SACMAT '19- Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

Recent cyber attacks have shown that the leakage/stealing of big data may result in enormous monetary loss and damage to organizational reputation, and increased identity theft risks for individuals. Furthermore, in the age of big data, protecting the security and privacy of stored data is paramount for maintaining public trust, and getting the full value from the collected data.

In this talk, we first discuss the unique security and privacy challenges arise due to big data and the NoSQL systems designed to analyze big data. Also we discuss our proposed SecureDL system that is built on top of existing NoSQL databases such as Hadoop and Spark and designed as a data access broker where each request submitted by a user app is automatically captured. These captured requests are logged, analyzed and then modified (if needed) to conform with security and privacy policies (e.g.,[5]), and submitted to underlying NoSQL database. Furthermore, SecureDL can allow organizations to audit their big data usage to prevent data misuse and comply with various privacy regulations[2]. SecureDL is totally transparent from the user point of view and does not require any change to the user's code and/or the underlying NoSQL database systems. Therefore, it can be deployed on existing NoSQL databases.

Later on, we discuss how to add additional security layer for protecting big data using encryption techniques (e.g., [1, 3, 4]). Especially, we discuss our work on leveraging the modern hardware based trusted execution environments (TEEs) such as Intel SGX for secure encrypted data processing. We also discuss how to provide a simple, secure and high level language based framework that is suitable for enabling generic data analytics for non-security experts who do not have security concepts such as "oblivious execution''. Our proposed framework allows data scientists to perform the data analytic tasks with TEEs using a Python/Matlab like high level language; and automatically compiles programs written in our language to optimal execution code by managing issues such as optimal data block sizes for I/O, vectorized computations to simplify much of the data processing, and optimal ordering of operations for certain tasks. Using these design choices, we show how to provide guarantees for efficient and secure big data analytics over encrypted data.

The integrity of executable binaries is essential to the security of any device that runs them. At best, a manipulated binary can leave the system in question open to attack, and at worst, it can compromise the entire system by itself. In recent years, supply-chain attacks have demonstrated that binaries can even be compromised unbeknownst to their creators. This, in turn, leads to the dissemination of supposedly valid binaries that need to be revoked later.

In this paper, we present and evaluate a concept for publishing and revoking integrity protecting information for binaries, based on the Ethereum Blockchain and its underlying peer-to-peer network. Smart Contracts are used to enforce access control over the publication and revocation of integrity preserving information, whereas the peer-to-peer network serves as a fast, global communication service to keep user clients informed. The Ethereum Blockchain serves as a tamper-evident, publicly-verifiable log of published and revoked binaries. Our implementation incurs costs comparable to registration fees for centralised software distribution platforms but allows publication and revocation of individual binaries within minutes. The proposed concept can be integrated incrementally into existing software distribution platforms, such as package repositories or various app stores.

This paper proposes Concurrent-Access Obfuscated Store (CAOS), a construction for remote data storage that provides access-pattern obfuscation in a honest-but-curious adversarial model, while allowing for low bandwidth overhead and client storage. Compared to other approaches, the main advantage of CAOS is that it supports concurrent access without a proxy, for multiple read-only clients and a single read-write client. Concurrent access is achieved by letting clients maintain independent maps that describe how the data is stored. Even though the maps might diverge from client to client, the protocol guarantees that clients will always have access to the data. Efficiency and concurrency are achieved at the expense of perfect obfuscation: in CAOS the extent to which access patterns are hidden is determined by the resources allocated to its built-in obfuscation mechanism. To assess this trade-off we provide both a security and a performance analysis of CAOS. We additionally provide a proof-of-concept implementation available at https://github.com/meehien/caos.

In Attribute-Based Access Control (ABAC), a user is permitted or denied access to an object based on a set of rules (together called an ABAC Policy) specified in terms of the values of attributes of various types of entities, namely, user, object and environment. Efficient evaluation of these rules is therefore essential for ensuring decision making at on-line speed when an access request comes. Sequentially evaluating all the rules in a policy is inherently time consuming and does not scale with the size of the ABAC system or the frequency of access requests. This problem, which is quite pertinent for practical deployment of ABAC, surprisingly has not so far been addressed in the literature. In this paper, we introduce two variants of a tree data structure for representing ABAC policies, which we name as PolTree. In the binary version (B-PolTree), at each node, a decision is taken based on whether a particular attribute-value pair is satisfied or not. The n-ary version (N-PolTree), on the other hand, grows as many branches out of a given node as the total number of possible values for the attribute being checked at that node. An extensive experimental evaluation with diverse data sets shows the scalability and effectiveness of the proposed approach.

With the prevalence of online social networking, a large amount of studies have focused on online users' privacy. Existing work has heavily focused on preventing unauthorized access of one's personal information (e.g. locations, posts and photos). Very little research has been devoted into protecting the friend search engine, a service that allows people to explore others' friend lists. Although most friend search engines only disclose a partial view of one's friend list (e.g., k friends) or offer the ability to show all or no friends, attackers may leverage the combined knowledge from views obtained from different queries to gain a much larger social network of a targeted victim, potentially revealing sensitive information of a victim. In this paper, we propose a new friend search engine, namely FriendGuard, which guarantees the degree of friend exposure as set by users. If a user only allows k of his/her friends to be disclosed, our search engine will ensure that any attempts of discovering more friends of this user through querying the user's other friends will be a failure. The key idea underlying our search engine is the construction of a unique sub social network that is capable of satisfying query needs as well as controlling the degree of friend exposure. We have carried out an extensive experimental study and the results demonstrate both efficiency and effectiveness in our approach.

Event-based systems lie at the heart of many cloud-based Internet-of-Things (IoT) platforms. This combination of the Broker architectural style and the Publisher-Subscriber design pattern provides a way for smart devices to communicate and coordinate with one another. The present design of these cloud-based IoT frameworks lacks measures to (i) protect devices against malicious cloud disconnections, (ii) impose information flow control among communicating parties, and (iii) enforce coordination protocols in the presence of compromised devices. In this work, we propose to extend the modular event-based system architecture of Fiege et al., to incorporate brokering policies and execution monitors, in order to address the three protection challenges mentioned above. We formalized the operational semantics of our protection scheme, explored how the scheme can be used to enforce BLP-style information flow control and RBAC-style protection domains, implemented the proposal in an open-source MQTT broker, and evaluated the performance impact of the protection mechanisms.

This paper focuses on developing a security mechanism geared towards appified smart-home platforms. Such platforms often expose programming interfaces for developing automation apps that mechanize different tasks among smart sensors and actuators (e.g., automatically turning on the AC when the room temperature is above 80 F). Due to the lack of effective access control mechanisms, these automation apps can not only have unrestricted access to the user's sensitive information (e.g., the user is not at home) but also violate user expectations by performing undesired actions. As users often obtain these apps from unvetted sources, a malicious app can wreak havoc on a smart-home system by either violating the user's security and privacy, or creating safety hazards (e.g., turning on the oven when no one is at home). To mitigate such threats, we propose Expat which ensures that user expectations are never violated by the installed automation apps at runtime. To achieve this goal, Expat provides a platform-agnostic, formal specification language UEI for capturing user expectations of the installed automation apps' behavior. For effective authoring of these expectations (as policies) in UEI, Expat also allows a user to check the desired properties (e.g., consistency, entailment) of them; which due to their formal semantics can be easily discharged by an SMT solver. Expat then enforces UEI policies in situ with an inline reference monitor which can be realized using the same app programming interface exposed by the underlying platform. We instantiate Expat for one of the representative platforms, OpenHAB, and demonstrate it can effectively mitigate a wide array of threats by enforcing user expectations while incurring only modest performance overhead.

We are living in an age in which digitization will connect more and more physical assets with IT systems and where IoT endpoints will generate a wealth of valuable data. Companies, individual users, and organizations alike therefore have the need to control their own physical or non-physical assets and data sources. At the same time, they recognize the need for, and opportunity to, share access to such data and digitized physical assets. This paper sets out our technology vision for such sharing ecosystems, reports initial work in that direction, identifies challenges for realizing this vision, and seeks feedback and collaboration from the academic access-control community in that R&D space.

Internet-of-Things (IoT) is a rapidly-growing transformative expansion of the Internet with increasing influence on our daily life. Since the number of "things" is expected to soon surpass human population, control and automation of IoT devices has received considerable attention from academia and industry. Cross-platform collaboration is highly desirable for better user experience due to fragmentation of user needs and vendor products with time. Centralized approaches have been used to build federated trust among platforms and devices, but limit diversity and scalability. We propose a decentralized trust framework, called IoT Passport, for cross-platform collaborations using blockchain technology. IoT Passport is motivated by the familiar use of passports for international travel but with greater dynamism. It enables platforms to establish arbitrary trust relations with each other containing specific rules for intended collaborations, enforced by a combination of smart contracts. Each interaction among devices is signed by the participants and recorded on the blockchain. The records are utilized as attributes for authorization and as proofs of incentive plans. This approach incorporates the preferences of participating platforms and end users, and opens new avenues for collaborative edge computing as well as research on blockchain-based access control mechanism for IoT environments.

Inter-vehicle communication has the potential to significantly improve driving safety, but also raises security concerns. The fundamental mechanism to govern information sharing behaviors is access control. Since vehicular networks have a highly dynamic and open nature, access control becomes very challenging. Existing works are not applicable to the vehicular world. In this paper, we develop a new access control model, openRBAC, and the corresponding mechanisms for access control in vehicular systems. Our approach lets the accessee define a relative role hierarchy, specifying all potential accessor roles in terms of their relative perception to the accessees. Access control policies are defined for the relative roles in the hierarchy. Since the accessee has a clear understanding of the relative roles defined by itself, the policy definitions can be precise and less flawed.

Advancement in machine learning techniques in recent years has led to deep learning applications on source code. While there is little research available on the subject, the work that has been done shows great potential. We believe deep learning can be leveraged to obtain new insight into automated access control policy verification. In this paper, we describe our first step in applying learning techniques to access control, which consists of developing word embeddings to bootstrap learning tasks. We also discuss the future work on identifying access control enforcement code and checking access control policy violations, which can be enabled by word embeddings.

With the increasing capabilities of wearable sensors and implantable medical devices, new opportunities arise to diagnose, control and treat several chronic conditions. Unfortunately, these advancements also open new attack vectors, making security an essential requirement for the further adoption of these devices. Researchers have already developed security solutions tailored to their unique requirements and constraints. However, a fundamental yet unsolved problem is how to securely and efficiently establish and manage cryptographic keys. One of the most promising approaches is the use of patient's physiological signals for key establishment.

This paper aims at identifying common pitfalls in physiological-signal-based cryptographic protocols. These solutions are very fragile because errors can be introduced at different stages, including the choice of the physiological signal, the design of the protocol or its implementation. We start by reviewing previous work that has succeeded in measuring various physiological signals remotely. Subsequently, we conduct a thorough security analysis of two cryptographic solutions well-accepted by the security community, namely the H2H protocol (Rostami et al. - CCS 2013) and the Biosec protocol (Cherukuri et al. - ICISIP 2006). Our evaluation reveals that these protocols have serious design and implementation security weaknesses. Driven by our findings, we then describe how to use fuzzy extractors for designing secure and efficient cryptographic solutions based on the patients' physiological signals. Finally, we discuss research directions for future work.

Online Social Networks (OSNs), such as Facebook and Twitter, are popular platforms that enable users to interact and socialize through their networked devices. The social nature of such applications encourages users to share a great amount of personal data with other users and the OSN service providers, including pictures, personal views, location check-ins, etc. Nevertheless, recent data leaks on major online platforms demonstrate the ineffectiveness of the access control mechanisms that are implemented by the service providers, and has led to an increased demand for provably secure privacy controls. To this end, we introduce Hide In The Crowd (HITC), a flexible system that leverages encryption-based access control, where users can assign arbitrary decryption privileges to every data object that is posted on the OSN platforms. The decryption privileges can be assigned on the finest granularity level, for example, to a hand-picked group of users. HITC is designed as a browser extension and can be integrated to any existing OSN platform without the need for a third-party server. We describe our prototype implementation of HITC over Twitter and evaluate its performance and scalability.

Relationship-based access control (ReBAC) provides a flexible approach to specify policies based on relationships between system entities, which makes them a natural fit for many modern information systems, beyond online social networks. In this paper we are concerned with the problem of mining ReBAC policies from lower-level authorization information. Mining ReBAC policies can address transforming access control paradigms to ReBAC, reformulating existing ReBAC policies as more information becomes available, as well as inferring potentially unknown policies. Particularly, we propose a systematic algorithm for mining ReBAC authorization policies, and a first of its kind approach to mine graph transition policies that govern the evolution of ReBAC systems. Experimental evaluation manifests efficiency of the proposed approaches.

In recent years, developers have used the proliferation of biometric sensors in smart devices, along with recent advances in deep learning, to implement an array of biometrics-based authentication systems. Though these systems demonstrate remarkable performance and have seen wide acceptance, they present unique and pressing security and privacy concerns. One proposed method which addresses these concerns is the elegant, fusion-based BioCapsule method. The BioCapsule method is provably secure, privacy-preserving, cancellable and flexible in its secure feature fusion design. In this work, we extend BioCapsule to face-based recognition. Moreover, we incorporate state-of-art deep learning techniques into a BioCapsule-based facial authentication system to further enhance secure recognition accuracy. We compare the performance of an underlying recognition system to the performance of the BioCapsule-embedded system in order to demonstrate the minimal effects of the BioCapsule scheme on underlying system performance. We also demonstrate that the BioCapsule scheme outperforms or performs as well as many other proposed secure biometric techniques.

The software upon which our modern society operates is riddled with security vulnerabilities. These vulnerabilities allow hackers access to our sensitive data and make our system insecure. To identify vulnerabilities in software, human experts, or vulnerability researchers, are employed. These human experts are quite expensive. And, more fundamentally, human experts cannot analyze every change made to every piece of software (any of which could introduce a security vulnerability). Therefore, automated vulnerability analysis techniques were developed to automatically perform the process of identifying security vulnerabilities in software systems. These tools attempt to democratize the vulnerability analysis process: allowing any developer to identify vulnerabilities in their software automatically, thus finding such vulnerabilities before a malicious hacker.

In this keynote, I will discuss the history of automated vulnerability analysis, from both the binary and the web perspective. Binary fuzzing and black-box web application vulnerability analysis have many aspects in common, yet are often thought of separately. From this, I will discuss the future of automated vulnerability analysis, and how we can achieve the effectiveness of a human vulnerability researcher.

Many existing software systems like logistics systems or enterprise applications employ data security in a more or less ad hoc fashion. Our approach focuses on access control such as permission-based discretionary access control (DAC), variants of role-based access control (RBAC) with delegation, and attribute-based access control (ABAC). Typically, software systems implement hybrid access control making an effective security analysis and assessment rather difficult.

We propose an analysis methodology to reconstruct access control using a novel modular access control model. Our modular approach allows us to flexibly model exactly those access properties that are relevant for a given system. As formalism we use the Object Constraint Language (OCL) with Ecore from the Eclipse Modeling Framework (EMF).

We demonstrate the suitability of our access control model for three software systems: a port community system (PCS), a clinical information system (CIS), and an identity management system (IdMS). For the PCS and CIS we model concrete roles and policies. For the IdMS we evaluate our analysis methodology in-depth by reconstructing access control policies from byte code using the Soot analysis framework as well as model transformation techniques (QVTo). The resulting model helped us to identify design deficiencies. Violated OCL invariants such as for mutually exclusive roles or cardinality constraints revealed non-trivial security vulnerabilities.

Relationship-based access control (ReBAC) is a flexible and expressive framework that allows policies to be expressed in terms of chains of relationship between entities as well as attributes of entities. ReBAC policy mining algorithms have a potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. Existing ReBAC policy mining algorithms support a policy language with a limited set of operators; this limits their applicability.

This paper presents a ReBAC policy mining algorithm designed to be both (1) easily extensible (to support additional policy language features) and (2) scalable. The algorithm is based on Bui et al.'s evolutionary algorithm for ReBAC policy mining algorithm. First, we simplify their algorithm, in order to make it easier to extend and provide a methodology that extends it to handle new policy language features. However, extending the policy language increases the search space of candidate policies explored by the evolutionary algorithm, thus causes longer running time and/or worse results. To address the problem, we enhance the algorithm with a feature selection phase. The enhancement utilizes a neural network to identify useful features. We use the result of feature selection to reduce the evolutionary algorithm's search space. The new algorithm is easy to extend and, as shown by our experiments, is more efficient and produces better policies.

ABACα is a foundational model for attribute-based access control with a minimal set of capabilities to configure many access control models of interest, including the dominant traditional ones: discretionary (DAC), mandatory (MAC), and role-based (RBAC). A fundamental security problem in the design of ABAC is to ensure safety, that is, to guarantee that a certain subject can never gain certain permissions to access certain object(s).

We propose a rule-based specification of ABACα and of its configurations, and the semantic framework of ρLog to turn this specification into executable code for the operational model of ABACα. Next, we identify some important properties of the operational model which allow us to define a rule-based algorithm for the safety problem, and to execute it with ρLog. The outcome is a practical tool to check safety of ABACα configurations.

ρLog is a system for rule-based programming with strategies and built-in support for constraint logic programming (CLP). We argue that ρLog is an adequate framework for the specification and verification of safety of ABACα configurations. In particular, the authorization policies of ABACα can be interpreted properly by the CLP component of ρLog, and the operations of its functional specification can be described by five strategies defined by conditional rewrite rules.

There has been a considerable amount of interest in recent years in the problem of workflow satisfiability, which asks whether the existence of constraints in a workflow specification makes it impossible to allocate authorized users to each step in the workflow. Recent developments have seen the workflow satisfiability problem (WSP) studied in the context of workflow specifications in which the set of steps may vary from one instance of the workflow to another. This, in turn, means that some constraints may only apply to certain workflow instances. Inevitably, WSP becomes more complex for such workflow specifications. Other approaches have considered the possibility of associating costs with the violation of "soft'' constraints and authorizations. Workflow satisfiability in this context becomes a question of minimizing the cost of allocating users to steps in the workflow. In this paper, we introduce new problems, which we believe to be of practical relevance, that combine these approaches. In particular, we consider the question of whether, given a workflow specification with costs and a "budget'', all possible workflow instances have an allocation of users to steps that does not exceed the budget. We design a fixed-parameter tractable algorithm to solve this problem parameterized by the total number of steps, release points and xor branchings.

In the context of cooperative systems, data coming from multiple, autonomous, heterogeneous information sources, is processed and fused into new pieces of information that can be further processed by other entities participating in the cooperation. Controlling the access to such evolving and variegated data, often under the authority of different entities, is challenging. In this work, we identify a set of access control requirements for multi-source cooperative systems and propose an attribute-based access control model where provenance information is used to specify access constraints that account for both the evolution of data objects and the process of data fusion. We demonstrate the feasibility of the proposed model by showing how it can be implemented within existing access control mechanisms with minimal changes.

Recently, applications that deliver customized content to end-users, e.g., digital objects on top of a video stream, depending on information such as their current physical location, usage patterns, personal data, etc., have become extremely popular. Despite their promising future, some concerns still exist with respect to the proper use of such space-sensitive applications (S-Apps) inside independently-run physical spaces, e.g., schools, museums, hospitals, memorials, etc. Based on the idea that innovative technologies should be paired with novel (and effective) security measures, this paper proposes space-sensitive access control (SSAC), an approach for restricting space-sensitive functionality in such independently-run physical spaces, allowing for the specification, evaluation and enforcement of rich and flexible authorization policies, which, besides meeting the specific needs for S-Apps, are also intended to avoid the need for interruptions in their normal use as well as repetitive policy updates, thus providing a convenient solution for both policy makers and end-users. We present a theoretical model, a proof-of-concept S-App, and a supporting API framework, which facilitate the policy crafting, storage, retrieval and evaluation processes, as well as the enforcement of authorization decisions. In addition, we present a performance case study depicting our proof-of-concept S-App in a set of realistic scenarios, as well as a user study which resulted in 90% of participants being able to understand and write authorization policies using our approach, and 93% of them also recognizing the need for restricting functionality in the context of emerging space-sensitive technologies, thus providing evidence that encourages the adoption of SSAC in practice.

We present CMCAP (context-mapped capabilities), a decentralized mechanism for specifying and enforcing adaptive access control policies for resource-centric security. Policies in CMCAP express runtime constraints defined as containment domains with context-mapped capabilities, and ephemeral sandboxes for dynamically enforcing desired information flow properties while preserving functional correctness for the sandboxed programs. CMCAP is designed to remediate DAC's weakness and address the inflexibility that makes current MAC frameworks impractical to the common user. We use a Linux-based implementation of CMCAP to demonstrate how a program's dynamic profile is used for access control and intrusion prevention.

Studies in fields like psychology and sociology have revealed that reciprocity is a powerful determinant of human behavior. None of the existing access control models however captures this reciprocity phenomenon. In this paper, we introduce a new kind of grant, which we call mutual, to express authorizations that actually do this, i.e., users grant access to their resources only to users who allow them access to theirs. We define the syntax and semantics of mutual authorizations and show how this new grant can be included in the Role-Based Access Control model, i.e., extend RBAC with it.

Protecting software from illegal access, intentional modification or reverse engineering is an inherently difficult practical problem involving code obfuscation techniques and real-time cryptographic protection of code. In traditional systems a secure element (the "dongle") is used to protect software. However, this approach suffers from several technical and economical drawbacks such as the dongle being lost or broken.

We present a system that provides such dongles as a cloud service, and more importantly, provides the required cryptographic material to control access to software functionality in real-time.

This system is developed as part of an ongoing nationally funded research project and is now entering a first trial stage with stakeholders from different industrial sectors.

This paper intends to propose a trustworthy model for authenticating users and services over a Big Data Federation deployment architecture. The main goal of this model is to provide a Single-Sign-on (SSO) approach for the latest Hadoop 3.x platform. To achieve this, a conceptual model is proposed combining Hadoop access control primitives and the Apache Knox framework. The paper provides various insights regarding the latest ongoing developments and open challenges in this domain.

Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the applications platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take into consideration the mobile environment, and implementation verification is largely based on code analysis. Our preliminary results are two fold; we sketch an extension to a formal model that incorporates the specifics of the Android platform and classify OAuth device types using machine learning on encrypted VPN traffic.