Article

KNOW Why your access was denied: regulating feedback for usable security

Authors:

Geetanjali Sampemane,

Roy H. CampbellAuthors Info & Claims

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security

Pages 52 - 61

https://doi.org/10.1145/1030083.1030092

Published: 25 October 2004 Publication History

Abstract

We examine the problem of providing useful feedback about access control decisions to users while controlling the disclosure of the system's security policies. Relevant feedback enhances system usability, especially in systems where permissions change in unpredictable ways depending on contextual information. However, providing feedback indiscriminately can violate the confidentiality of system policy. To achieve a balance between system usability and the protection of security policies, we present Know, a framework that uses cost functions to provide feedback to users about access control decisions. Know honors the policy protection requirements, which are represented as a meta-policy, and generates permissible and relevant feedback to users on how to obtain access to a resource. To the best of our knowledge, our work is the first to address the need for useful access control feedback while honoring the privacy and confidentiality requirements of a system's security policy.

References

[1]

Beate Bollig and Ingo Wegener. Improving the variable ordering of OBDDs is NP-complete. IEEE Trans. on Computers, 45(9):993-1001, Sept. 1996.

Digital Library

[2]

Piero Bonatti, Ernesto Damiani, and Pierangela Samarati. A component-based architecture for secure data publication. In Proceedings of 17th Annual Computer Security Applications Conference (ACSAC), pages 309--318, New Orleans, LA, December 2001.

Digital Library

[3]

Piero A. Bonatti and Pierangela Samarati. A uniform framework for regulating service access and information release on the Web. Journal of Computer Security, 10(3):241--271, 2002.

Digital Library

[4]

Kenneth M. Butler, Don E. Ross, Rohit Kapur, and M.Ray Mercer. Heuristics to compute variable orderings for efficient manipulation of ordered binary decision diagrams. In Proceedings of the 28th conference on ACM/IEEE Design Automation, pages 417--420, San Francisco, CA, June 1991.

Digital Library

[5]

David Eppstein. Finding the k shortest paths. In Proc. 35th Symp. Foundations of Computer Science, pages 154--165. IEEE, November 1994.

Digital Library

[6]

David F. Ferraiolo and D. Richard Kuhn. Role-based access controls. In Proc. 15th NIST-NCSC National Computer Security Conference, pages 554-563, Baltimore, MD, October 1992.

[7]

Masahiro Fujita, Yusuke Matsunaga, and Taeko Kakuda. On variable ordering of binary decision diagrams for the application of multi-level logic synthesis. In Proceedings of the conference on European Design Automation, pages 50--54, Amsterdam, February 1991. IEEE Computer Society Press.

Digital Library

[8]

Jonathan Graehl. kbest, a C++ library for efficiently finding the k shortest paths in a graph. Available from http://jonathan.graehl.org/kbest.zip.

[9]

Takashi Horiyama and Shuzo Yajima. Exponential lower bounds on the size of OBDDs representing integer divistion. In Proceedings ISAAC, pages 163--172, 1997.

Digital Library

[10]

Brad Johanson, Armando Fox, and Terry Winograd. The Interactive Workspaces project: Experiences with ubiquitous computing environments. IEEE Pervasive Computing magazine, 1(2):67--74, Apr-Jun 2002.

Digital Library

[11]

R.E. Korf. Search techniques. In Hossein Bidgoli, editor, Encyclopedia of Information Systems. Academic Press, San Diego, CA, aug 2002.

[12]

Håkan Kvarnström, Hans Hedbom, and Erland Jonsson. Protecting security policies in ubiquitous environments using one-way functions. In D.Hutter et al., editors, Security in Pervasive Computing 2003, volume 2802 of LNCS, pages 71--85. Springer-Verlag, Heidelberg, 2003.

[13]

J. Lind-Nielsen. BuDDy - a binary decision diagram package. Technical Report IT-TR: 1999-028, Technical University of Denmark, 1999.

[14]

P. Orponen and H. Mannila. On approximation preserving reductions: Complete problems and robust measures. Technical Report C-1987-28, University of Helsinki, Dept. of Computer Science, 1987.

[15]

Shipra Panda and Fabio Somenzi. Who are the variables in your neighborhood. In Proc. International Conference on Computer-Aided Design (ICCAD '95), pages 74--77, San Jose, CA, November 1995.

Digital Library

[16]

R.E.Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677--691, 1986.

Digital Library

[17]

Manuel Román, Christopher K. Hess, Renato Cerqueira, Anand Ranganathan, Roy H. Campbell, and Klara Nahrstedt. GaiaOS: A middleware infrastructure to enable Active Spaces. IEEE Pervasive Computing, pages 74--83, Oct-Dec 2002.

Digital Library

[18]

Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. In Proceedings of the IEEE, volume 63, pages 1278--1308, September 1975.

[19]

Geetanjali Sampemane, Prasad Naldurg, and Roy H. Campbell. Access control for Active Spaces. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), pages 343--352, Las Vegas, NV, December 2002.

Digital Library

[20]

Mark Weiser. The computer for the 21st century. Scientific American, pages 94-104, September 1991.

[21]

William H. Winsborough and Ninghui Li. Safety in automated trust negotiation. In Proceedings of the 2004 IEEE Symposium on Security and Privacy, pages 147--160, Oakland, CA, May 2004. IEEE Press.

[22]

Ka-Ping Yee. User interaction design for secure systems. In Proceedings of the 4th International Conference on Information and Communications Security, pages 278--290. Springer-Verlag, 2002.

Digital Library

[23]

Ting Yu and Marianne Winslett. A unified scheme for resource protection in automated trust negotiation. In Proceedings of the IEEE Symposium on Security and privacy, pages 110--122, May 2003.

Digital Library

[24]

Ting Yu, Marianne Winslett, and Kent E. Seamons. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Trans. Inf. Syst. Secur., 6(1):1--42, 2003.

Digital Library

[25]

Terry Zimmerman and Subbarao Kambhampati. Learning-assisted automated planning. AI Magazine, 24(2):73--96, 2003.

Digital Library

[26]

Mary Ellen Zurko and Richard T. Simon. User-centered security. In Proceedings of the Workshop on New Security Paradigms (NSPW), pages 27--33, Lake Arrowhead, CA, September 1996.

Digital Library

Cited By

Paci FSquicciarini AZannone N(2018)Survey on Access Control for Community-Centered Collaborative SystemsACM Computing Surveys10.1145/314602551:1(1-38)Online publication date: 4-Jan-2018
https://dl.acm.org/doi/10.1145/3146025
Xu TNaing HLu LZhou YMark GFussell SLampe Cschraefel mHourcade JAppert CWigdor D(2017)How Do System Administrators Resolve Access-Denied Issues in the Real World?Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems10.1145/3025453.3025999(348-361)Online publication date: 2-May-2017
https://dl.acm.org/doi/10.1145/3025453.3025999
den Hartog JZannone N(2016)Collaborative Access Decisions: Why Has My Decision Not Been Enforced?Information Systems Security10.1007/978-3-319-49806-5_6(109-130)Online publication date: 24-Nov-2016
https://doi.org/10.1007/978-3-319-49806-5_6
Show More Cited By

Index Terms

KNOW Why your access was denied: regulating feedback for usable security
1. Human-centered computing
2. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Cue: a framework for generating meaningful feedback in XACML
SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration

With a number of access rules at play along with contexts in which they may or may not apply, it is not always obvious to the legitimate user what caused an authorization server to deny a request, neither is it possible for the administrator to specify ...
ESPOON: Enforcing Encrypted Security Policies in Outsourced Environments
ARES '11: Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security

The enforcement of security policies in outsourced environments is still an open challenge for policy-based systems. On the one hand, taking the appropriate security decision requires access to the policies. However, if such access is allowed in an ...
Authorized! access denied, unauthorized! access granted
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Existing access control systems are mostly identity-based. However, such access control systems impose risks because recognized identity is not essentially an interpretation of good intentions of access. On the other hand, an un-identified individual ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security

October 2004

376 pages

ISBN:1581139616

DOI:10.1145/1030083

General Chair:
Vijay Atluri
Rutgers University
,
Program Chairs:
Birgit Pfitzmann
IBM Research, Switzerland
,
Patrick McDaniel
AT&T Labs

Copyright © 2004 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 October 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS04

Sponsor:

CCS04: 11th ACM Conference on Computer and Communications Security 2004

October 25 - 29, 2004

Washington DC, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

24
Total Citations
View Citations
941
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)1

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Paci FSquicciarini AZannone N(2018)Survey on Access Control for Community-Centered Collaborative SystemsACM Computing Surveys10.1145/314602551:1(1-38)Online publication date: 4-Jan-2018
https://dl.acm.org/doi/10.1145/3146025
Xu TNaing HLu LZhou YMark GFussell SLampe Cschraefel mHourcade JAppert CWigdor D(2017)How Do System Administrators Resolve Access-Denied Issues in the Real World?Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems10.1145/3025453.3025999(348-361)Online publication date: 2-May-2017
https://dl.acm.org/doi/10.1145/3025453.3025999
den Hartog JZannone N(2016)Collaborative Access Decisions: Why Has My Decision Not Been Enforced?Information Systems Security10.1007/978-3-319-49806-5_6(109-130)Online publication date: 24-Nov-2016
https://doi.org/10.1007/978-3-319-49806-5_6
Mangle APatel S(2014)Issues in user authentication using security questionsInternational Journal of Information and Computer Security10.1504/IJICS.2014.0681006:4(383-407)Online publication date: 1-Mar-2014
https://dl.acm.org/doi/10.1504/IJICS.2014.068100
Bartsch S(2014)Policy override in practiceSecurity and Communication Networks10.1002/sec.5477:1(139-156)Online publication date: 1-Jan-2014
https://dl.acm.org/doi/10.1002/sec.547
Reeder RBauer LCranor LReiter MVaniea KTan DFitzpatrick GGutwin CBegole BKellogg W(2011)More than skin deepProceedings of the SIGCHI Conference on Human Factors in Computing Systems10.1145/1978942.1979243(2065-2074)Online publication date: 7-May-2011
https://dl.acm.org/doi/10.1145/1978942.1979243
Malik ADustdar S(2010)An intelligent information sharing control system for dynamic collaborationsProceedings of the 8th International Conference on Frontiers of Information Technology10.1145/1943628.1943658(1-6)Online publication date: 21-Dec-2010
https://dl.acm.org/doi/10.1145/1943628.1943658
Ghai SNigam PKumaraguru PSager TAhn GKant KLipford H(2010)CueProceedings of the 3rd ACM workshop on Assurable and usable security configuration10.1145/1866898.1866901(9-16)Online publication date: 4-Oct-2010
https://dl.acm.org/doi/10.1145/1866898.1866901
Pontual MIrwin KChowdhury OWinsborough WYu T(2010)Failure Feedback for User Obligation SystemsProceedings of the 2010 IEEE Second International Conference on Social Computing10.1109/SocialCom.2010.111(713-720)Online publication date: 20-Aug-2010
https://dl.acm.org/doi/10.1109/SocialCom.2010.111
Karat JKarat CBertino ELi NNi QBrodie CLobo JCalo SCranor LKumaraguru PReeder R(2009)Policy framework for security and privacy managementIBM Journal of Research and Development10.5555/1850636.185064053:2(242-255)Online publication date: 1-Mar-2009
https://dl.acm.org/doi/10.5555/1850636.1850640
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents