Entry Leonard:2013:MAP from tissec.bib



BibTeX entry

@Article{Leonard:2013:MAP,
  author =       "Thomas Leonard and Martin Hall-May and Mike Surridge",
  title =        "Modelling Access Propagation in Dynamic Systems",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "2",
  pages =        "5:1--5:??",
  month =        sep,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2516951.2516952",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Sep 23 17:04:07 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Access control is a critical feature of many systems,
                 including networks of services, processes within a
                 computer, and objects within a running process. The
                 security consequences of a particular architecture or
                 access control policy are often difficult to determine,
                 especially where some components are not under our
                 control, where components are created dynamically, or
                 where access policies are updated dynamically. The
                 SERSCIS Access Modeller (SAM) takes a model of a system
                 and explores how access can propagate through it. It
                 can both prove defined safety properties and discover
                 unwanted properties. By defining expected behaviours,
                 recording the results as a baseline, and then
                 introducing untrusted actors, SAM can discover a wide
                 variety of design flaws. SAM is designed to handle
                 dynamic systems (i.e., at runtime, new objects are
                 created and access policies modified) and systems where
                 some objects are not trusted. It extends previous
                 approaches such as Scollar and Authodox to provide a
                 programmer-friendly syntax for specifying behaviour,
                 and allows modelling of services with mutually
                 suspicious clients. Taking the Confused Deputy example
                 from Authodox we show that SAM detects the attack
                 automatically; using a web-based backup service, we
                 show how to model RBAC systems, detecting a missing
                 validation check; and using a proxy certificate system,
                 we show how to extend it to model new access
                 mechanisms. On discovering that a library fails to
                 follow an RFC precisely, we re-evaluate our existing
                 models under the new assumption and discover that the
                 proxy certificate design is not safe with this
                 library.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

Related entries