2011
• Verified Security for Browser Extensions, Arjun Guha, Matthew Fredrikson, Benjamin Livshits, and Nikhil Swamy, S & P 2011

Privacy Concerns/ Privacy Leakage Detection

• Privacy Oracle: A System for Finding Application Leaks with Black Box Differential Testing., J. Jung, A. Sheth, B. Greenstein, D. Wetherall, G. Maganis, and T. Kohno. CCS 2008.
• When I am On Wi-Fi, I am Fearless: Privacy Concerns & Practices in Everyday Wi-Fi Use, Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Ben Greenstein, Louis LeGrand, Polly Powledge and David Wetherall, CHI 2009

Models/Protocol

• Oblivious transfer with access control, Jan Camenisch, Maria Dubovitskaya, and Gregory Neven, CCS 2009.
• A formal framework for reflective database access control policies, Lars E. Olson, Carl A. Gunter, and P. Madhusudan, CCS 2008
• Understanding and developing role-based administrative models, Jason Crampton, CCS 2005
• Resiliency policies in access control, Ninghui Li, Mahesh V. Tripunitara, and Qihua Wang, CCS 2006

Policies against attacks

• Protecting browsers from dns rebinding attacks , Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh, CCS 2008

Policy Analysis

• Efficient policy analysis for administrative role based access control, Scott D. Stoller, Ping Yang, C R. Ramakrishnan, Mikhail I. Gofman, CCS 2007
• Safety and consistency in policy-based authorization systems, Adam J. Lee, and Marianne Winslett, CCS 2006

Role Engineering (i.e., role mining)

• A class of probabilistic models for role engineering, Mario Frank, David Basin, and Joachim M. Buhmann, CCS 2008
• RoleMiner: mining roles using subset enumeration, Jaideep Vaidya, Vijayalakshmi Atluri, and Janice Warner, CCS 2006
• On the Definition of Role Mining, Mario Frank, Joachim M. Buhmann and David Basin, SACMAT 2010
• Probabilistic Approach to Hybrid Role Mining, Mario Frank, Andreas P. Streich, David Basin and Joachim M. Buhmann, CCS 2009
• Mining Roles with Semantic Meanings, Ian Molloy, Hong Chen, Tiancheng Li, Qihua Wang, Ninghui Li, Elisa Bertino, Seraphin Calo, and Jorge Lobo, SACMAT 2008
• Evaluating Role Mining Algorithms, Ian Molloy, Ninghui Li, Tiancheng Li, Ziqing Mao, Qihua Wang, Jorge Lobo, SACMAT 2009
• Automating role-based provisioning by learning from examples, Ni, Q., Lobo, J., Calo, S., Rohatgi, P., and Bertino, E, SACMAT 2009

Policy Composition

• Assessing query privileges via safe and efficient permission composition, Sabrina De Capitani di Vimercati, Sara Foresti, Sushil Jajodia, Stefano Paraboschi, and Pierangela Samarati, CCS 2008

Policy Constraints/Features (e.g., Obligations, Separation of Duty)

• On the modeling and analysis of obligations, Keith Irwin, Ting Yu, and William H. Winsborough, CCS 2006

Misc.

Performance

• CPOL: high-performance policy evaluation, Kevin Borders, Xin Zhao, and Atul Prakash, CCS 2005

Authorization

• PeerAccess: a logic for distributed authorization, Marianne Winslett, Charles C. Zhang, and Piero A. Bonatti, CCS 2005

Reasoning

• KNOW Why your access was denied: regulating feedback for usable security, Apu Kapadia, Geetanjali Sampemane, Roy H. Campbell, CCS 2005

Policy Comparison

• Comparing the expressive power of access control models, Mahesh V. Tripunitara, and Ninghui Li, CCS 2005

Note: adds papers CCS 05-09 04/10/2010