Policy and Security Configuration Management in Distributed Systems
The evolution of information systems sees a continuously increasing need for flexible and sophisticated approaches for the management of security requirements. On one hand, systems are increasingly more integrated (e.g., Bring Your Own Device) and present interfaces for the invocation of services accessible through network connections. On the other hand, system administrators have the responsibility to guarantee that this integration and the consequent exposure of internal resources does not introduce vulnerabilities. The need to prove that the system correctly manages the security requirements is not only motivated by the increased exposure, but also by the need to show compliance with respect to the many regulations promulgated by governments and commercial bodies.
In modern information systems a particular area of security requirement is access control management, with security policies that describe how resources and services should be protected. These policies offer a classification of the actions on the system that distinguishes them into authorized and forbidden, depending on a variety of parameters. Given the critical role of security and their large size and complexity, concerns arise about the correctness of the policy. It is not possible anymore to rely on the security designer to have a guarantee that the policy correctly represents how the system should protect the access to resources.
The research documented in this thesis investigates new approaches for the development of a collection of both methodologies and tools, which are flexible enough to help the system administrators, or generally users, in the correct management of security requirements. Due to the complexity of this topic, the research was focused on (i) enterprise and (ii) mobile scenario
An Eclipse framework to ease notification among MyUniBG apps
The widespread diffusion of Android OS has led to a rapid explosion of the Google Play store (previously Android Market). As of 2011, the Play store includes more applications than the Apple App Store. It is natural to compare this growth to what happened years ago in the area of the World Wide Web, although in the second case, the need was to allow users to interact and collaborate more easily (e.g., social network), while now the need is to try to use the same device everywhere (e.g., office, home) and for everything (e.g., work, free time). This reflects the rising concept of “Bring Your Own Device” (BYOD). In this vision, the University of Bergamo decided to develop its own Android application (named MyUniBG) in order to provide its students and staff members with advanced features (e.g., information about lessons hours and course details). In this paper, we want to highlight how, thanks to the support provided by the Eclipse framework, we can make a step toward the “BYOD vision”.
The aim of the tool is to ease the notification (e.g., variations in lessons hours) using Google Cloud Messaging for Android, a service that allows you to send data from your server to your users’ Android-powered device, and also to receive messages from devices on the same connection. The tool, implemented as an Eclipse RAP plug-in, will provide two main functionalities: (a) “push” information to the community of devices (communication server-client), and (b) “pop” notifications from a device and share this information with others. In this scenario, MyUniBG app will be extended in order to be the front-end for the new features
Policy Specialization to Support Domain Isolation
The exponential growth of modern information systems has introduced several new challenges in the management of security requirements. Nowadays, the technological scenario has evolved and the introduction of MAC models provides a better isolation among software components and reduces the damages that the malicious or defective ones can cause to the systems. On one hand it is important to confine applications and limit the privileges that they can request. On the other hand we want to let applications benefit from the flexibility given by MAC models, such as SELinux.
In this paper we show how the constructs already available in SELinux and the specialization of security domains can be leveraged to define boundaries where the applications are confined but still able to introduce sophisticated security patterns, such as application isolation and the least privilege principle. After defining the proposed model, we describe how it can be integrated into real systems through the use of examples on Android and Apache Web Server
SeSQLite: Security Enhanced SQLite
SQLite is the most widely deployed in-process library that implements a SQL database engine. It offers high storage efficiency, fast query operation and small memory needs. Due to the fact that a complete SQLite database is stored in a single cross-platform disk file and SQLite does not support multiple users, anyone who has direct access to the file can read the whole database content. SELinux was originally developed as a Mandatory Access Control (MAC) mechanism for Linux to demonstrate how to overcome DAC limitations. However, SELinux provides per-file protection, thus the database file is treated as an atomic unit, impeding the definition of a fine-grained mandatory access control (MAC) policy for database objects.
We introduce SeSQLite, an SQLite extension that integrates SELinux access controls into SQLite with minimal performance and storage overhead. SeSQLite implements labeling and access control at both schema level (for tables and columns) and row level. This permits the management of a fine-grained access policy for database objects. A prototype has been implemented and it has been used to improve the security of Android Content Providers
A Model-Driven Approach for Securing Software Architectures
Current IT systems consist usually of several components and services that communicate and exchange data over the Internet. They have security requirements that aim at avoiding information disclosure and at showing compliance with government regulations. In order to effectively handle the security management of complex IT systems, techniques are needed to help the security administrator in the design and configuration of the security architecture. We propose a model-driven security approach for the design and generation of concrete security configurations for software architectures. In our approach the system architect models the architecture of the system by means of UML class diagrams, and then the security administrator adds security requirements to the model by means of Security4UML, a UML profile. From the model enriched with security requirements, the concrete security configuration is derived in a semi-automated way. We present a tool that supports this model-driven approach, and a case study that involves a distributed multi-user meeting scheduler application
Extending Mandatory Access Control Policies in Android
Solutions like SELinux have recently regenerated interest toward Mandatory Access Control (MAC) models. The role of MAC models can be expected to increase in modern systems, which are exposed to significant threats and manage high-value resources, due to the stronger protection they are able to offer. Android is a significant representative of these novel systems and the integration of MAC models is an important recent development in its security architecture. Opportunities indeed exist to further enrich the support offered by MAC models, increasing their flexibility and integrating them with other components of the system. We discuss a number of proposals that have recently been made in this domain.
First, we illustrate the integration of SELinux and SQLite, named SeSQLite, which permits applying MAC permissions at a fine granularity in relational databases, offering both schema-level and row-level support. Then, AppPolicyModules are presented, which let app developers specify extensions to the system-level policy that protect the resources of each specific app. Finally, an integration between SELinux and the interprocess communication services is proposed, to further regulate the cooperation among separate apps and services. All these enhancements lead to a stronger and more detailed support of the complex security requirements that characterize modern environments
Going Beyond Counting First Authors in Author Co-citation Analysis
The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed
