Security & Trust

Papers accepted at SACMAT 2014

Published: May 20, 2014
Tags: papers
The following papers have been accepted at the 18th ACM Symposium on Access Control Models and Technologies (SACMAT 2014):
  • Title: Attribute Based Access Control for APIs in Spring Security
  • Author: Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Silvio Ranise
  • Abstract: The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access of sensitive data. Available security solutions must be re-used and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism to guarantee the enforcement of authorization constraints on resources while invoking their API functions. We have developed an extension of the Spring Security framework, the standard for securing services and apps built in the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy eco-system.
  • DOI: 10.1145/2613087.2613109
  • Title: Scalable and Precise Automated Analysis of Administrative Temporal Role-Based Access Control
  • Author: Silvio Ranise, Tuan Anh Truong, Alessandro Armando
  • Abstract: Extensions of Role-Based Access Control (RBAC) policies taking into account contextual information (such as time and space) are increasingly being adopted in real-world applications. Their administration is complex since they must satisfy rapidly evolving needs. For this reason, automated techniques to identify unsafe sequences of administrative actions (i.e. actions generating policies by which a user can acquire permissions that may compromise some security goals) are fundamental tools in the administrator's tool-kit. In this paper, we propose a precise and scalable automated analysis technique for the safety of administrative temporal RBAC policies. Our approach is to translate safety problems for this kind of policy to (decidable) reachability problems of a certain class of symbolic transition systems. The correctness of the translation allows us to design a precise analysis technique for the safety of administrative RBAC policies with a finite but unknown number of users. For scalability, we present a heuristic that allows us to reduce the set of administrative actions without losing the precision of the analysis. An extensive experimental analysis confirms the scalability and precision of the approach also in comparison with a recent analysis technique developed for the same class of temporal RBAC policies.
  • DOI: 10.1145/2613087.2613102

These papers will be presented by Silvio Ranise at the Symposium, which will take place in London, Ontario (Canada), on June 25-27, 2014. The ACM Symposium on Access Control Models and Technologies (SACMAT) is the premier forum for the presentation of research results and experience reports on leading edge issues of access control, including models, systems, applications, and theory. The aims of the symposium are to share novel access control solutions that fulfil the needs of heterogeneous applications and environments, and to identify new directions for future research and development. More information is available at http://www.sacmat.org/2014/index.php

About the conference

  • Name: 18th ACM Symposium on Access Control Models and Technologies (SACMAT 2014)
  • Date: from June 20, 2014 to June 22, 2014
  • Location: Newark, NJ, USA
  • Website: http://www.sacmat.org/2014/index.php