Matching Items (17)
Filtering by
- All Subjects: Security
- Creators: Computer Science and Engineering Program
- Creators: Dasgupta, Partha
- Member of: Theses and Dissertations
- Resource Type: Text
Description
Attribute Based Access Control (ABAC) mechanisms have been attracting a lot of interest from the research community in recent times. This is especially because of the flexibility and extensibility it provides by using attributes assigned to subjects as the basis for access control. ABAC enables an administrator of a server to enforce access policies on the data, services and other such resources fairly easily. It also accommodates new policies and changes to existing policies gracefully, thereby making it a potentially good mechanism for implementing access control in large systems, particularly in today's age of Cloud Computing. However management of the attributes in ABAC environment is an area that has been little touched upon. Having a mechanism to allow multiple ABAC based systems to share data and resources can go a long way in making ABAC scalable. At the same time each system should be able to specify their own attribute sets independently. In the research presented in this document a new mechanism is proposed that would enable users to share resources and data in a cloud environment using ABAC techniques in a distributed manner. The focus is mainly on decentralizing the access policy specifications for the shared data so that each data owner can specify the access policy independent of others. The concept of ontologies and semantic web is introduced in the ABAC paradigm that would help in giving a scalable structure to the attributes and also allow systems having different sets of attributes to communicate and share resources.
ContributorsPrabhu Verleker, Ashwin Narayan (Author) / Huang, Dijiang (Thesis advisor) / Ahn, Gail-Joon (Committee member) / Dasgupta, Partha (Committee member) / Arizona State University (Publisher)
Created2014
Description
Access control is one of the most fundamental security mechanisms used in the design and management of modern information systems. However, there still exists an open question on how formal access control models can be automatically analyzed and fully realized in secure system development. Furthermore, specifying and managing access control policies are often error-prone due to the lack of effective analysis mechanisms and tools. In this dissertation, I present an Assurance Management Framework (AMF) that is designed to cope with various assurance management requirements from both access control system development and policy-based computing. On one hand, the AMF framework facilitates comprehensive analysis and thorough realization of formal access control models in secure system development. I demonstrate how this method can be applied to build role-based access control systems by adopting the NIST/ANSI RBAC standard as an underlying security model. On the other hand, the AMF framework ensures the correctness of access control policies in policy-based computing through automated reasoning techniques and anomaly management mechanisms. A systematic method is presented to formulate XACML in Answer Set Programming (ASP) that allows users to leverage off-the-shelf ASP solvers for a variety of analysis services. In addition, I introduce a novel anomaly management mechanism, along with a grid-based visualization approach, which enables systematic and effective detection and resolution of policy anomalies. I further evaluate the AMF framework through modeling and analyzing multiparty access control in Online Social Networks (OSNs). A MultiParty Access Control (MPAC) model is formulated to capture the essence of multiparty authorization requirements in OSNs. In particular, I show how AMF can be applied to OSNs for identifying and resolving privacy conflicts, and representing and reasoning about MPAC model and policy. To demonstrate the feasibility of the proposed methodology, a suite of proof-of-concept prototype systems is implemented as well.
ContributorsHu, Hongxin (Author) / Ahn, Gail-Joon (Thesis advisor) / Yau, Stephen S. (Committee member) / Dasgupta, Partha (Committee member) / Ye, Nong (Committee member) / Arizona State University (Publisher)
Created2012
Description
The quality of user interface designs largely depends on the aptitude of the designer. The ability to generate mental abstract models and characterize a target user audience helps greatly when conceiving a design. The dry cleaning point-of-sale industry lacks quality user interface designs. These impaired interfaces were compared with textbook design techniques to discover how applicable published interface design concepts are in practice. Four variations of a software package were deployed to end users. Each variation contained different design techniques. Surveyed users responded positively to interface design practices that were consistent and easy to learn. This followed textbook expectations. Users however responded poorly to customization options, an important feature according to textbook material. The study made conservative changes to the four interface variations provided to end-users. A more liberal approach may have yielded additional results.
ContributorsSmith, Andrew David (Author) / Nakamura, Mutsumi (Thesis director) / Gottesman, Aaron (Committee member) / Barrett, The Honors College (Contributor) / Electrical Engineering Program (Contributor)
Created2014-05
Description
Modern computer processors contain an embedded firmware known as microcode that controls decode and execution of x86 instructions. Although proprietary and relatively obscure, this microcode can be modified using updates released by hardware manufacturers to correct processor logic flaws (errata). At the same time, a malicious microcode update could compromise a processor by implementing new malicious instructions or altering the functionality of existing instructions, including processor-accelerated virtualization or cryptographic primitives. Not only is this attack vector capable of subverting all software-enforced security policies and access controls, but it also leaves behind no postmortem forensic evidence since the write-only patch memory is cleared upon system reset. Although supervisor privileges (ring zero) are required to update processor microcode, this attack cannot be easily mitigated due to the implementation of microcode update functionality within processor silicon. In this paper, we reveal the microarchitecture and mechanism of microcode updates, present a security analysis of this attack vector, and provide some mitigation suggestions.
ContributorsChen, Daming Dominic (Author) / Ahn, Gail-Joon (Thesis director) / Lee, Joohyung (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor) / School of International Letters and Cultures (Contributor) / School of Mathematical and Statistical Sciences (Contributor)
Created2014-05
Description
We discuss processes involved in user-centric security design, including the synthesis of goals based on security and usability tasks. We suggest the usage of implicit security and the facilitation of secureuser actions. We propose a process for evaluating usability flaws by treating them as security threats and adapting traditional HCI methods. We discuss how to correct these flaws once they are discovered. Finally, we discuss the Usable Security Development Model for developing usable secure systems.
ContributorsJorgensen, Jan Drake (Author) / Ahn, Gail-Joon (Thesis director) / VanLehn, Kurt (Committee member) / Wilkerson, Kelly (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor)
Created2013-05
Description
Over the course of computing history there have been many ways for humans to pass information to computers. These different input types, at first, tended to be used one or two at a time for the users interfacing with computers. As time has progressed towards the present, however, many devices are beginning to make use of multiple different input types, and will likely continue to do so. With this happening, users need to be able to interact with single applications through a variety of ways without having to change the design or suffer a loss of functionality. This is important because having only one user interface, UI, across all input types is makes it easier for the user to learn and keeps all interactions consistent across the application. Some of the main input types in use today are touch screens, mice, microphones, and keyboards; all seen in Figure 1 below. Current design methods tend to focus on how well the users are able to learn and use a computing system. It is good to focus on those aspects, but it is important to address the issues that come along with using different input types, or in this case, multiple input types. UI design for touch screens, mice, microphones, and keyboards each requires satisfying a different set of needs. Due to this trend in single devices being used in many different input configurations, a "fully functional" UI design will need to address the needs of multiple input configurations. In this work, clashing concerns are described for the primary input sources for computers and suggests methodologies and techniques for designing a single UI that is reasonable for all of the input configurations.
ContributorsJohnson, David Bradley (Author) / Calliss, Debra (Thesis director) / Wilkerson, Kelly (Committee member) / Walker, Erin (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor)
Created2013-05
Description
Radio Frequency Identification (RFID) technology allows objects to be identified electronically by way of a small electronic tag. RFID is quickly becoming quite popular, and there are many security hurdles for this technology to overcome. The iCLASS line of RFID, produced by HID Global, is one such technology that is widely used for secure access control and applications where a contactless authentication element is desirable. Unfortunately, iCLASS has been shown to have security issues. Nevertheless customers continue to use it because of the great cost that would be required to completely replace it. This Honors Thesis will address attacks against iCLASS and means for countering them that do not require such an overhaul.
ContributorsMellott, Matthew John (Author) / Ahn, Gail-Joon (Thesis director) / Thorstenson, Tina (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor)
Created2014-05
Description
IoT Media broadcast devices, such as the Roku stick, Amazon Fire, and Chromecast have been emerging onto the market recently as a portable and inexpensive alternative to cable and disk players, allowing easy integration between home and business Wi-Fi networks and television systems capable of supporting HDMI inputs without the additional overhead of setting up a heavy or complicated player or computer. The rapid expansion of these products as a mechanism to provide for TV Everywhere services for entertainment as well as cheap office appliances brings yet another node in the rapidly expanding network of IoT that surrounds us today. However, the security implications of these devices are nearly unexplored, despite their prevalence. In this thesis, I will go over the structure and mechanisms of Chromecast, and explore some of the potential exploits and consequences of the device. The thesis contains an overview of the inner workings of Chromecast, goes over the segregation and limited control and fundamental design choices of the Android based OS. It then identifies the objectives of security, four different potential methods of exploit to compromise those objectives on a Chromecast and/or its attached network, including rogue applications, traffic sniffing, evil access points and the most effective one: deauthentication attack. Tests or relevant analysis were carried out for each of these methods, and conclusions were drawn on their effectiveness. There is then a conclusion revolving around the consequences, mitigation and the future implications of security issues on Chromecast and the larger IoT landscape.
ContributorsHuang, Kaiyi (Author) / Zhao, Ziming (Thesis director) / Ahn, Gail-Joon (Committee member) / W. P. Carey School of Business (Contributor) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2016-12
Description
Third-party mixers are used to heighten the anonymity of Bitcoin users. The mixing techniques implemented by these tools are often untraceable on the blockchain, making them appealing to money launderers. This research aims to analyze mixers currently available on the deep web. In addition, an in-depth case study is done on an open-source bitcoin mixer known as Penguin Mixer. A local version of Penguin Mixer was used to visualize mixer behavior under specific scenarios. This study could lead to the identification of vulnerabilities in mixing tools and detection of these tools on the blockchain.
ContributorsPakki, Jaswant (Author) / Doupe, Adam (Thesis director) / Shoshitaishvili, Yan (Committee member) / Computer Science and Engineering Program (Contributor, Contributor) / Barrett, The Honors College (Contributor)
Created2018-12
Description
Despite the more tightly controlled permissions and Java framework used by most programs in the Android operating system, an attacker can use the same classic vulnerabilities that exist for traditional Linux binaries on the programs in the Android operating system. Some classic vulnerabilities include stack overows, string formats, and heap meta-information corruption. Through the exploitation of these vulnerabilities an attacker can hijack the execution ow of an application. After hijacking the execution ow, an attacker can then violate the con_dentiality, integrity, or availability of the operating system. Over the years, the operating systems and compliers have implemented a number of protections to prevent the exploitation of vulnerable programs. The most widely implemented protections include Non-eXecutable stack (NX Stack), Address Space Layout Randomization (ASLR), and Stack Canaries (Canaries). NX Stack protections prevent the injection and execution of arbitrary code through the use of a permissions framework within a program. Whereas, ASLR and Canaries rely on obfuscation techniques to protect control ow, which requires su_cient entropy between each execution. Early in the implementation of these protections in Linux, researchers discovered that without su_cient entropy between executions, ASLR and Canaries were easily bypassed. For example, the obfuscation techniques were useless in programs that ran continuously because the programs did not change the canaries or re-randomize the address space. Similarly, aws in the implementation of ASLR and Canaries in Android only re-randomizes the values after rebooting, which means the address space locations and canary values remain constant across the executions of an Android program. As a result, an attacker can hijack the control ow Android binaries that contain control ow vulnerabilities. The purpose of this paper is to expose these aws and the methodology used to verify their existence in Android versions 4.1 (Jelly Bean) through 8.0 (Oreo).
ContributorsGibbs, Wil (Author) / Doupe, Adam (Thesis director) / Shoshitaishvili, Yan (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor)
Created2018-12