References
Abedin, Muhammad; Nessa, Syeda; Khan, Latifur; Thuraisingham, Bhavani. Detection and Resolution of Anomalies in Firewall Policy Rules. 2006.
Summary/Abstract
A firewall is a system acting as an interface of a network to one or more external networks. It implements the security policy of the network by deciding which packets to let through based on rules defined by the network administrator. Any error in defining the rules may compromise the system security by letting unwanted traffic pass or blocking desired traffic. Manual definition of rules often results in a set that contains conflicting, redundant or overshadowed rules, resulting in anomalies in the policy. Manually detecting and resolving these anomalies is a critical but tedious and error-prone task. Existing research on this problem has focused on the analysis and detection of the anomalies in firewall policy. Previous works define the possible relations between rules, define anomalies in terms of these relations, and present algorithms to detect the anomalies by analyzing the rules. In this paper, we discuss some necessary modifications to the existing definitions of the relations. We present a new algorithm that simultaneously detects and resolves any anomaly present in the policy rules by the necessary reorder and split operations, generating a new anomaly-free rule set. We also present a proof of correctness of the algorithm. Then we present an algorithm to merge rules where possible in order to reduce the number of rules and hence increase the efficiency of the firewall.
Sharaf, Husain; Ahmad, Imtiaz; Dimitriou, Tassos. Extended Berkeley Packet Filter: An Application Perspective. 2022.
Summary/Abstract
The extended Berkeley Packet Filter (eBPF) is a lightweight and fast 64-bit RISC-like virtual machine (VM) inside the Linux kernel. eBPF has emerged as the most promising and de facto standard way of executing untrusted, user-defined specialized code at run-time inside the kernel with strong performance, portability, flexibility, and safety guarantees. Due to these key benefits and the availability of a rich ecosystem of compilers and tools within the Linux kernel, eBPF has received widespread adoption by both industry and academia for a wide range of application domains. The most important include enhancing the performance of monitoring tools and providing a variety of new security mechanisms, data collection tools and data screening applications. In this review, we investigate the landscape of existing eBPF use-cases and trends with the aim of providing a clear roadmap for researchers and developers. We first introduce the necessary background knowledge for eBPF before delving into its applications. Although the potential use-cases of eBPF are vast, we restrict our focus to four key application domains related to networking, security, storage, and sandboxing. Then, for each application domain, we analyze and summarize solution techniques along with their working principles in an effort to provide an insightful discussion that will enable researchers and practitioners to easily adopt eBPF into their designs. Finally, we delineate several exciting research avenues to fully exploit the revolutionary eBPF technology.
Jin, Xin; Sandhu, Ravi; Krishnan, Ram. RABAC: Role-Centric Attribute-Based Access Control. 2012.
Summary/Abstract
Role-based access control (RBAC) is a commercially dominant model, standardized by the National Institute of Standards and Technology (NIST). Although RBAC provides compelling benefits for security management, it has several known deficiencies such as role explosion, wherein multiple closely related roles are required (e.g., an attending-doctor role is separately defined for each patient). Numerous extensions to RBAC have been proposed to overcome these shortcomings. Recently NIST announced an initiative to unify and standardize these extensions by integrating roles with attributes, and identified three approaches: use attributes to dynamically assign users to roles, treat roles as just another attribute, and constrain the permissions of a role via attributes. The first two approaches have been previously studied. This paper presents a formal model for the third approach for the first time in the literature. We propose the novel role-centric attribute-based access control (RABAC) model, which extends the NIST RBAC model with permission filtering policies. Unlike prior proposals addressing the role-explosion problem, RABAC does not fundamentally modify the role concept and integrates seamlessly with the NIST RBAC model. We also define an XACML profile for RABAC based on the existing XACML profile for RBAC.
Balamurugan, B; Shivitha, N Gnana; Monisha, V; Saranya, V. A Honey Bee behaviour inspired novel Attribute-based access control using enhanced Bell-LaPadula model in cloud computing. 2015.
Summary/Abstract
Cloud computing is one of the emerging technologies that is being used widely these days. It makes use of computing resources such as hardware and software that are delivered over the internet and provides remote services with the user's data, software and computation. There has been a growing trend to use the cloud for large-scale data storage. This has raised the important security issue of how to control and prevent unauthorized access to data stored in the cloud. There are various access control techniques in the cloud environment, such as IBAC, RBAC, ABAC, MAC and DAC. Among these techniques, Attribute-Based Access Control (ABAC) is gaining more importance. Here access is granted based on attributes. Our primary objective is to summarize all the access control techniques in the cloud environment. Our main objective is to come up with a Novel Attribute-Based Access Control for cloud security using an Enhanced Bell-LaPadula Model inspired by Honey Bee behaviour. The Honey Bee prevents intruders from entering its hive. This is similar to the access control mechanism in the cloud environment. It identifies a bee that belongs to the same hive by the possession of the small barbs on its sting. Similarly, we are trying to restrict users based on the possession of the correct set of attributes by using the ABAC technique.