Security Policies
Overview
- Programming languages and program analysis for security: a three-year retrospective. Marco Pistoia, Úlfar Erlingsson. ACM SIGPLAN Notices 2008.
- Program Analysis for Access Control at IBM Research
Web Service Security Policies
- Tools
- Surveys:
- Security for Web Services: Standards and Research Issues. Lorenzo Martino, Elisa Bertino Int. J. Web Service Res. 2009.
- A survey of attacks on web services. Meiko Jensen, Nils Gruschka and Ralph Herkenhöner. Computer Science - Research and Development 2009.
- A Service-oriented Approach to Security - Concepts and Issues. Elisa Bertino, Lorenzo Martino. ISADS 2007:
- Challenges of testing web services and security in soa implementations. A Barbir, C Hobbs, E Bertino et al. 2007.
- An Overview of Web Services Security. P Kearney, J Chapman, N Edwards, M Gifford and L He. BT Technology Journal 2006.
- Security in SOA and Web Services. Elisa Bertino, Lorenzo Martino. SCC 2006
- A Survey of Web Services Security. Carlos Gutiérrez, Eduardo Fernández-Medina and Mario Piattini. ICCSA 2004
- A flexible access control model for web services. Slides. Elisa Bertino. IFIP Working Group 10.4 Dependable Computing and Fault Tolerance 2005.
- Other related work
- ACConv -- An Access Control Model for Conversational Web Services. Federica Paci, Massimo Mecella, Mourad Ouzzani, and Elisa Bertino. ACM Trans. Web 2011.
- Access control enforcement for conversation-based web services. Massimo Mecella, Mourad Ouzzani, Federica Paci, and Elisa Bertino. WWW 2006.
- Policy-Driven Service Composition with Information Flow Control. Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino. ICWS 2010.
- Using XML schema to improve writing, validation, and structure of WS-policies. Steffen Heinzl and Benjamin Schmeling. SAC 2010.
- A pattern-driven security advisor for service-oriented architectures. Maxim Schnjakin, Michael Menzel, and Christoph Meinel. SWS 2009.
- The SCIFC Model for Information Flow Control in Web Service Composition. Wei She, I-Ling Yen, Bhavani M. Thuraisingham, Elisa Bertino. ICWS 2009.
- Identity Attribute-Based Role Provisioning for Human WS-BPEL Processes. Federica Paci, Rodolfo Ferrini, Elisa Bertino. ICWS 2009.
- Verifying policy-based web services security. Karthikeyan Bhargavan, C\&\#233;dric Fournet, and Andrew D. Gordon. TOPLAS 2008.
- Verifying policy-based security for web services. Karthikeyan Bhargavan, C\&\#233;dric Fournet, and Andrew D. Gordon. CCS 2004.
- Pattern-based Policy Configuration for SOA Applications. Satoh, F.; Mukhi, N.K.; Nakamura, Y.; Hirose, S.. SCC 2008.
- An Access-Control Framework for WS-BPEL. Federica Paci, Elisa Bertino, Jason Crampton. Int. J. Web Service Res. 2008.
- Authorization and User Failure Resiliency for WS-BPEL business processes. F. Paci, R. Ferrini, Y. Sun, E. Bertino. ICSOC 2008.
- Verification of Access Control Requirements in Web Services Choreography. F. Paci, M.Ouzzani, M. Mecella, E. Bertino. SCC 2008.
- A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy. Rafae Bhatti, Daniel Sanz, Elisa Bertino, Arif Ghafoor. ICWS 2007.
- User Tasks and Access Control over Web Services. Jacques Thomas, Federica Paci, Elisa Bertino, Patrick Eugster. ICWS 2007.
- An Access Control System for Web Service Compositions. Mudhakar Srivatsa, Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou, Jian Yin. ICWS 2007.
- Access Control for Cross-Organisational Web Service Composition. Michael Menzel , Christian Wolter and Christoph Meinel. Journal of Information Assurance and Security 2007.
- Web Services Security Policy Language (WS-SecurityPolicy). OASIS. 2007 (WS-SecurityPolicy wiki)
- An Adaptive Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, Lorenzo Martino, Federica Paci. Int. J. Web Service Res. 2006.
- Defeasible security policy composition for web services. Adam J. Lee, Jodie P. Boyer, Lars E. Olson, and Carl A. Gunter. FMSE 2006.
- An Attribute-Based Access Control Model for Web Services. Hai-bo Shen, Fan Hong, PDCAT 2006.
- Ws-AC: A Fine Grained Access Control System for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, Ivan Paloscia, Lorenzo Martino J. World Wide Web 2006.
- Understanding Web Services Policy. Microsoft, 2006.
- WS-SecurityPolicy Decision and Enforcement for Web Service Firewalls. Nils Gruschka, Ralph Herkenh¨oner and Norbert Luttenberger. 2006
- Access Control and Authorization Constraints for WS-BPEL. Bertino, E., Crampton, J., Paci, F. ICWS 2006.
- An advisor for web services security policies. Karthikeyan Bhargavan, C\&\#233;dric Fournet, Andrew D. Gordon, and Greg O'Shea. SWS 2005.
- Negotiated Security Policies for E-Services and Web Services. George Yee, Larry Korba. ICWS 2005.
- Attributed Based Access Control (ABAC) for Web Services. Eric Yuan, Jin Tong. ICWS 2005.
- A Trust-Based Context-Aware Access Control Model for Web-Services. Rafae Bhatti, Elisa Bertino, Arif Ghafoor. Distributed and Parallel Databases 2005.
- A trust-based context-aware access control model for Web-services. Bhatti, R., Bertino, E., Ghafoor, A. ICWS 2004.
- Authorization and privacy for semantic Web services. Kagal, L, Finin, T., Paolucci, M., Navcen. IEEE Intelligent Systems 2005.
- Towards Web Service access control. M. Coetzee, J.H.P. Eloff. Computers & Security 2004.
- A Fine-Grained Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini, D. Mevi. SCC 2004.
- A Flexible Access Control Model for Web Services. Elisa Bertino, Anna Cinzia Squicciarini: FQAS 2004.
- A Web Service Architecture for Enforcing Access Control Policies. Claudio Agostino Ardagna, Ernesto Damiani, Sabrina De Capitani di Vimercati, Pierangela Samarati. VODCA 2004
- Managing security policy in a large distributed Web services environment. Symon Chang, Qiming Chen, Meichun Hsu COMPSAC 2003.
- An access control language for web services. Emin G\&\#252;n Sirer and Ke Wang. SACMAT 2002.
- ACConv -- An Access Control Model for Conversational Web Services. Federica Paci, Massimo Mecella, Mourad Ouzzani, and Elisa Bertino. ACM Trans. Web 2011.
Policy Recovery/Inference
- Inferring Java Security Policies Through Dynamic Sandboxing. H. Inoue and S. Forrest, PLC 2005.
- Retrofitting Legacy Code for Authorization Policy Enforcement. Vinod Ganapathy. Dissertation 2007.
- Mining Security-Sensitive Operations in Legacy Code using Concept Analysis. Vinod Ganapathy, David King, Trent Jaeger, and Somesh Jha. ICSE 2007.
- Inferring Higher Level Policies from Firewall Rules. Alok Tongaonkar, Niranjan Inamdar, and R. Sekar. LISA 2007.
- Combining static and dynamic analysis for automatic identification of precise access-control policies. Paolina Centonze. ACSAC 2007.
- Confidentiality Policies and Their Extraction from Programs. Michael Carl Tschantz and Jeannette M. Wing. Tech report 2007.
- Extracting Conditional Confidentiality Policies. Michael Carl Tschantz and Jeannette M. Wing. SEFM 2008. [Implementation]
- AutoISES: Automatically inferring security specifications and detecting violations. Lin Tan, Xiaolan (Catherine) Zhang, Xiao Ma, Weiwei Xiong and Yuanyuan Zhou. USENIX Security 2008 [Slides in PDF]
- Towards Automatic Reverse Engineering of Security Configurations. R. Wang, X. Wang, K. Zhang and Z. Li. CCS 2008.
- Policy Inference using Genetic Programming: A comparison among three approaches. Yow Tzu Lim, Pau–Chen Cheng, John Andrew Clark and Pankaj Rohatgi.
- Merlin: Specification Inference for Explicit Information Flow Problems. Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani, and Anindya Banerjee. PLDI 2009.
- Dynamic security policy learning. Yow Tzu Lim; Pau Chen Cheng; Pankaj Rohatgi; John A Clark. WISE 2009.
- Inference of Usable Declassification Policies. Jeffrey A. Vaughan and Stephen Chong. Working paper, 2010.
- Auto-generating access control policies for applications by static analysis with user input recognition. Sven Lachmund. SESS 2010.
- Auto-generation of Least Privileges Access Control Policies for Applications Supported by User Input Recognition. Sven Lachmund and Gregor Hengst. Transactions on Computational Science XI 2010.
- Learning Autonomic Security Reconfiguration Policies. Tapiador, J.E.; Clark, J.A.. CIT 2010.
- Static Extraction of Program Configuration Options. Ariel Rabkin and Randy Katz. ICSE 2011. [Implementation]
- Inference of Expressive Declassification Policies. Jeffrey A. Vaughan and Stephen Chong. Oakland 2011. [slides]
- Access Control to Materialized Views: an Inference-Based Approach. Sarah Nait Bahloul. EDBT/ICDT PhD 2011.
- Using Hierarchical Change Mining to Manage Network Security Policy Evolution. Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith, HOT-ICE 2011.
- Slides
Program Analysis for Security Policies
- Modular string-sensitive permission analysis with demand-driven precision, Geay, Emmanuel and Pistoia, Marco and Takaaki Tateishi, and Ryder, Barbara G. and Dolby, Julian, ICSE 2009.
- A Security Policy Oracle: Detecting Security Holes Using Multiple API Implementations. With Varun Srivastava, Michael D. Bond, and Kathryn S. McKinley. PLDI 2011.
Mobile Security Testing and Analysis
Web Security Policies
- Towards Fine-Grained Access Control in JavaScript Contexts. Kailas Patil, Xinshu Dong, Xiaolei Li, Zhenkai Liang, and Xuxian Jiang. ICDCS 2011.
- Static Detection of Access Control Vulnerabilities in Web Applications, Fangqi Sun, Liang Xu, and Zhendong Su, USENIX Security 2011
Browser Security
- RePriv: Re-Imagining Content Personalization and In-Browser Privacy, Matthew Fredrikson and Benjamin Livshits, S & P 2011
- Verified Security for Browser Extensions, Arjun Guha, Matthew Fredrikson, Benjamin Livshits, and Nikhil Swamy, S & P 2011
Privacy Concerns/ Privacy Leakage Detection
- Privacy Oracle: A System for Finding Application Leaks with Black Box Differential Testing., J. Jung, A. Sheth, B. Greenstein, D. Wetherall, G. Maganis, and T. Kohno. CCS 2008.
- When I am On Wi-Fi, I am Fearless: Privacy Concerns & Practices in Everyday Wi-Fi Use, Predrag Klasnja, Sunny Consolvo, Jaeyeon Jung, Ben Greenstein, Louis LeGrand, Polly Powledge and David Wetherall, CHI 2009
Models/Protocol
- Oblivious transfer with access control, Jan Camenisch, Maria Dubovitskaya, and Gregory Neven, CCS 2009.
- A formal framework for reflective database access control policies, Lars E. Olson, Carl A. Gunter, and P. Madhusudan, CCS 2008
- Understanding and developing role-based administrative models, Jason Crampton, CCS 2005
- Resiliency policies in access control, Ninghui Li, Mahesh V. Tripunitara, and Qihua Wang, CCS 2006
Policies against attacks
- Protecting browsers from dns rebinding attacks , Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh, CCS 2008
Policy Analysis
- Efficient policy analysis for administrative role based access control, Scott D. Stoller, Ping Yang, C R. Ramakrishnan, Mikhail I. Gofman, CCS 2007
- Safety and consistency in policy-based authorization systems, Adam J. Lee, and Marianne Winslett, CCS 2006
Role Engineering (i.e., role mining)
- A class of probabilistic models for role engineering, Mario Frank, David Basin, and Joachim M. Buhmann, CCS 2008
- RoleMiner: mining roles using subset enumeration, Jaideep Vaidya, Vijayalakshmi Atluri, and Janice Warner, CCS 2006
- On the Definition of Role Mining, Mario Frank, Joachim M. Buhmann and David Basin, SACMAT 2010
- Probabilistic Approach to Hybrid Role Mining, Mario Frank, Andreas P. Streich, David Basin and Joachim M. Buhmann, CCS 2009
- Mining Roles with Semantic Meanings, Ian Molloy, Hong Chen, Tiancheng Li, Qihua Wang, Ninghui Li, Elisa Bertino, Seraphin Calo, and Jorge Lobo, SACMAT 2008
- Evaluating Role Mining Algorithms, Ian Molloy, Ninghui Li, Tiancheng Li, Ziqing Mao, Qihua Wang, Jorge Lobo, SACMAT 2009
- Automating role-based provisioning by learning from examples, Ni, Q., Lobo, J., Calo, S., Rohatgi, P., and Bertino, E, SACMAT 2009
Policy Composition
- Assessing query privileges via safe and efficient permission composition, Sabrina De Capitani di Vimercati, Sara Foresti, Sushil Jajodia, Stefano Paraboschi, and Pierangela Samarati, CCS 2008
Policy Constraints/Features (e.g., Obligations, Separation of Duty)
- On the modeling and analysis of obligations, Keith Irwin, Ting Yu, and William H. Winsborough, CCS 2006
Misc.
Performance
- CPOL: high-performance policy evaluation, Kevin Borders, Xin Zhao, and Atul Prakash, CCS 2005
Authorization
- PeerAccess: a logic for distributed authorization, Marianne Winslett, Charles C. Zhang, and Piero A. Bonatti, CCS 2005
Reasoning
- KNOW Why your access was denied: regulating feedback for usable security, Apu Kapadia, Geetanjali Sampemane, Roy H. Campbell, CCS 2005
Policy Comparison
- Comparing the expressive power of access control models, Mahesh V. Tripunitara, and Ninghui Li, CCS 2005
Note: adds papers CCS 05-09 04/10/2010