With a number of access rules at play, along with the contexts in which they may or may not apply, it is not always obvious to a legitimate user what caused an authorization server to deny a request, nor is it possible for the administrator to specify a complete, fail-proof policy. It then becomes the responsibility of the system to act in a user-friendly manner by providing feedback that suggests possible alternatives to the requester. The system should also cover any unhandled request that it may encounter due to an incomplete system policy. At the same time, it is essential that feedback not reveal the entire policy to any user. In this paper we propose a framework, Cue, for generating feedback in XACML using logic programming in Prolog. Feedback content is protected by a meta policy, which is itself specified in XACML. First, we translate XACML policies into logic-based functors. Second, we execute a query using the parameters of the denied XACML request to identify the conditions that failed. Third, the failed condition is reported as feedback if a meta policy allows the system to reveal it. Cue is capable of generating appropriate feedback while ensuring that a desired degree of confidentiality is maintained.
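The three steps above can be sketched as follows. This is an added example, not code from the paper or from Cue: it uses Python rather than Prolog, represents rules as plain condition tuples instead of translated XACML, and all rule names, attributes and values are constructed. Choosing the rule with the fewest failed conditions as the basis for feedback is an assumption of this sketch.

```python
import operator

OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

# Step 1 analogue: each Permit rule as a list of (attribute, op, value)
# conditions. Constructed sample policy, standing in for translated XACML.
POLICY = {
    "read-record-on-shift": [
        ("role", "eq", "nurse"),
        ("ward", "eq", "cardiology"),
        ("hour", "ge", 8),
        ("hour", "le", 18),
    ],
    "read-record-auditor": [
        ("role", "eq", "auditor"),
        ("clearance", "ge", 3),
    ],
}

# Meta-policy (constructed): attributes whose failed conditions may be
# disclosed, keyed by the requester's role. Unknown roles learn nothing.
META_POLICY = {"nurse": {"ward", "hour"}, "auditor": {"clearance"}}


def holds(cond, request):
    """True if the request carries the attribute and the comparison succeeds."""
    attr, op, value = cond
    return attr in request and OPS[op](request[attr], value)


def failed_conditions(rule, request):
    """Step 2 analogue: the conditions of one rule that the request fails."""
    return [c for c in POLICY[rule] if not holds(c, request)]


def decide(request):
    """Permit if some rule has no failed condition, otherwise Deny."""
    ok = any(not failed_conditions(r, request) for r in POLICY)
    return "Permit" if ok else "Deny"


def feedback(request):
    """Step 3 analogue: (decision, failed conditions the meta-policy discloses)."""
    if decide(request) == "Permit":
        return "Permit", []
    # Assumption of this sketch: explain the nearest-miss rule only.
    rule = min(POLICY, key=lambda r: len(failed_conditions(r, request)))
    allowed = META_POLICY.get(request.get("role"), set())
    failed = failed_conditions(rule, request)
    return "Deny", [c for c in failed if c[0] in allowed]
```

A requester whose role has no meta-policy entry receives a bare Deny, so the role condition itself is never disclosed.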