Contact

Web Chair

Marco Pernpruner
Security & Trust Research Unit
Center for Cybersecurity
Fondazione Bruno Kessler
Email: mpernpruner@fbk.eu

Proceedings | SACMAT 2023

Proceedings of the 28th ACM Symposium on Access Control Models and Technologies (SACMAT '23)


SESSION: Keynote Talks

The Category-Based Approach to Access Control, Obligations and Privacy

The category-based access control metamodel provides an axiomatic framework for the specification of access control models. In this talk, we give an overview of the category-based approach to access control, obligation and privacy policy specification.

WebSheets: A New Privacy-Centric Framework for Web Applications

Spreadsheets are enormously popular because they enable non-programmers to create applications that manipulate tabular data. The core functionality of many web applications is to display and manipulate tabular data, typically stored in databases. These observations inspired the design of WebSheets, a no-code/low-code web application development framework that provides novel support for security and privacy. The key innovation of WebSheets is that fine-grained, data-driven security policies, as well as application logic, are expressed in the spreadsheet paradigm. This empowers data owners, who are often non-programmers, to directly implement their desired security policies. Each data table in WebSheets is paired with a permission table, which is editable only by the data table's owner. Formulas in a permission table define who can read and write cells in the associated data table. These formulas can easily express role-based, attribute-based and relationship-based access control policies as well as delegation. WebSheets guarantees that these policies are enforced during the entire lifetime of every data item, as it flows through calculations within an application and even when it is passed between applications. While providing global privacy guarantees similar to information flow control systems, WebSheets enables end users to work with the more familiar access control policies. Any user wishing to safeguard their data should store them in tables they own, thereby requiring all web applications to access their data by referencing their tables. This ensures that all applications will respect their access policies in the associated permission tables. By automatically filtering out inaccessible rows and columns, WebSheets presents user-customized views that are the key feature of many web applications.

Additional key features of WebSheets include: secure and scalable distributed evaluation techniques that confine WebSheets computations using OS-based access control and sandboxing mechanisms to enforce the principle of least privilege; secure integration with external systems, including web servers, databases, web browsers, user interfaces, and external modules, where the benefits of distributed, least-privilege evaluation extend to modules written in any language; policy analysis, including novel techniques to help users understand policies and debug policy errors, and to improve policies over time, either to correct problems or respond to changes in use; and an expressive formula language that features first-class tables, seamless integration of access control and input validation, and support for declassification.

Web application vulnerabilities have been the dominant cause of data breaches in recent years. As defenses against lower-level vulnerabilities have come to be widely deployed, attackers are targeting higher-level errors. WebSheets addresses the following three common types of higher-level errors.

Omitted or incorrectly coded security policies. Key stakeholders in data privacy are typically non-programmers that need to first communicate their security requirements to developers that then implement them. Developers may misunderstand the desired policies or implement simpler, relaxed policies as a result of pressure to deliver required functionality on time. In WebSheets, data owners can directly express desired fine-grained security policies using formulas.

Incorrect placement of security checks. Today, policies are enforced mainly by ad-hoc placement of security checks throughout a web application's code. This lack of separation of concerns makes it hard to check whether important security policies are correctly implemented and soundly enforced by complete mediation. In WebSheets, security policies are separated from other application logic and enforced automatically on all data paths.

Vulnerabilities that create unintended dataflows. Command and data injection vulnerabilities provide avenues for attackers to create new data flows, allowing data breaches to occur. The underlying problem is that web applications generally execute with a superset of the privileges available to all end users. In contrast, WebSheets by default executes with the privilege of the requesting user. Hence, data inaccessible to that user won't be leaked or corrupted, despite vulnerabilities in the application code or the WebSheets evaluation engine.

WebSheets is related to commercial no-code and low-code web application development frameworks for creating mobile apps and web apps centered around interacting with tabular data stored in databases or spreadsheets, such as Google AppSheet and Glide Apps, but they lack WebSheets's key features listed above. This is joint work with R. Sekar. Preliminary work on WebSheets is described in [1,2].
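The abstract describes three mechanisms worth seeing together: a permission table paired with a data table, per-column formulas that express role-, attribute- and relationship-based rules plus delegation, and application code that runs with the requesting user's privilege so that an over-broad query cannot leak cells the user may not read. The following is an added illustrative model written for this page, not WebSheets code: the formula language is replaced by Python predicates, and the table names, users and the `DELEGATIONS` map are constructed sample data.

```python
"""Toy model of the WebSheets idea: every data table is paired with a
permission table whose per-column formulas decide who may read or write
a cell, and application code only ever sees the requesting user's view.
Illustrative code written for this page; formulas are Python predicates."""
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # role-based rules
    attrs: dict = field(default_factory=dict)  # attribute-based rules

@dataclass
class DataTable:
    owner: str
    columns: list
    rows: list = field(default_factory=list)   # one dict per row

@dataclass
class PermissionTable:
    """One read and one write predicate over (user, row) per column."""
    owner: str
    read: dict
    write: dict

# Constructed sample data: a patient table owned by a clinic.
PATIENTS = DataTable(
    owner="clinic",
    columns=["id", "name", "diagnosis", "billing"],
    rows=[
        {"id": 1, "name": "alice", "diagnosis": "flu", "billing": 120},
        {"id": 2, "name": "bob", "diagnosis": "asthma", "billing": 300},
    ],
)

# Delegation (constructed): patient name -> users allowed to read their row.
DELEGATIONS = {"bob": {"carol"}}

PERMS = PermissionTable(
    owner="clinic",
    read={
        "id": lambda u, r: True,
        "name": lambda u, r: True,
        # RBAC (doctor role), ReBAC (row is about the requester) and
        # delegation, combined in one formula.
        "diagnosis": lambda u, r: "doctor" in u.roles
        or u.name == r["name"]
        or u.name in DELEGATIONS.get(r["name"], set()),
        # ABAC: billing is visible only to finance-department staff.
        "billing": lambda u, r: u.attrs.get("dept") == "finance",
    },
    write={
        "id": lambda u, r: False,
        "name": lambda u, r: False,
        "diagnosis": lambda u, r: "doctor" in u.roles,
        "billing": lambda u, r: u.attrs.get("dept") == "finance",
    },
)

def view(table, perms, user):
    """User-customized view: unreadable cells are filtered out and rows
    with no readable cell are dropped entirely."""
    result = []
    for row in table.rows:
        visible = {c: row[c] for c in table.columns if perms.read[c](user, row)}
        if visible:
            result.append(visible)
    return result

def write_cell(table, perms, user, row_id, column, value):
    """Every write is mediated by the permission table; denial raises."""
    for row in table.rows:
        if row["id"] == row_id:
            if not perms.write[column](user, row):
                raise PermissionError(f"{user.name} may not write {column}")
            row[column] = value
            return row
    raise KeyError(row_id)

def set_read_formula(perms, user, column, formula):
    """The permission table is editable only by the data table's owner."""
    if user.name != perms.owner:
        raise PermissionError("only the owner edits the permission table")
    perms.read[column] = formula

def report_all(user):
    """Application logic with an over-broad query (no filter at all).
    It runs against the requester's view, so the bug cannot widen access."""
    return view(PATIENTS, PERMS, user)
```

Because `report_all` never touches `PATIENTS` directly, a missing check in the application layer (the second and third error types in the abstract) changes nothing about what a given user can see; the only place access is decided is the permission table, which only the owner can edit.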

Access Control Vulnerabilities in Network Protocol Implementations: How Attackers Exploit Them and What To Do About It

Authentication and access control mechanisms should verify the identity of users of a system and ensure that these users only act within their intended permissions. These mechanisms, alongside audit or intrusion detection, have been called the "foundation for information and system security" [8]. There has been a large amount of research proposing authentication and authorization mechanisms for network protocols and devices used in Operational Technology (OT) and the Internet of Things (IoT) [7]. Although these devices run our critical infrastructure, most of them still rely on simple password-based mechanisms to prevent unauthorized operations [1]. More worryingly, even these simple mechanisms often have flawed implementations, allowing malicious actors to bypass them [6].

In this talk, I will discuss several findings from our research into vulnerabilities in network protocol implementations of IoT, OT and IT systems, giving special attention to those stemming from flawed authentication and access control implementations. Examples include buffer overflows when processing user credentials, use of weak cryptography, credentials transmitted in plaintext, hardcoded credentials, authentication bypasses via MAC or IP spoofing, client-side authentication, missing critical steps in authentication, insufficient session expiration and message parsing before establishing a peer's identity. These issues were identified in implementations as diverse as embedded TCP/IP stacks [2,3], routing suites and engineering protocols for OT devices from major vendors [9]. This type of vulnerability enables attackers to take devices offline, manipulate their operational parameters, and in many cases execute arbitrary code.

I will also present statistics from a set of OT- and IoT-specific honeypots about attacks exploiting authentication bypasses, brute forcing passwords and leaking credentials. These statistics show that the most common initial access technique for these systems consists of the exploitation of remote management protocols by guessing or leaking either generic or application-specific credentials [4].

Finally, I will discuss the importance of collaborative threat intelligence and modern network access control as methods to prevent, detect and respond to such attacks [5].

SESSION: Regular Track 1: Privacy

A Framework for Privacy-Preserving White-Box Anomaly Detection using a Lattice-Based Access Control

Privacy concerns are amongst the core issues that will constrain the adoption of distributed anomaly detection. Indeed, when outsourcing anomaly detection, i.e. with a party other than the data owner running the detection, confidential or private aspects of the observed data may need protection. Some privacy-enhancing function is usually employed. Because of the impact that this restriction has on the creation of explainable alerts, finding mechanisms to balance the trade-off between privacy and usefulness has become increasingly important. Motivated by this, in this paper a privacy-preserving white-box anomaly detection framework is presented to facilitate matching the compatibility between service requirements and the privacy restrictions of a user by using an access control based on a lattice of privacy protection levels. Our framework allows entities to verify these trade-offs by specifying required protection at the level of features. We evaluate the framework in a real-world scenario within the e-health setting. The results point out that it can generate interpretable alerts while protecting the confidentiality of the data.

Privacy-Preserving Multi-Party Access Control for Third-Party UAV Services

Third-Party Unmanned Aerial Vehicle (UAV) Services, a.k.a. Drone-as-a-Service (DaaS), are an increasingly adopted business model, which enables possibly unskilled users, with no background knowledge, to operate drones and run automated drone-based tasks. Although these services provide significant advantages, the resources provided by drones are typically owned by multiple parties. Thus, Third-Party UAV services require adopting multi-party access control solutions. In this context, the leakage of the access control policies specified by the data owners might disclose confidential information and, thus, they should be protected as well. In this work, we propose a privacy-preserving multi-party access control solution tailored to the application scenarios of Third-Party UAV Services. Our solution advances an existing privacy-preserving multi-party access control framework based on Secure Function Evaluation to fit the distributed and heterogeneous nature of drone deployments. Through an extensive experimental evaluation, we demonstrate our solution can perform private policy evaluation on constrained devices in a reasonable time while requiring limited communication, memory, and energy overhead.

Federated Synthetic Data Generation with Stronger Security Guarantees

Synthetic data generation plays a crucial role in many areas where data is scarce and privacy/confidentiality is a significant concern. Generative Adversarial Networks (GANs), arguably one of the most widely used data synthesis techniques, allow for the training of a model (i.e., generator) that can generate real-looking data by playing a min-max game with a discriminator model. When multiple organizations are reluctant to share their sensitive data, GANs models can be trained in a federated manner, commonly with the use of differential privacy (DP). In order to achieve a reasonable level of model utility, DP trades privacy exhibiting vulnerability to various attacks (e.g., membership inference attack). In this paper, we propose a hybrid solution, PP-FedGAN, to the asynchronous federated, privacy-preserving training of GANs models by combining the CKKS homomorphic encryption (HE) scheme with differential privacy. The addition of HE results in around 10 seconds of overhead on the client side per round and 115 seconds on the entire training procedure. We also analyze the security of PP-FedGAN under the honest-but-curious security model. Where stronger security guarantees are required, our proposal presents a better alternative to solutions that only employ DP.

SESSION: Demo and Posters

Demo: A Multimodal Behavioral Biometric Scheme for Smartphone User Authentication (MBBS)

In this demo paper, we introduce MBBS - a tetra-model behavioral biometric authentication scheme for smartphones. MBBS leverages four modalities: the way a smartphone user (i) swipes on the touchscreen, (ii) taps any combination of "text-independent" 8-digit numbers, (iii) writes his name on the touchscreen, and (iv) the hand's micro-movements he makes during this entry process, to authenticate users. Additionally, MBBS includes a Generative Adversarial Network (GAN) powered data augmentation architecture to enhance overall accuracy and security. To this end, we aim to demonstrate the effectiveness of MBBS firstly on "real" users' samples and later on the augmented samples comprising "real" and "GAN-generated" samples, on a real Android device. MBBS is likely to enjoy maximum usability since it does not require users to remember any secret. Further, it exploits the users' familiarity with the processes and it increases the accuracy (by employing GAN in real time) without requiring a large sample size from users. Preliminary results in terms of performance, security, and usability analysis also show a positive opinion about our developed mechanism.

Poster: APETEEt -- Secure Enforcement of ABAC Policies using Trusted Execution Environment

We introduce a novel framework for efficient enforcement of Attribute-Based Access Control (ABAC) policies using trusted execution environment. An ABAC policy is represented in the form of a height-balanced tree constructed and deployed in the trusted enclave. Both the policy and its enforcement are thus protected against intentional or accidental changes. The modular design of our framework enables any application to use its APIs for building secure ABAC systems. Our initial experiments show promising results.

Poster: Attribute Based Access Control for IoT Devices in 5G Networks

The deployment of 5G technology has the potential to usher in a new era for the internet of things (IoT). The introduction of new use cases, such as massive machine-type communications (mMTC), referring to a large number of IoT devices, has resulted in the increasing importance of 5G as the basic communication infrastructure for IoT. However, the increasing connectivity of IoT devices coincides with a number of risks to security. Many IoT sensors have limited resources and, therefore, cannot perform the complex security measures required to protect them from attacks and data loss. Furthermore, IoT networks are very scattered, distributed and dynamic, so decentralised security measures are required. To address these challenges, this poster proposes the integration of attribute-based access control (ABAC) into the 5G service-based architecture. This approach aims to prevent unauthorized access to IoT devices at the network level, thereby alleviating the computational burden on resource-constrained IoT devices. By implementing ABAC, the proposed solution offers a more efficient method for managing access control within the IoT landscape in the context of 5G networks.

Poster: How to Raise a Robot - Beyond Access Control Constraints in Assistive Humanoid Robots

Humanoid robots will be able to assist humans in their daily life, in particular due to their versatile action capabilities. However, while these robots need a certain degree of autonomy to learn and explore, they also should respect various constraints, for access control and beyond. We explore incorporating privacy and security constraints (Activity-Centric Access Control and Deep Learning Based Access Control) with robot task planning approaches (classical symbolic planning and end-to-end learning-based planning). We report preliminary results on their respective trade-offs and conclude that a hybrid approach will most likely be the method of choice.

Poster: Integrating Spatio-temporal Authorization with Generic Cloud-based Software Architecture for Internet of Things Devices

The significant rise in the usage of IoT devices and their security issues has created a demand for improved security for these systems. Unfortunately, no standard IoT architecture exists, making the development of security solutions for IoT systems difficult. Towards this end, we leverage an IoT framework to create a generic IoT software architecture and integrate it with an extension of the RBAC model incorporating the time and location of users to determine access to different IoT resources. We provide a prototype implementation of the integrated architecture to show its feasibility.

Poster: Non-repudiable Secure Logging System for the Web

To resolve disputes between servicers providing web services and their users, non-repudiable evidence is crucial because it allows one party to dismiss the denial of facts or false allegations. We propose a logger that securely records web requests and responses in a Trusted Execution Environment (TEE) to generate non-repudiable evidence for web services, which we call LogNEWT: Logger for Non-rEpudiation of Web with TEE. LogNEWT solves security issues in deploying LibSEAL to practical web services, i.e., logger-bypassing, undefined user management, and complex logger verification. In addition, LogNEWT can be transparently deployed to the existing web services.

SESSION: Regular Track 2: Management and Analysis of Policies

SEAL: Capability-Based Access Control for Data-Analytic Scenarios

Data science is the basis for various disciplines in the Big-Data era. Due to the high volume, velocity, and variety of big data, data owners often store their data in data servers. In the past few years, many computation techniques have emerged to protect the security and privacy of such shared data while enabling analysis thereon. Hence, access-control systems must provide a fine-grained, multi-layer mechanism to protect data. However, the existing systems and frameworks fail to satisfy all these requirements and resolve the trust issue between data owners and analysts.

In this paper, we propose SEAL as a framework to protect the security and privacy of shared data. SEAL enables computations on shared data while they remain under the complete control of data owners through pre-defined policies. Our framework employs the capability-object model to define flexible access policies. SEAL's access-control system supports delegating and revoking access privileges and other access-control customizations. In addition, SEAL can assign security labels to privacy-sensitive data and track them to enable data owners to define where and when a data analyst can access their data. We demonstrate the practicability of our approach by presenting a prototype implementation of SEAL. Furthermore, we display the flexibility of our framework by implementing multiple data-analytic scenarios, which cover different applications.

SpaceMediator: Leveraging Authorization Policies to Prevent Spatial and Privacy Attacks in Mobile Augmented Reality

Mobile Augmented Reality (MAR) is a portable, powerful, and suitable technology that integrates digital content, e.g., 3D virtual objects, into the physical world, which not only has been implemented for multiple intents such as shopping, entertainment, gaming, etc., but it is also expected to grow at a tremendous rate in the upcoming years. Unfortunately, the applications that implement MAR, hereby referred to as MAR-Apps, bear security issues, which have been reflected in worldwide incidents such as robberies, which has led authorities to ban MAR-Apps at specific locations. Existing problems with MAR-Apps can be classified into three categories: first, Space Invasion, which implies the intrusive modification through MAR of sensitive spaces, e.g., hospitals, memorials, etc. Second, Space Affectation, which involves the degradation of users' experience via interaction with undesirable MAR or malicious entities. Finally, MAR-Apps mishandling sensitive data leads to Privacy Leaks.

To alleviate these concerns, we present an approach for Policy-Governed MAR-Apps, which allows end-users to fully control under what circumstances, e.g., their presence inside a given sensitive space, digital content may be displayed by MAR-Apps. Through SpaceMediator, a proof-of-concept MAR-App that imitates the well-known and successful MAR-App Pokemon GO, we evaluated our approach through a user study with 40 participants, who recognized and prevented the issues just described with success rates as high as 92.50%. Furthermore, there is an enriched interest in Policy-Governed MAR-Apps, as 87.50% of participants agreed with it, and 82.50% would use it to implement content-based restrictions in MAR-Apps. These promising results encourage the adoption of our solution in future MAR-Apps.

Synthesizing and Analyzing Attribute-Based Access Control Model Generated from Natural Language Policy Statements

Access control policies (ACPs) are natural language statements that describe criteria under which users can access resources. We focus on constructing the NIST Next Generation Access Control (NGAC) ABAC model from ACP statements. NGAC is more complex than RBAC or XACML ABAC as it supports dynamic, event-based policies, as well as prohibitions. We provide algorithms that use spaCy, an NLP library, to extract entities and relations from ACP sentences and convert them into the NGAC model. We then convert this NGAC model into a Neo4j representation for the purpose of analysis. We apply the approach to various real-world ACP datasets to demonstrate the feasibility and assess scalability. We demonstrate that the approach is scalable and effectively extracts the NGAC ABAC model from large ACP datasets. We also show that redundancies and inconsistencies of ACP sentences are often found in unclean datasets.

Security Analysis of Access Control Policies for Smart Homes

Ensuring security is crucial in smart home settings, where only authorized users should have access to home devices. Over the past decade, researchers have focused on developing access control policies and evaluating their efficacy in preventing unauthorized access. A new variant of Role-Based Access Control (RBAC), called Extended Generalized Role-Based Access Control (EGRBAC), has recently been introduced to capture the intricate user-device-context interactions that are prevalent in smart home environments. In this paper, we demonstrate that the task of analyzing administrative EGRBAC policies for security can be performed by reducing it to the security analysis of administrative RBAC policies. We also conducted a case study on a realistic smart home to prove the viability of our approach with respect to security requirements such as availability and privilege escalation.

SESSION: Regular Track 3: Management of Expressive Policies

Expressive Authorization Policies using Computation Principals

In authorization logics, it is natural to treat computations as principals, since systems need to decide how much authority to give computations when they execute. But unlike other kinds of principals, the authority that we want to give to computations might be based on properties of the computation itself, such as whether the computation is differentially private, or whether the computation is memory safe. Existing authorization logics do not treat computation principals specially. Instead, they identify computation principals using a brittle hash-based naming scheme: minor changes to the code produce a distinct principal, even if the new computation is equivalent to the original one. Moreover, existing authorization logics typically treat computation principals as "black boxes," leaving any reasoning about the structure, semantics, or other properties of the computation out of the logic. We introduce Coal, a novel programming-language calculus that embeds an authorization logic in its type system via the Curry-Howard isomorphism. A key innovation of Coal is computation principals: computations that can be treated like other principals but also allow reasoning about the computation itself. Critically, Coal allows equivalent computations to be treated as equivalent principals, avoiding the brittleness of identity-based approaches to computation principals. Coal enables us to cleanly express fine-grained access control policies that are dependent on the structure and semantics of computations, such as expressing trust in all computations that are analyzed to be differentially private by any program analyzer that has been verified correct.

MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy

Commercially-available software defined networking (SDN) technologies will play an important role in protecting the on-premises resources that remain as enterprises transition to zero trust architectures. However, existing solutions assume the entire network resides in a single geographic location, requiring organizations with multiple sites to manually ensure consistency of security policy across all sites. In this paper, we present MSNetViews, which extends a single, globally-defined and managed, enterprise network security policy to many geographically distributed sites. Each site operates independently and enforces a site-specific policy slice that is dynamically parameterized with user location as employees roam between sites. We build a prototype of MSNetViews and show that for an enterprise with globally distributed sites, the average time for policy state to settle after a user roams to a new site is well below two seconds. As such, we demonstrate that multisite organizations can efficiently protect their on-premises network-attached devices via a single global perspective.

The Hardness of Learning Access Control Policies

The problem of learning access control policies is receiving increasing attention in research. We contribute to the foundations of this problem by posing and addressing meaningful questions on computational hardness. Our work addresses learning access control policies in the context of three different models from the literature: the access matrix, and Role- and Relationship-Based Access Control (RBAC and ReBAC, respectively). Our underlying theory is the well-established notion of Probably Approximately Correct (PAC), with careful extensions for our setting. The data, or examples, a learning algorithm is provided in our setup is that related to access enforcement, which is the process by which a request for access to a resource is decided. For the access matrix, we pose a learning problem that turns out to be computationally easy, and another that we prove is computationally hard. We generalize the former result so we have a sufficient condition for establishing other problems to be computationally easy. With these results as the basis, we consider five learning problems in the context of RBAC, two of which turn out to be computationally hard. Finally, we consider four learning problems in the context of ReBAC, all of which turn out to be computationally easy. Every proof for a problem that is computationally easy is constructive, in that we propose a learning algorithm for the problem that is efficient, and probably, approximately correct. As such, our work makes contributions at the foundations of an important, emerging aspect of access control, and thereby, information security.

SESSION: Blue Sky/Vision Track

SAFE-PASS: Stewardship, Advocacy, Fairness and Empowerment in Privacy, Accountability, Security, and Safety for Vulnerable Groups

Our vision is to achieve societally responsible secure and trustworthy cyberspace that puts algorithmic and technological checks and balances on the indiscriminate sharing and analysis of data. We achieve this vision in a holistic manner by framing research directions with four major considerations: (i) Expanding knowledge and understanding of security and privacy perceptions and expectations in vulnerable groups, which significantly contribute to their unwillingness to share data, and use that knowledge to drive research in (a) mitigating missing/imbalanced data problems, (b) understanding and modeling security and privacy risks of data sharing, and (c) modeling utility of data sharing. (ii) Developing a risk-adaptive, policy model capable of capturing and articulating security and privacy expectations of users that are relevant in a particular context and develops associated technology to ensure provenance and accountability. (iii) Developing robust AI/ML algorithms that are transparent and explainable with respect to fairness and bias to reduce/eliminate discrimination, misuse, privacy violations, or other cyber-crimes. (iv) Developing models and techniques for a nuanced, contextually adaptive, and graded privacy paradigm that allows trade-offs between privacy and utility. Towards this, in this paper we present the SAFE-PASS framework to provide Stewardship, Advocacy, Fairness and Empowerment in Privacy, Accountability, Security, and Safety for Vulnerable Groups.

SESSION: Work-In-Progress Track

Sidecar-based Path-aware Security for Microservices

Microservice architectures decompose web applications into loosely-coupled, distributed components that interact with each other to provide an overall service. While this popular software architecture paradigm has many advantages in development and deployment, it also introduces a wider attack surface that is vulnerable to both internal and external attackers. Potentially malicious third-party services or software packages, as well as increased communication endpoints, introduce a wide array of security concerns. To improve the resiliency of microservice-based applications, many of which store sensitive data, we propose a novel, path-based anomaly detection and access control infrastructure that requires no modifications to existing software. We propose leveraging trusted proxies deployed alongside each service for request inspection, anomaly detection and signed token propagation for end-user path validation. Our approach reduces the trusted computing base away from the microservices to a smaller set of components that allow for less trust and a smaller attack surface.

Towards Automated Learning of Access Control Policies Enforced by Web Applications

Obtaining an accurate specification of the access control policy enforced by an application is essential in ensuring that it meets our security/privacy expectations. This is especially important as many real-world applications handle a large amount and variety of data objects that may have different applicable policies. We investigate the problem of automated learning of access control policies from web applications. The existing research on mining access control policies has mainly focused on developing algorithms for inferring correct and concise policies from low-level authorization information. However, little has been done in terms of systematically gathering the low-level authorization data and applications' data models that are prerequisite to such a mining process. In this paper, we propose a novel black-box approach to inferring those prerequisites and discuss our initial observations on employing such a framework in learning policies from real-world web applications.

SESSION: Regular Track 4: Extension of Access Control

Coverage-Based Testing of Obligations in NGAC Systems

The administrative obligation is a unique feature of Next Generation Access Control (NGAC), a standard for implementing fine-grained attribute-based access control. It provides a programming mechanism for run-time privilege changes by attaching administrative operations to authorized access events. However, dynamic privilege change raises a major concern because the application of NGAC has the potential of "grave harm to the authorization state through error or intent." It is important to reveal potential obligation errors that lead to incorrect privileges and privilege changes. To address this issue, this paper presents a family of coverage-based test generation methods for the obligations in NGAC applications. These methods can generate obligation tests to achieve the corresponding coverage criterion (obligation coverage, action coverage, decision coverage, or factor decision coverage). Each test consists of a sequence of obligation-triggering access events. We have applied the proposed methods to three NGAC applications. The experiment results demonstrate that they have different levels of fault-detection capability and cost-effectiveness.

Data Sharing in Social Networks

In the context of multi-user cooperative systems and, in particular, social networks, personal data is uploaded to user profiles and shared with other users. These data are often jointly owned, and the users involved may assign them different degrees of sensitivity. Controlling access to such multi-owner data, under the authority of different users, is challenging. Traditional access control policies are not expressive enough to determine whether a data disclosure meets the privacy expectations of all the parties involved. In this work, we propose a fine-grained access control model for multi-user cooperative systems and apply it to the context of social networks. We consider compound objects and extend attribute-based access control with provenance information to specify additional access control constraints. We also present a prototype implementation and provide an experimental evaluation to demonstrate the feasibility of the proposed model.

Specifying a Usage Control System

Modern system architectures require sophisticated access and usage control mechanisms. The need stems from demanding requirements for security, data sovereignty and privacy regulations, as well as the challenges presented by architectural approaches like zero trust networking. Usage control systems provide one approach to encapsulate and manage the complexities related to access and usage control. In order to trust a usage control system, it is essential to ensure that usage control policies express the intended properties and are enforced correctly. To achieve this, we need a precise specification of the intended behavior of a usage control system. For attribute-based access control, the XACML standard is a sufficient specification of the behavior of policies. Usage control models, such as UCON, extend access control with features for continuous authorization based on mutability of attribute values. This adds significant complexity to the problem of specifying the intended behavior. In this paper, we identify challenges with specifying a practical usage control system regarding continuous control, obligations, and concurrency aspects. We describe an approach to specifying the UCON+ model of Dimitrakos et al. and outline an implementation of the specification with Answer Set Programming.

Qualitative Intention-aware Attribute-based Access Control Policy Refinement

Designing access control policies is often expensive and tedious due to heterogeneous systems and services and diverse user demands. Although ABAC policy and decision engine creation methods based on machine learning have been proposed, they cannot make good access decisions for applications and situations not envisioned by the decision-makers who provide the training examples. This results in over- and under-permissiveness. In this paper, we propose a framework that refines pre-developed policies. It creates a decision engine that makes better decisions than those policies. Inspired by multiple criteria decision theory, our method uses the policy manager's qualitative intentions behind their judgments to guide access decisions so that more benefits are expected. In the evaluation, we prepare a coarse policy and a relatively elaborate policy. We refine the coarse policy to obtain a decision engine, which is compared for similarity in access decisions with the elaborate policy using AUC as a measure. The results show that our method improves the coarse policy by a difference of 12-26% in AUC and outperforms the conventional machine learning methods by a difference of 3-11% in AUC.