Tentative Syllabus for CS590U

Guest lectures

• Evolution of Access Control (September 16th)
  David F. Ferraiolo. Computer Scientist at National Institute of Standards and Technology, Computer Security Division. Pioneer and leading expert on Role-Based Access Control. Co-author of the book Role-Based Access Control.

• Automated Trust Negotiation (October 9th)
  Dr. William H. Winsborough. Research Associate Professor at George Mason University, Center for Secure Information Systems. Pioneer and leading expert on Automated Trust Negotiation and Attribute-based Access Control.

Lectures given by the instructor (about 16 lectures)

• Introduction to the course, principles of access control, and overview of project topics. (1.5 lecture)
  
  • Course homepage and the project pages.
  • Part IA of The Protection of Information in Computer Systems. Jerome H. Saltzer and Michael D. Schroeder. Proceedings of the IEEE, 63(9):1278-1308, 1975.
• Access matrix model, HRU model, Take-grant model (1.5 lecture)
  
  • Formal Models of Capability-Based Protection Systems. Lawrence Snyder, TOCS, March 1981.
  • Protection in Operating Systems. Michael A. Harrison and Walter L. Ruzzo and Jeffrey D. Ullman. CACM, August 1976.

• Role-Based Access Control (3 lectures)
  
  • Role-Based Access Control Models. Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. IEEE Computer, 29(2):38--47, February 1996.
  • Naming and grouping privileges to simplify security management in large databases. Robert W. Baldwin. In Proc. IEEE Symposium on Research in Security and Privacy, pages 116-132, 1990.
  • Role Based Access Control. David F. Ferraiolo and D.Richard Kuhn. 15th National Computer Security Conference (1992).
  • Proposed NIST Standard for Role-Based Access Control. David F. Ferraiolo, Ravi S. Sandhu, Serban I. Gavrila, D. Richard Kuhn, and Ramaswamy Chandramouli. TISSEC, August 2001.
• The Trust Management Approach to Decentralized Access Control (3 lectures)
  
  • Decentralized Trust Management. Matt Blaze, Joan Feigenbaum, Jack Lacy. In Proc. of IEEE Symposium on Security and Privacy, 1996.
  • The KeyNote Trust-Management System, Version 2. Matt Blaze, Joan Feigenbaum, John Ioannidis, and Angelos D. Keromytis. RFC 2704, September 1999.

  • Datalog with Constraints: A Foundation for Trust-management Languages. Ninghui Li and John C. Mitchell. In Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages (PADL 2003).
  • SDSI - A Simple Distributed Security Infrastructure. Ronald L. Rivest and Butler Lampson. 1996.
  • Distributed Credential Chain Discovery in Trust Management. Ninghui Li, William H. Winsborough, and John C. Mitchell. Journal of Computer Security, February 2003.
  • Design of A Role-based Trust-management Framework. Ninghui Li, John C. Mitchell, and William H. Winsborough. In Proceedings of 2002 IEEE Symposium on Security and Privacy, May 2002. (Slides in PDF)
  • Beyond Proof-of-compliance: Security Analysis in Trust Management. Ninghui Li, William H. Winsborough, and John C. Mitchell. Submitted to JACM. Preliminary version appeared in 2003 IEEE Symposium on Security and Privacy.
• Mandatory Access Control (2 lectures) Topics include Lattice-based mandatory access control, noninterference, nondeducibility.
  • Formal Models for Computer Security. Carl E. Landwehr. ACM Computing Surveys, 13(3):247--278, 1981.
  • A Security Model for Military Message SystemsCarl E. Landwehr, Constance L. Heitmeyer, John McLean. ACM Transactions on Computer Systems, 1984.

  • A Comparison of Commercial and Military Computer Security Policies. David D. Clark and David R. Wilson. In Proceedings of the 1987 IEEE Symposium on Security and Privacy.
  • Security Models. John McLean. In J. Marciniak, editor, Encyclopedia of Software Engineering. Wiley & Sons, 1994.

• Access Control in Databases (1 lectures)

• Access Control in Java (0 lecture)

Student presentations

• September 18. Rafae Bhatti. X-GTRBAC: An XML-BASED Policy Specification Framework And Architecture For Enterprise-Wide Access Control.
  • X-GTRBAC: An XML-BASED Policy Specification Framework And Architecture For Enterprise-Wide Access Control. Rafae Bhatti. Master thesis.

1. Evaluating the Effectiveness of Access Control in SELinux.

2. Static Analysis for Determining A Program's Access Requirements.

3. Fine Grained Access Control in Databases.

4. Human Factors in Access Control.

5. Develop A High-level Policy Language for Firewall.
   Description to be provided later.

6. Security Analysis of Administrative Models for RBAC.

7. Using Constraint Datalog to Analyze XrML and XACML.

8. Distributed Evaluation for RT1.
   

9. RTML: A Role-based Trust-management Markup Language.
   • A manuscript on RTML