Abstract. The eXtensible Access Control Markup Language (XACML) is an extensible and flexible XML language for the specification of access control policies. However, the richness and flexibility of the language (along with the verbose syntax of XML) come with a price: errors are easy to make and difficult to detect when policies grow in size. If these errors are not detected and rectified, they can result in serious data leakage and/or privacy violations leading to significant legal and financial consequences. To assist policy authors in the analysis of their policies, several policy analysis tools have been proposed based on different underlying formalisms. However, most of these tools either abstract away functions over non-Boolean domains (hence they cannot provide information about them) or produce very large encodings which hinder the performance. In this paper, we present a generic policy analysis framework that employs SMT as the underlying reasoning mechanism. The use of SMT does not only allow more fine-grained analysis of policies but also improves the performance. We demonstrate that a wide range of security properties proposed in the literature can be easily modeled within the framework. A prototype implementation and its evaluation are also provided.
Take-down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.
The User Authorization Query (UAQ) Problem for RoleBased Access Control (RBAC) amounts to determining a set of roles to be activated in a given session in order to achieve some permissions while satisfying a collection of authorization constraints governing the activation of roles. Techniques ranging from greedy algorithms to reduction to (variants of) the propositional satisfiability (SAT) problem have been used to tackle the UAQ problem. Unfortunately, available techniques suffer two major limitations that seem to question their practical usability. On the one hand, authorization constraints over multiple sessions or histories are not considered. On the other hand, the experimental evaluations of the various techniques are not satisfactory since they do not seem to scale to larger RBAC policies.In this paper, we describe a SAT-based technique to solve the UAQ problem which overcomes these limitations. First, we show how authorization constraints over multiple sessions and histories can be supported. Second, we carefully tune the reduction to the SAT problem so that most of the clauses need not to be generated at run-time but only in a pre-processing step. Finally, we present an extensive experimental evaluation of an implementation of our techniques on a significant set of UAQ problem instances that show the practical viability of our approach; e.g., problems with 300 roles are solved in less than a second.
Background Logistic regression (LR) is a widely used classification method for modeling binary outcomes in many medical data classification tasks. Researchers that collect and combine datasets from various data custodians and jurisdictions can greatly benefit from the increased statistical power to support their analysis goals. However, combining data from different sources creates serious privacy concerns that need to be addressed. Methods In this paper, we propose two privacy-preserving protocols for performing logistic regression with the Newton–Raphson method in the estimation of parameters. Our proposals are based on secure Multi-Party Computation (MPC) and tailored to the honest majority and dishonest majority security settings. Results The proposed protocols are evaluated against both synthetic and real-world datasets in terms of efficiency and accuracy, and a comparison is made with the ordinary logistic regression. The experimental results demonstrate that the proposed protocols are highly efficient and accurate. Conclusions Our work introduces two iterative algorithms to enable the distributed training of a logistic regression model in a privacy-preserving manner. The implementation results show that our algorithms can handle large datasets from multiple sources.
Abstract-Physical Access Controls, such as supervised doors, surveillance cameras and alarms, act as important points of demarcation between physical zones (areas/rooms) of different levels of trust. They do so by controlling personnel flow to and from areas in accordance with the enterprise security policy. A significant challenge in providing physical access control for (restricted) areas is attaining a degree of confidence that a Physical Access Control security configuration adequately addresses the threats. A misconfiguration may result in a threat of unapproved personnel access or the denial of approved personnel access to a restricted zone. In practice, Physical Access Control security configurations typically span multiple zones, involve many users and run to many thousands of access-control rules, and such complexity may increase the likelihood of misconfiguration. In this paper, a formal model for Physical Access Control security configurations is presented. This model, implemented in SAT, captures a number of unique anomalies specific to Physical Access Control domain. A preliminary set of experiments that evaluate our approach is presented.
DevOps teams have to consider many technology and platform aspects when developing, deploying and operating cloud based applications: application deployments need to work everywhere on different cloud platforms, identities need to come from anywhere, and networks need to connect to anyone. The CYCLONE middleware is a holistic middleware stack that allows deploying and managing cloud based applications on multiple clouds and multiple cloud platforms. It includes a deployment manager, a practical identity federation, as well as a network manager that connects VMs independent of any specific infrastructure. This article explains the CYCLONE middleware stack, and what it can offer for application developers and operators. The paper describes in details the main bioinformatics use cases that evolve from a single VM installation for simple microbial research to multicloud infrastructure for advanced genomic resource. The paper also describes the CYCLONE federated identity management and access control infrastructure that significantly simplifies access for institutional users.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.