DOI: 10.1145/1866898.1866901
research-article

Cue: a framework for generating meaningful feedback in XACML

Published: 04 October 2010

Abstract

With a number of access rules at play, along with contexts in which they may or may not apply, it is not always obvious to a legitimate user what caused an authorization server to deny a request, nor is it possible for the administrator to specify a complete, fail-proof policy. It then becomes the responsibility of the system to act in a user-friendly manner by providing feedback that suggests possible alternatives to the requester. The system should also cover any unhandled request that it may encounter due to an incomplete system policy. At the same time, it is essential that feedback not reveal the entire policy to any user. In this paper we propose Cue, a framework for generating feedback in XACML using logic programming in Prolog. Feedback content is protected by a meta policy, which is itself specified in XACML. We first translate XACML policies into logic-based functors. Second, we execute a query using the parameters of the denied XACML request to identify the conditions that failed. Third, a failed condition is reported as feedback if the meta policy allows the system to reveal it. Cue is capable of generating appropriate feedback while ensuring that a desired degree of confidentiality is maintained.
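
The last two steps of the abstract (find the conditions that failed for a denied request, then release only those a meta policy permits) can be sketched as follows. This is an added example, not the paper's code: it uses Python in place of Prolog functors and XACML, and the rule, attribute names, hints and meta-policy layout are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Everything below (rule ids, attributes, hints, meta-policy shape) is constructed
# for illustration; Cue itself works on XACML translated to Prolog functors.

@dataclass(frozen=True)
class Condition:
    name: str                        # identifier the meta policy refers to
    attribute: str                   # request attribute the condition tests
    test: Callable[[object], bool]   # True when the condition holds
    hint: str                        # feedback text, shown only if revealable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    conditions: tuple

POLICY = [Rule("permit-read-record", (
    Condition("role", "role", lambda v: v == "physician", "requires the physician role"),
    Condition("hours", "hour", lambda v: v is not None and 8 <= v < 18, "allowed 08:00-18:00 only"),
    Condition("ward", "ward", lambda v: v == "cardiology", "requester must work on the record's ward"),
))]

# Meta policy: which failed conditions each requester role may be told about.
META_POLICY = {"physician": {"hours", "ward"}, "nurse": {"hours"}}

def failed_conditions(rule, request):
    """Step 2: replay the denied request against a rule and collect what failed."""
    return [c for c in rule.conditions if not c.test(request.get(c.attribute))]

def evaluate(request):
    """Return (decision, feedback); requests no rule permits are denied."""
    failures = []
    for rule in POLICY:
        failed = failed_conditions(rule, request)
        if not failed:
            return "Permit", []
        failures.extend(failed)
    # Step 3: release only what the meta policy allows for this requester.
    revealable = META_POLICY.get(request.get("role"), set())
    return "Deny", [c.hint for c in failures if c.name in revealable]
```

A requester whose role has no meta-policy entry receives a bare denial, so an unknown party cannot probe the policy by reading feedback.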

Published In

SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
October 2010
98 pages
ISBN:9781450300933
DOI:10.1145/1866898
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. feedback
  3. policy protection
  4. privacy policy languages
  5. prolog
  6. usable privacy and security
  7. xacml

Qualifiers

  • Research-article

Conference

CCS '10
Acceptance Rates

Overall Acceptance Rate 22 of 61 submissions, 36%

Cited By

  • (2018) Survey on Access Control for Community-Centered Collaborative Systems. ACM Computing Surveys 51:1 (1-38). DOI: 10.1145/3146025. Online publication date: 4-Jan-2018
  • (2016) Collaborative Access Decisions: Why Has My Decision Not Been Enforced? Information Systems Security (109-130). DOI: 10.1007/978-3-319-49806-5_6. Online publication date: 24-Nov-2016
  • (2016) Data Governance and Transparency for Collaborative Systems. Data and Applications Security and Privacy XXX (199-216). DOI: 10.1007/978-3-319-41483-6_15. Online publication date: 2-Jul-2016
  • (2011) User controllable security and privacy for mobile mashups. Proceedings of the 12th Workshop on Mobile Computing Systems and Applications (35-40). DOI: 10.1145/2184489.2184498. Online publication date: 1-Mar-2011
  • (2011) A Framework for Managing and Analyzing Changes of Security Policies. 2011 IEEE International Symposium on Policies for Distributed Systems and Networks (105-112). DOI: 10.1109/POLICY.2011.47. Online publication date: Jun-2011
