Risk assessment in distributed authorization
Proceedings of the 2005 ACM workshop on Formal methods in security engineering
Trust but verify: authorization for web services
SWS '04 Proceedings of the 2004 workshop on Secure web service
An End-To-End Approach to Distributed Policy Language Implementation
Electronic Notes in Theoretical Computer Science (ENTCS)
Risk management for distributed authorization
Journal of Computer Security
Authorization in trust management: Features and foundations
ACM Computing Surveys (CSUR)
xDomain: cross-border proofs of access
Proceedings of the 14th ACM symposium on Access control models and technologies
A modal deconstruction of access control logics
FOSSACS'08/ETAPS'08 Proceedings of the Theory and practice of software, 11th international conference on Foundations of software science and computational structures
An introduction to the role based trust management framework RT
Foundations of security analysis and design IV
A framework towards enhancing trust and authorisation for e-commerce service
International Journal of Internet Technology and Secured Transactions
PCAL: language support for proof-carrying authorization systems
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Nexus authorization logic (NAL): Design rationale and applications
ACM Transactions on Information and System Security (TISSEC)
Stateful authorization logic: proof theory and a case study
STM'10 Proceedings of the 6th international conference on Security and trust management
ICLP'05 Proceedings of the 21st international conference on Logic Programming
GPC'10 Proceedings of the 5th international conference on Advances in Grid and Pervasive Computing
A linear logic of authorization and knowledge
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
A proof-carrying file system with revocable and use-once certificates
STM'11 Proceedings of the 7th international conference on Security and Trust Management
New modalities for access control logics: permission, control and ratification
STM'11 Proceedings of the 7th international conference on Security and Trust Management
Noninterference in a predicative polymorphic calculus for access control
Computer Languages, Systems and Structures
Stateful authorization logic -- Proof theory and a case study
Journal of Computer Security - STM'10
After a short period of being not much more than a curiosity, the World-Wide Web quickly became an important medium for discussion, commerce, and business. Instead of holding just information that the entire world could see, web pages also came to be used to access email, financial records, and other personal or proprietary data that was meant to be viewed only by particular individuals or groups. This made it necessary to design mechanisms that would restrict access to web pages. Unfortunately, most current mechanisms are lacking in generality and flexibility—they interoperate poorly and can express only a limited number of security policies. We view access control on the web as a general distributed authorization problem and develop a solution by adapting the techniques of proof-carrying authorization, a framework for defining security logics based on higher-order logic. In this dissertation we present a particular logic for modeling access-control scenarios that occur on the web. We give this application-specific logic a semantics in higher-order logic, thus ensuring its soundness, and use it to implement a system that regulates access to web pages. Our system uncouples authorization from authentication, allowing for better interoperation across administrative domains and more expressive security policies. Our implementation consists of a web server module and a local web proxy. The server allows access to pages only if the web browser can demonstrate that it is authorized to view them. The browser's local proxy accomplishes this by mechanically constructing a proof of a challenge sent to it by the server. Our system supports arbitrarily complex delegation, and we implement a framework that lets the web browser locate and use pieces of the security policy that have been distributed across arbitrary hosts. Our system was built for controlling access to web pages, but could relatively easily be extended to encompass access control for other applications as well.