Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: Computer Security Foundations
Guest editors: Michael BackesGuest Editor and Steve ZdancewicGuest Editor
Article type: Research Article
Authors: Basin, Davida; * | Burri, Samuel J.b | Karjoth, Günterc
Affiliations: [a] Department of Computer Science, Institute of Information Security, ETH Zurich, Zurich, Switzerland. E-mail: [email protected] | [b] Schindler Elevators Ltd, Ebikon, Switzerland. E-mail: [email protected] | [c] IBM Research – Zurich, Rüschlikon, Switzerland. E-mail: [email protected]
Correspondence: [*] Corresponding author: David Basin, Department of Computer Science, Institute of Information Security, ETH Zurich, 8092 Zurich, Switzerland. E-mail: [email protected].
Abstract: Access control is fundamental in protecting information systems but it can also pose an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints, including those specifying Separation of Duty (SoD) and Binding of Duty (BoD). To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. We formalize workflows, authorization constraints, and their enforcement using the process algebra CSP and visualize our constraints by extending the workflow modeling language BPMN. Afterwards, we consider enforcement's effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present complexity bounds for this problem and give an approximation algorithm that performs well when authorizations are evenly distributed among users. We provide tool support for our constraints in an extension of the modeling platform Oryx and report on the performance of our algorithms' implementation.
Keywords: Authorizations, separation of duty, binding of duty, workflows, obstruction, deadlock, release
DOI: 10.3233/JCS-140500
Journal: Journal of Computer Security, vol. 22, no. 5, pp. 661-698, 2014
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]