VAC+: Verifier of Access Control View Homepage


Ontology type: schema:MonetaryGrant     


Grant Info

YEARS

2017-2019

FUNDING AMOUNT

100745 GBP

ABSTRACT

Access Control is concerned with controlling which users of a computer system should have permission to access particular resources such as files. Today, there exists a variety of formal authorization models to meet the wide needs of requirements in specifying access control policies. These include Discretionary Access Control, Mandatory Access Control and Role Based Access Control (RBAC). Recognizing the industry needs, RBAC has been widely deployed in most commercial software including Microsoft Azure, Microsoft Active Directory, and Oracle DBMS. Under RBAC, roles represent organizational agents that perform certain job functions, and permissions to access objects are grouped as roles. Users, in turn, are assigned appropriate roles based on their responsibilities and qualifications. During the past two decades, a number of extensions to the basic RBAC have been made to fit the needs of real-world sectors including mobile, manufacturing, healthcare, and financial services where access permissions need to be granted not only on the basis of roles that individual users possesses but also according to contextual information including the access request time, the user location, sequencing and temporal dependencies between permissions. UK NHS, for instance, implements a variant of RBAC that is able to capture complex policies expressing legitimate relationships and patient consent management. The need for security analysis: Analysis is essential to understand the implications of access control policies. Although each policy may appear innocent in isolation, their cumulative effect may lead to an undesirable authorization state. A study of the formal behavior of the access control system implemented, helps organizations gain confidence on the level of control they have on the resources they manage. Moreover, security analysis helps designers set policies so that owners do not unknowingly lose control on resources, and make changes to the policies only if the analysis yields no security violations. Policy analysis allows designers to gauge what security breaches could happen if several untrusted users started exploiting the rules to gain unintended permissions in the system. When employees gain more access than necessary, there are several risks: they could abuse that access, or lose information they have access to, or be socially engineered into giving that access to a malfeasant. Unfortunately, security breaches due to unintended access are frequent and can have significant implications including financial and reputation losses. The Vormetric Insider Threat Report (2015) remarks that privilege escalation, where users incrementally gain access rights beyond their requirements, usually as a result of job role changes, is a serious issue for many organizations. The IBM 2016 cyber security report shows that about 60% of recorded attacks have been carried out by insiders. 15% of such attacks involve inadvertent actors, for instance, when users' credentials are lost or stolen. Two recent examples are 1) at Sony when attackers gained unfettered access to the network through a set of stolen credentials, 2) and Home Depot, where a third-party air conditioning supplier with excessive access rights was hacked. Interestingly, the report also shows that the most critical sectors are healthcare, manufacturing and financial services. Aim of the Project: Several RBAC extensions have been proposed in order to fulfill the requirements of emerging and critical sectors, however, there is a lack of techniques and tools for analysing their security guarantees. The aim of this project is to reduce this key research gap by expanding the real-world scenarios in which security analysis of access control is useful and effective. Specifically, we aim at developing a framework for the security analysis of such policies that features a simple yet expressive for expressing policies as well as scalable solutions for checking their security guarantees. More... »

URL

http://gtr.rcuk.ac.uk/project/C927E51D-44B2-4679-8256-FD19D43BAC20

Related SciGraph Publications

  • 2017. Preventing Unauthorized Data Flows in DATA AND APPLICATIONS SECURITY AND PRIVACY XXXI
  • 2017. Toward Group-Based User-Attribute Policies in Azure-Like Access Control Systems in DATA AND APPLICATIONS SECURITY AND PRIVACY XXXI
  • JSON-LD is the canonical representation for SciGraph data.

    TIP: You can open this SciGraph record using an external JSON-LD service: JSON-LD Playground Google SDTT

    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/2208", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "type": "DefinedTerm"
          }
        ], 
        "amount": {
          "currency": "GBP", 
          "type": "MonetaryAmount", 
          "value": "100745"
        }, 
        "description": "Access Control is concerned with controlling which users of a computer system should have permission to access particular resources such as files. Today, there exists a variety of formal authorization models to meet the wide needs of requirements in specifying access control policies. These include Discretionary Access Control, Mandatory Access Control and Role Based Access Control (RBAC). Recognizing the industry needs, RBAC has been widely deployed in most commercial software including Microsoft Azure, Microsoft Active Directory, and Oracle DBMS. Under RBAC, roles represent organizational agents that perform certain job functions, and permissions to access objects are grouped as roles. Users, in turn, are assigned appropriate roles based on their responsibilities and qualifications. During the past two decades, a number of extensions to the basic RBAC have been made to fit the needs of real-world sectors including mobile, manufacturing, healthcare, and financial services where access permissions need to be granted not only on the basis of roles that individual users possesses but also according to contextual information including the access request time, the user location, sequencing and temporal dependencies between permissions. UK NHS, for instance, implements a variant of RBAC that is able to capture complex policies expressing legitimate relationships and patient consent management. \n\nThe need for security analysis: Analysis is essential to understand the implications of access control policies. Although each policy may appear innocent in isolation, their cumulative effect may lead to an undesirable authorization state. A study of the formal behavior of the access control system implemented, helps organizations gain confidence on the level of control they have on the resources they manage. Moreover, security analysis helps designers set policies so that owners do not unknowingly lose control on resources, and make changes to the policies only if the analysis yields no security violations. Policy analysis allows designers to gauge what security breaches could happen if several untrusted users started exploiting the rules to gain unintended permissions in the system. When employees gain more access than necessary, there are several risks: they could abuse that access, or lose information they have access to, or be socially engineered into giving that access to a malfeasant. Unfortunately, security breaches due to unintended access are frequent and can have significant implications including financial and reputation losses. The Vormetric Insider Threat Report (2015) remarks that privilege escalation, where users incrementally gain access rights beyond their requirements, usually as a result of job role changes, is a serious issue for many organizations. The IBM 2016 cyber security report shows that about 60% of recorded attacks have been carried out by insiders. 15% of such attacks involve inadvertent actors, for instance, when users' credentials are lost or stolen. Two recent examples are 1) at Sony when attackers gained unfettered access to the network through a set of stolen credentials, 2) and Home Depot, where a third-party air conditioning supplier with excessive access rights was hacked. Interestingly, the report also shows that the most critical sectors are healthcare, manufacturing and financial services. \n\nAim of the Project: Several RBAC extensions have been proposed in order to fulfill the requirements of emerging and critical sectors, however, there is a lack of techniques and tools for analysing their security guarantees. The aim of this project is to reduce this key research gap by expanding the real-world scenarios in which security analysis of access control is useful and effective. Specifically, we aim at developing a framework for the security analysis of such policies that features a simple yet expressive for expressing policies as well as scalable solutions for checking their security guarantees.", 
        "endDate": "2019-03-29T00:00:00Z", 
        "funder": {
          "id": "https://www.grid.ac/institutes/grid.421091.f", 
          "type": "Organization"
        }, 
        "id": "sg:grant.6621584", 
        "identifier": [
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "6621584"
            ]
          }, 
          {
            "name": "gtr_id", 
            "type": "PropertyValue", 
            "value": [
              "C927E51D-44B2-4679-8256-FD19D43BAC20"
            ]
          }
        ], 
        "inLanguage": [
          "en"
        ], 
        "keywords": [
          "certain job functions", 
          "framework", 
          "object", 
          "Several RBAC extensions", 
          "Microsoft Azure", 
          "security guarantees", 
          "several untrusted users", 
          "policy", 
          "unintended access", 
          "access control system", 
          "requirements", 
          "particular resource", 
          "VAC+", 
          "turn", 
          "policy analysis", 
          "patient consent management", 
          "computer systems", 
          "number", 
          "insiders", 
          "need", 
          "Sony", 
          "industry", 
          "report", 
          "changes", 
          "privilege escalation", 
          "permission", 
          "appropriate role", 
          "financial services", 
          "wider needs", 
          "complex policies", 
          "job role changes", 
          "set", 
          "extension", 
          "user location", 
          "unintended permissions", 
          "technique", 
          "credentials", 
          "results", 
          "project", 
          "access request time", 
          "Microsoft Active Directory", 
          "resources", 
          "system", 
          "Home Depot", 
          "security violations", 
          "attack", 
          "basic RBAC", 
          "contextual information", 
          "Oracle DBMS", 
          "decades", 
          "scalable solution", 
          "temporal dependencies", 
          "variants", 
          "remarks", 
          "mandatory access control", 
          "access", 
          "employees", 
          "analysis", 
          "critical sectors", 
          "confidence", 
          "information", 
          "order", 
          "isolation", 
          "IBM 2016 cyber security report", 
          "many organizations", 
          "significant implications", 
          "excessive access rights", 
          "such attacks", 
          "tool", 
          "cumulative effect", 
          "users' credentials", 
          "Vormetric Insider Threat Report", 
          "basis", 
          "access rights", 
          "formal behavior", 
          "malfeasants", 
          "study", 
          "more access", 
          "access control policies", 
          "access permissions", 
          "Role Based Access Control", 
          "several risks", 
          "designers", 
          "attacker", 
          "files", 
          "key research gaps", 
          "such policies", 
          "verifier", 
          "manufacturing", 
          "levels", 
          "control", 
          "legitimate relationship", 
          "third-party air conditioning supplier", 
          "inadvertent actors", 
          "analysis yields", 
          "owners", 
          "mobile", 
          "security breaches", 
          "serious issue", 
          "organization", 
          "security analysis", 
          "users", 
          "healthcare", 
          "responsibility", 
          "network", 
          "undesirable authorization state", 
          "variety", 
          "reputation loss", 
          "lack", 
          "UK NHS", 
          "real-world sectors", 
          "organizational agents", 
          "instance", 
          "role", 
          "unfettered access", 
          "formal authorization models", 
          "qualification", 
          "discretionary access control", 
          "sequencing", 
          "aim", 
          "real-world scenarios", 
          "recent examples", 
          "individual users", 
          "rules", 
          "access control", 
          "today", 
          "implications", 
          "most commercial software"
        ], 
        "name": "VAC+: Verifier of Access Control", 
        "recipient": [
          {
            "id": "https://www.grid.ac/institutes/grid.5491.9", 
            "type": "Organization"
          }, 
          {
            "affiliation": {
              "id": "https://www.grid.ac/institutes/grid.5491.9", 
              "name": "University of Southampton", 
              "type": "Organization"
            }, 
            "familyName": "Ferrara", 
            "givenName": "Anna Lisa", 
            "id": "sg:person.014344657406.34", 
            "type": "Person"
          }, 
          {
            "member": "sg:person.014344657406.34", 
            "roleName": "PI", 
            "type": "Role"
          }
        ], 
        "sameAs": [
          "https://app.dimensions.ai/details/grant/grant.6621584"
        ], 
        "sdDataset": "grants", 
        "sdDatePublished": "2019-03-07T11:34", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com.uberresearch.data.processor/core_data/20181219_192338/projects/base/gtr_projects_2.xml.gz", 
        "startDate": "2017-07-31T23:00:00Z", 
        "type": "MonetaryGrant", 
        "url": "http://gtr.rcuk.ac.uk/project/C927E51D-44B2-4679-8256-FD19D43BAC20"
      }
    ]
     

    Download the RDF metadata as:  json-ld nt turtle xml License info

    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/grant.6621584'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/grant.6621584'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/grant.6621584'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/grant.6621584'


     

    This table displays all metadata directly associated to this object as RDF triples.

    172 TRIPLES      19 PREDICATES      150 URIs      142 LITERALS      5 BLANK NODES

    Subject Predicate Object
    1 sg:grant.6621584 schema:about anzsrc-for:2208
    2 schema:amount N5f8e739bcc8a478f9e6713e6c374b7ed
    3 schema:description Access Control is concerned with controlling which users of a computer system should have permission to access particular resources such as files. Today, there exists a variety of formal authorization models to meet the wide needs of requirements in specifying access control policies. These include Discretionary Access Control, Mandatory Access Control and Role Based Access Control (RBAC). Recognizing the industry needs, RBAC has been widely deployed in most commercial software including Microsoft Azure, Microsoft Active Directory, and Oracle DBMS. Under RBAC, roles represent organizational agents that perform certain job functions, and permissions to access objects are grouped as roles. Users, in turn, are assigned appropriate roles based on their responsibilities and qualifications. During the past two decades, a number of extensions to the basic RBAC have been made to fit the needs of real-world sectors including mobile, manufacturing, healthcare, and financial services where access permissions need to be granted not only on the basis of roles that individual users possesses but also according to contextual information including the access request time, the user location, sequencing and temporal dependencies between permissions. UK NHS, for instance, implements a variant of RBAC that is able to capture complex policies expressing legitimate relationships and patient consent management. The need for security analysis: Analysis is essential to understand the implications of access control policies. Although each policy may appear innocent in isolation, their cumulative effect may lead to an undesirable authorization state. A study of the formal behavior of the access control system implemented, helps organizations gain confidence on the level of control they have on the resources they manage. Moreover, security analysis helps designers set policies so that owners do not unknowingly lose control on resources, and make changes to the policies only if the analysis yields no security violations. Policy analysis allows designers to gauge what security breaches could happen if several untrusted users started exploiting the rules to gain unintended permissions in the system. When employees gain more access than necessary, there are several risks: they could abuse that access, or lose information they have access to, or be socially engineered into giving that access to a malfeasant. Unfortunately, security breaches due to unintended access are frequent and can have significant implications including financial and reputation losses. The Vormetric Insider Threat Report (2015) remarks that privilege escalation, where users incrementally gain access rights beyond their requirements, usually as a result of job role changes, is a serious issue for many organizations. The IBM 2016 cyber security report shows that about 60% of recorded attacks have been carried out by insiders. 15% of such attacks involve inadvertent actors, for instance, when users' credentials are lost or stolen. Two recent examples are 1) at Sony when attackers gained unfettered access to the network through a set of stolen credentials, 2) and Home Depot, where a third-party air conditioning supplier with excessive access rights was hacked. Interestingly, the report also shows that the most critical sectors are healthcare, manufacturing and financial services. Aim of the Project: Several RBAC extensions have been proposed in order to fulfill the requirements of emerging and critical sectors, however, there is a lack of techniques and tools for analysing their security guarantees. The aim of this project is to reduce this key research gap by expanding the real-world scenarios in which security analysis of access control is useful and effective. Specifically, we aim at developing a framework for the security analysis of such policies that features a simple yet expressive for expressing policies as well as scalable solutions for checking their security guarantees.
    4 schema:endDate 2019-03-29T00:00:00Z
    5 schema:funder https://www.grid.ac/institutes/grid.421091.f
    6 schema:identifier N3a6222a081644ce7b7d2b499d7b8a74c
    7 Ndcd86ceb03b544f9b70938d70ef4bdf9
    8 schema:inLanguage en
    9 schema:keywords Home Depot
    10 IBM 2016 cyber security report
    11 Microsoft Active Directory
    12 Microsoft Azure
    13 Oracle DBMS
    14 Role Based Access Control
    15 Several RBAC extensions
    16 Sony
    17 UK NHS
    18 VAC+
    19 Vormetric Insider Threat Report
    20 access
    21 access control
    22 access control policies
    23 access control system
    24 access permissions
    25 access request time
    26 access rights
    27 aim
    28 analysis
    29 analysis yields
    30 appropriate role
    31 attack
    32 attacker
    33 basic RBAC
    34 basis
    35 certain job functions
    36 changes
    37 complex policies
    38 computer systems
    39 confidence
    40 contextual information
    41 control
    42 credentials
    43 critical sectors
    44 cumulative effect
    45 decades
    46 designers
    47 discretionary access control
    48 employees
    49 excessive access rights
    50 extension
    51 files
    52 financial services
    53 formal authorization models
    54 formal behavior
    55 framework
    56 healthcare
    57 implications
    58 inadvertent actors
    59 individual users
    60 industry
    61 information
    62 insiders
    63 instance
    64 isolation
    65 job role changes
    66 key research gaps
    67 lack
    68 legitimate relationship
    69 levels
    70 malfeasants
    71 mandatory access control
    72 manufacturing
    73 many organizations
    74 mobile
    75 more access
    76 most commercial software
    77 need
    78 network
    79 number
    80 object
    81 order
    82 organization
    83 organizational agents
    84 owners
    85 particular resource
    86 patient consent management
    87 permission
    88 policy
    89 policy analysis
    90 privilege escalation
    91 project
    92 qualification
    93 real-world scenarios
    94 real-world sectors
    95 recent examples
    96 remarks
    97 report
    98 reputation loss
    99 requirements
    100 resources
    101 responsibility
    102 results
    103 role
    104 rules
    105 scalable solution
    106 security analysis
    107 security breaches
    108 security guarantees
    109 security violations
    110 sequencing
    111 serious issue
    112 set
    113 several risks
    114 several untrusted users
    115 significant implications
    116 study
    117 such attacks
    118 such policies
    119 system
    120 technique
    121 temporal dependencies
    122 third-party air conditioning supplier
    123 today
    124 tool
    125 turn
    126 undesirable authorization state
    127 unfettered access
    128 unintended access
    129 unintended permissions
    130 user location
    131 users
    132 users' credentials
    133 variants
    134 variety
    135 verifier
    136 wider needs
    137 schema:name VAC+: Verifier of Access Control
    138 schema:recipient N718d56c5ecae48e299b864559f620f1e
    139 sg:person.014344657406.34
    140 https://www.grid.ac/institutes/grid.5491.9
    141 schema:sameAs https://app.dimensions.ai/details/grant/grant.6621584
    142 schema:sdDatePublished 2019-03-07T11:34
    143 schema:sdLicense https://scigraph.springernature.com/explorer/license/
    144 schema:sdPublisher Nb67426e51e3f4a0ca791cb2da66c3d9a
    145 schema:startDate 2017-07-31T23:00:00Z
    146 schema:url http://gtr.rcuk.ac.uk/project/C927E51D-44B2-4679-8256-FD19D43BAC20
    147 sgo:license sg:explorer/license/
    148 sgo:sdDataset grants
    149 rdf:type schema:MonetaryGrant
    150 N3a6222a081644ce7b7d2b499d7b8a74c schema:name gtr_id
    151 schema:value C927E51D-44B2-4679-8256-FD19D43BAC20
    152 rdf:type schema:PropertyValue
    153 N5f8e739bcc8a478f9e6713e6c374b7ed schema:currency GBP
    154 schema:value 100745
    155 rdf:type schema:MonetaryAmount
    156 N718d56c5ecae48e299b864559f620f1e schema:member sg:person.014344657406.34
    157 schema:roleName PI
    158 rdf:type schema:Role
    159 Nb67426e51e3f4a0ca791cb2da66c3d9a schema:name Springer Nature - SN SciGraph project
    160 rdf:type schema:Organization
    161 Ndcd86ceb03b544f9b70938d70ef4bdf9 schema:name dimensions_id
    162 schema:value 6621584
    163 rdf:type schema:PropertyValue
    164 anzsrc-for:2208 schema:inDefinedTermSet anzsrc-for:
    165 rdf:type schema:DefinedTerm
    166 sg:person.014344657406.34 schema:affiliation https://www.grid.ac/institutes/grid.5491.9
    167 schema:familyName Ferrara
    168 schema:givenName Anna Lisa
    169 rdf:type schema:Person
    170 https://www.grid.ac/institutes/grid.421091.f schema:Organization
    171 https://www.grid.ac/institutes/grid.5491.9 schema:name University of Southampton
    172 rdf:type schema:Organization
     




    Preview window. Press ESC to close (or click here)


    ...