Bibliography, with userid= and password=
Robert Graham sources.
Cyber-terrorism-related references (still under construction).
Privacy sources recommended by Eric Christian:
This article discusses a virus partially intended to tie up virus-detection software, keeping the processor so busy detecting incoming viruses that other processes are interfered with.
Interview with Phil Zimmermann about PGP, in which he feels he was misrepresented.
Intelligent analysis in view of CPSR's response to 9-11.
Dutch Government Considers Regulation of Strong Crypto.
CPSR public statements after Sept 11.
How NSA access was built into Windows, Duncan Campbell 04.09.1999. Careless mistake reveals subversion of Windows by NSA.
Lots of articles from the PEW foundation
Political cartoon that is related to CPSR's concerns about post-9/11 security frenzy:
Notes on Chautauqua course in security
Security encryption resources
Student page with some references.
Cybercop, Jodie Bernstein patrols the Web for the Federal Trade Commission, looking for swindlers and snake-oil salesmen. At 74, she's part John Wayne, part Jessica Tandy -- and all business. Daniel H. Pink
Links: this is a very good link that points to lots of other places.
PBS, Great Educational Web on Code breaking
cryptogram by Bruce Schneier
Communications of the ACM
Volume 44, Number 2 (2001), Pages 28-30

Securing network software applications: Introduction
Imran Bashir, Enrico Serafini, Kevin Wall

Ask a school-age child about Melissa, and instead of hearing about the "red-haired girl in Mrs. Stiefel's class," the most likely answer would point to the Microsoft Word macro virus that wreaked havoc around the world in March 1999.

The impact of the ubiquitous World Wide Web, the fastest growing element of the Internet, is mind-boggling. The debate about its social and economic impacts will go on for ages, but one fact remains: the Internet is here to stay. Today we have the ability to conduct online shopping, talking, dating, and even smelling [footnote 1] (business-to-consumer; B2C). Similarly, businesses can share and exchange information for more efficient business practices (business-to-business; B2B). And in the same vein, individuals, most of the time complete strangers, exchange useful and sometimes profitable information with each other (individual-to-individual; i2i).

Information sharing over the Internet has become a prevailing practice in every segment of our e-society. While extremely useful for conducting day-to-day business operations, the proliferation of e-commerce over the Internet has provided a perfect target for computer crackers, script-kiddies, and other such bad guys. Since the Web is being utilized by both small and large corporations, and by governments for conducting their business electronically, people with malicious intent do not have to leave their computers to bring a business to its knees. Although it is a little more difficult to take down a government's computer networks, it can be done. Recent cyber-warfare attacks between the Palestinians and Israelis in the Middle East conflicts indicate this is probably likely to become more common in the future.
The reliance of a business on the Internet makes it extremely vulnerable to all sorts of attacks. While some readers may be viewing these words over the Internet, we can safely say that many people are trying to discover illegitimate ways to exploit loopholes in computers around the world. Completely securing a computer against unauthorized access is extremely difficult: there are many ways for an attacker to gain access. In general, however, an attacker employs the easiest ways to fulfill his or her malicious intentions. Some of these attacks include shoulder surfing, dumpster diving, network sniffing, exploiting code weaknesses (such as buffer overflows), denial-of-service attacks, and others. These attacks can come from outside as well as from within. Hence, it is equally important to provide adequate safeguards for both internal and external threat sources.

At this point, it is important to understand some basic terminology. What exactly is security? According to Descartes, we know what time is until we are asked to define it. Similarly, we know or have a sense of what security is. But regardless of how we define it, security is a multidimensional concept that needs to be explored in detail to understand and measure it. Some of these dimensions include privacy, physical access restrictions, application availability, network confidentiality, content integrity, and access policy. Each of these dimensions is continuously evolving in terms of both scope and solution, but no standards can effectively address the subject.

Security is all about managing risks. When people think of security, they generally refer to one or more of the following aspects (definitions as described by the Internet Society are as follows):

Authentication: The process of verifying an identity claimed by or for a system entity.

Access control: Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.

Audit trail: A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (such as any unauthorized system entity).

Integrity: The property that information has not been modified or destroyed in an unauthorized manner.

Availability: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.

Nonrepudiation: A security service that provides protection against false denial of involvement in a communication.

With evolving technologies, enabling new economic models via increasingly integrated and distributed business environments, security has an even higher priority. How then, are companies to cope and manage security? The software community has developed commonly accepted metrics to measure quality and performance. Nevertheless, do we have a commonly accepted, and yet practical, method to define and measure security?

The goal of this special section is to increase awareness of security-related issues. The intent is not to provide a how-to manual or an all-encompassing definition of security. Rather, we have attempted to highlight current and future dimensions of security that are expected to motivate investigations to answer these complex questions.
Another objective of this section is to educate software professionals so that the security threats facing them in the development and deployment of Web-based software applications can be addressed. As quoted in various studies, the highest probability of threat sources comes from within. Hence, with our society's increased reliance on the Internet, it is equally, or more important, for the intranet as well as extranet applications to be highly secure. It is imperative for us, as software professionals, to research and provide answers to the security threats facing society today and in the future.

The five articles selected for this special section cover various dimensions of security. "Security Models for Web-based Applications" by Joshi et al. concentrates on the need for access control in the context of Web-based applications. "The Privacy Practices of Web Browser Extensions" by Martin et al. addresses the privacy disclosure and data monitoring capabilities of browser extension software. Ghosh and Swaminatha's article, "Software Security and Privacy Risks in Mobile E-Commerce," examines software security and privacy risks unique to wireless (mobile) computing. "An Operating System Approach to Securing E-Services" by Dalton and Choo examines the problems surrounding software applications that compromise each other via loopholes from within, describing a Linux-based platform that implements the containment property to dynamically separate running untrusted or partially trusted services. And "Trust (and Mistrust) in Secure Applications" by Viega et al. explores several common ways in which erroneous trust assumptions in software applications can dramatically reduce security of those applications.

Will there ever be a completely secure system? No one can answer this question with any certainty. There is one guarantee, however, that this game of cat-and-mouse between the two sides will continue to occur even with the establishment of a "completely secure system."
Protectors will devise more secure systems, whereas attackers will continue their efforts for breaking the same. Only time will tell as to who succeeds where. We hope the articles presented here will raise awareness about security and its associated dimensions, stimulate ideas for further research and development in security, and provide solutions for securing our computing resources.

References

1. Internet Society, RFC 2828. Internet Security Glossary, 2000; ftp.isi.edu/in-notes/rfc2828.txt.
2. Olson, J.S. and Olson, G.M. I2i trust in e-commerce. Commun. ACM 32, 12 (Dec. 2000), 41.

Authors

Imran Bashir is Director of Network Engineering Systems (IT) at Qwest Communications International, in Ballston, VA.
Enrico Serafini is Director of Business Objects Development Center (IT) at Qwest Communications International in Dublin, OH.
Kevin Wall is Senior Architect (IT) at Qwest Communications International in Dublin, OH.

Footnotes

1 www.digiscents.com

©2000 ACM 0002-0782/01/0200 $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2001 ACM, Inc.

Communications of the ACM
Volume 44, Number 2 (2001), Pages 38-44

Security models for Web-based applications
James B. D. Joshi, Walid G. Aref, Arif Ghafoor, Eugene H. Spafford

Using traditional and emerging access control approaches to develop secure applications for the Web.

The rapid proliferation of the Internet and the cost-effective growth of its key enabling technologies are revolutionizing information technology and creating unprecedented opportunities for developing large-scale distributed applications. At the same time, there is a growing concern over the security of Web-based applications, which are rapidly being deployed over the Internet. For example, e-commerce, the leading Web-based application, is projected to have a market exceeding $1 trillion over the next several years. However, this application has already become a security nightmare for both customers and business enterprises as indicated by the recent episodes involving unauthorized access to credit card information. Other leading Web-based applications with considerable information security and privacy issues include telemedicine-based health-care services and online services or businesses involving both public and private sectors. Many of these applications are supported by workflow management systems (WFMSs).
A large number of public and private enterprises are in the forefront of adopting Internet-based WFMSs and finding ways to improve their services and decision-making processes, hence we are faced with the daunting challenge of ensuring the security and privacy of information in such Web-based applications.

Typically, a Web-based application can be represented as a three-tier architecture, depicted in the figure, which includes a Web client, network servers, and a back-end information system supported by a suite of databases. For transaction-oriented applications, such as e-commerce, middleware is usually provided between the network servers and back-end systems to ensure proper interoperability. Considerable security challenges and vulnerabilities exist within each component of this architecture. Existing public-key infrastructures (PKIs) provide encryption mechanisms for ensuring information confidentiality, as well as digital signature techniques for authentication, data integrity and non-repudiation. As no access authorization services are provided in this approach, it has a rather limited scope for Web-based applications.

The strong need for information security on the Internet is attributable to several factors, including the massive interconnection of heterogeneous and distributed systems, the availability of high volumes of sensitive information at the end systems maintained by corporations and government agencies, easy distribution of automated malicious software by malfeasors, the ease with which computer crimes can be committed anonymously from across geographic boundaries, and the lack of forensic evidence in computer crimes, which makes the detection and prosecution of criminals extremely difficult.

Two classes of services are crucial for a secure Internet infrastructure. These include access control services and communication security services.
Access control services protect Internet resources from unauthorized use, whereas communication security services ensure confidentiality and integrity of data transmitted over the network, in addition to non-repudiation of services to the communicating entities. An important prerequisite for access control is user authentication, the process that establishes the identity of a user. In the context of the Internet, we assume authentication is handled by the communication security services.

Security in the Web Environment

End users are exposed to several security and privacy risks when using Web browsers, and browser vulnerabilities can result in compromising the security of a Web client. Information about a user such as login name or machine name can be collected and used to profile the user, thus raising serious privacy concerns. Cookies, the data stored on the client's machine and exchanged between the Web client and the Web server to maintain connection information, can be used for the purpose of gathering such information. A source of vulnerability at the client site also comes from the use of executable content on the Web, such as Java applets, ActiveX controls, and the like. The current improvement in JDK1.2, which allows signed applets, requires the client to use a security policy for downloadable applets. Many sites also use push technology to deliver Web content to clients. This process can result in serious security breaches, as the content provider can exploit browser vulnerabilities by sending malicious executable code or by overwhelming the system by pushing a high volume of information.

Network servers are the places where most network services are located, such as the Web server, the mail server, and so forth. Firewall technology has become the most popular defense for these servers against the open untrusted Internet, as depicted in Figure 1.
Though firewalls can prevent illegitimate traffic from traveling from the Internet to corporate networks, legitimate requests that pass through a firewall may be used for a data-driven attack on the networks or back-end systems [4, 5]. Configuration of firewalls and network servers is a formidable and error-prone task. This emphasizes the need to restrict or reduce complexity at the firewalls and networks and complement firewalls with robust host-based security.

In large corporate intranets, the insider attack is a growing security concern. A joint study on computer crimes conducted by the Computer Security Institute (CSI) and the FBI indicates that the most serious losses in enterprises occur through unauthorized access by insiders, and 71% of respondents had detected unauthorized access by insiders. Therefore, there is a strong need for developing new access control models or extending the existing ones to neutralize security threats and address the diverse security requirements of Web-based applications.

Justification for Access Control

Public-key infrastructures have been an important development for addressing the security concerns of Web applications. Users can be authenticated using PKI facilities; however, such facilities do not provide any mechanism for access control at the end systems. The fact that insider attacks constitute a considerable threat further accentuates the need for robust host-based security, whereby substantial authentication and access control services must be deployed at the host. The insider attack threat further demonstrates a strong need for efficient security management and administration functions in an enterprise. Host-based security can also help the network servers and firewalls for added intranet security.

Security models that allow efficient security management and administration can also be extended for multidomain environments, where interactions among heterogeneous policy domains are intensive.
Typical applications of multidomain environments include e-commerce, corporate databases, and digital government. Such applications need to interconnect and interoperate their business logic while protecting sensitive information.

The Web primarily uses a hypertext approach for information dissemination. With the growth of e-commerce applications, the Web is rapidly being transformed into an activity- or transaction-intensive environment. Security models for hypertext-based systems are rare and still in their infancy stages. For the Web, access models and mechanisms should facilitate dynamic changes in the content and context of information, allow monitoring of the state of the system, and facilitate carrying out transactional activities. Existing access models lack these features.

Access Control Models

Information systems security refers to protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against denial of service to authorized users, including measures necessary to detect, document, and counter such threats. The main goals of information security are confidentiality or secrecy, integrity, availability, accountability, and assurance. The goal of confidentiality is to ensure the information is not accessed by an unauthorized person. The goal of information integrity is to protect information from unauthorized modification. Information availability ensures the information is available when needed and is not made inaccessible by malicious data-denial activities. Information accountability ensures that every action of an entity can be uniquely traced back to the entity. Security assurance is the degree of confidence in the security of the system with respect to predefined security goals.

Several models have been proposed to address the access control requirements of distributed applications.
Traditional access control models are broadly categorized as discretionary access control (DAC) and mandatory access control (MAC) models. New models such as role-based access control (RBAC) or task-based access control (TBAC) models have been proposed to address the security requirements of a wider range of applications. We briefly highlight the main differences among these models and provide an assessment of their suitability for supporting Web-based applications.

Discretionary Access Control (DAC) Model

In DAC models, all the subjects and objects in a system are enumerated and the access authorization rules for each subject and object in the system are specified. Subjects can be users, groups, or processes that act on behalf of other subjects. If a subject is the owner of an object, the subject is authorized to grant or revoke access rights on the object to other subjects at his discretion. DAC policies are flexible and the most widely used for Web-based applications. However, these policies do not provide high security assurance. For example, DAC allows copying of data from one object to another, which can result in allowing access to a copy of data to a user who does not have access to the original data. Such risks can propagate to the entire Web environment, causing serious violation of security goals.

Among the existing representations of DAC models, a noticeable one is the HRU (Harrison, Ruzzo and Ullman) access control matrix (ACM) model. The matrix specifies access rights of subjects for accessing objects in the system. In conjunction with ACM, the HRU model uses a set of commands to construct the overall authorization scheme. Safety in HRU is in general undecidable. The basic safety problem is to determine whether there exists a reachable state in which a particular subject possesses a particular privilege that it did not previously possess. Several new models have recently been proposed for systems for which safety problems are decidable and tractable.
Most of these models are based on the notion of security type, and include the Schematic Protection Model (SPM), the Typed Access Matrix (TAM) model, and the Dynamically Typed Access Control (DTAC) model. Unlike SPM and TAM, which have subject types and object types, DTAC makes no distinction between subjects and objects. The DTAC model uses a dynamic typing mechanism that makes it suitable for a dynamic environment such as the Internet. In DTAC, a safety invariant is maintained by carrying out static analysis and dynamic checks on the security aspects of the system. This feature gives DTAC the power to model task-based security. By grouping entities into types, this model can reduce the size of the configuration and can enhance the administrative functions. While these extensions are intended to broaden the scope of ACM-based models, they are still in the theoretical development stage, with little or no experimental results.

Mandatory Access Control (MAC) Model

In a MAC model, all subjects and objects are classified based on predefined sensitivity levels that are used in the access decision process. An important goal of a MAC model is to control information flow in order to ensure confidentiality and integrity of the information, which is not addressed by DAC models. For example, to ensure information confidentiality in defense applications, a MAC model can be implemented using a multilevel security mechanism that uses no read-up and no write-down rules, also known as Bell-LaPadula restrictions. These rules are designed to ensure that information does not flow from a higher sensitivity level to a lower sensitivity level. To achieve information integrity, the access rules are formulated as no-read-down and no-write-up. The goal in this case is not to allow the flow of low integrity information to high integrity objects.
The Chinese Wall policy, which addresses conflict of interest issues relevant to financial industries, can also be implemented using a MAC model. For Web-based applications, multilevel classification of information may be an essential requirement that can be enforced by a service provider to distinguish among the users and the type of information being accessed.

Unlike DAC, MAC models provide more robust protection mechanisms for data, and deal with more specific security requirements, such as an information flow control policy. However, enforcement of MAC policies is often a difficult task, and in particular for Web-based applications, they do not provide viable solutions because they lack adequate flexibility. Furthermore, organizational security needs are often a mixture of policies that may need to use both DAC and MAC models, which necessitates seeking solutions beyond those provided by DAC and MAC models only.

Originally, these models were not intended for Web-based applications. In particular, their design philosophy was not intended to serve hypertext-based systems, which are common in a Web-based environment. The hypertext information model uses special objects such as links, frames or slots, document nodes, and so forth, all of which need to be protected. Hypertext systems are characterized by three features, which include information about the connections among data items, their unique navigational aspects, and the absence of a schema. Although extensions enabling these models to address security concerns have been proposed in the literature, more challenging issues such as control of copy and dissemination of information, active object management, and support for multiple data types and complex interrelationships have yet to be explored in order to develop viable solutions for Web-based applications.
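
The DAC copy problem and the MAC flow rules described above can be put side by side in a few lines. The following is an added example, not code from the article: the subjects, objects, levels and function names are all constructed for illustration, and a subject's clearance stands in for its current level.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Confidentiality levels (constructed; the article names none)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


class Integrity(IntEnum):
    """Integrity levels (constructed for the example)."""
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


@dataclass
class Obj:
    name: str
    owner: str
    level: Level
    data: str = ""
    acl: dict = field(default_factory=dict)  # subject -> set of granted rights


def dac_allows(subject, obj, op):
    """DAC: the owner has every right and grants others at discretion."""
    return subject == obj.owner or op in obj.acl.get(subject, set())


def blp_allows(subject_level, object_level, op):
    """Confidentiality rules: no read-up, no write-down."""
    if op == "read":
        return subject_level >= object_level
    if op == "write":
        return subject_level <= object_level
    return False


def integrity_allows(subject_level, object_level, op):
    """Integrity rules, the dual of the above: no read-down, no write-up."""
    if op == "read":
        return subject_level <= object_level
    if op == "write":
        return subject_level >= object_level
    return False


def copy_data(subject, clearance, src, dst, enforce_mac):
    """Copy src into dst for `subject`; True only if every check passes."""
    ok = dac_allows(subject, src, "read") and dac_allows(subject, dst, "write")
    if enforce_mac:
        ok = (ok and blp_allows(clearance, src.level, "read")
              and blp_allows(clearance, dst.level, "write"))
    if ok:
        dst.data = src.data
    return ok


def copy_leak_scenario(enforce_mac):
    """alice lets carol read payroll; carol copies it to a file bob can read."""
    payroll = Obj("payroll", "alice", Level.SECRET, "salaries",
                  acl={"carol": {"read"}})       # bob holds no right on payroll
    scratch = Obj("scratch", "carol", Level.PUBLIC, acl={"bob": {"read"}})
    copied = copy_data("carol", Level.SECRET, payroll, scratch, enforce_mac)
    bob_reads_original = dac_allows("bob", payroll, "read")
    bob_sees = scratch.data if dac_allows("bob", scratch, "read") else None
    return copied, bob_reads_original, bob_sees


if __name__ == "__main__":
    print("DAC only :", copy_leak_scenario(enforce_mac=False))
    print("DAC + MAC:", copy_leak_scenario(enforce_mac=True))
    # A low-integrity subject may not modify a high-integrity object.
    print("untrusted writes system object:",
          integrity_allows(Integrity.UNTRUSTED, Integrity.SYSTEM, "write"))
```

Under DAC alone the copy succeeds and bob reads data he was never granted; with the no-write-down rule enforced, carol's write to the PUBLIC object is refused and the flow stops at the source.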

Role-based Access Control (RBAC) Model

Role-based access control (RBAC) models are receiving increased attention as a generalized approach to access control because they provide several well-recognized advantages. As roles represent organizational responsibilities and functions, a role-based model directly supports arbitrary, organization-specific security policies. The RBAC models have been shown to be "policy-neutral" in the sense that using role hierarchies and constraints, a wide range of security policies can be expressed, including traditional DAC and MAC, and user-specific ones. Security administration is also greatly simplified by the use of roles to organize access privileges. For example, if a user moves to a new function within the organization, the user can simply be assigned to the new role and removed from the old one, whereas in the absence of an RBAC model, the user's old privileges would have to be individually revoked, and new privileges would have to be granted. Special administrative roles can be designated to manage other roles. Such administrative roles can be hierarchically organized to provide a well-organized security management structure, which is desirable in large Web-based enterprises where security management becomes a complex task.

Several authorization constraints may need to be enforced in an organization to protect against information misuse and prevent fraudulent activities. A typical authorization constraint, which is relevant and well-known in the security area, is separation of duties (SOD). Reducing the risk of fraud by not allowing any individual to have sufficient authority within the system to single-handedly perpetrate fraud is the intent of SOD. Such constraints can be easily expressed using an RBAC model through SOD constraints on roles, user-role assignments and role-privilege assignments. Furthermore, using assigned roles, users can sign on with the least privilege set required for any access.
In case of inadvertent errors, such least privilege assignment can ensure minimal damage. An important consideration in RBAC systems is the possible temporal constraints that may exist on roles, such as the time and duration of role activations, and timed-triggering of a role by an activation of another role.

Using an RBAC model is a highly desirable goal for addressing the key security requirements of Web-based applications in general, and WFMSs in particular. Roles can be assigned to workflow tasks so that a user with any of the roles related to a task may be authorized to execute it. However, the challenge is to develop a robust RBAC framework to handle the complex security needs of a WFMS, where temporal, nontemporal, and dependency constraints among roles and tasks exist.

A recent implementation of an RBAC system for the Web environment (RBAC/Web) has been reported. The implementation consists of a Web server to enforce RBAC policies and an administrative tool to allow security administration. The system places no requirements on the browser. When a user issues an access request, a role is assigned to the requester after establishing a session using the available authentication and confidentiality services. These services include the Secure Socket Layer (SSL), Secure HTTP (SHTTP), and an authentication mechanism that uses username/passwords. To ensure better administration, RBAC/Web can be integrated with an administrative model such as URA97 (User-Role Assignment '97), which uses administrative roles to manage other roles.

Several other RBAC implementations have been developed, including the hyperDrive System developed by the Internal Revenue Service, TrustedWeb, getAccess by enCommerce, and SESAME. TrustedWeb requires specific software in the client machine. The I-RBAC (RBAC for an intranet) model uses software agents to distinguish between the local role hierarchies and the global role hierarchy of the entire intranet.
The local network objects are known only to the local servers, whereas the global network objects are known throughout the intranet. Information about mapping between the global roles and local roles is kept in a database and is used when a global network object needs to access an object on another server. The disadvantage of I-RBAC is that maintaining consistent information about the roles becomes difficult as the number of roles increases.

A key feature of RBAC is its potential support for a multidomain environment, which makes it an attractive candidate for Web-based applications. Role-hierarchy mapping between two RBAC-based policy domains can be used to define a metapolicy for secure interoperation.

Access Control Models for Tasks and Workflows

The models discussed previously use the subject-object view toward security. These models have a limited scope and are not flexible enough to allow access policies based on the content of information or the nature of tasks/transactions in a WFMS. WFMSs have emerged as a key technology for enabling activity-intensive Web applications that require extensive automated transactional functions. Such applications typically constitute a complex mix of tasks and transactions that span departmental, organizational, geographical and cultural boundaries, further exacerbating the complexity of Web security. Although there exists a pressing need to develop access control models that can provide strong support for activity and task-intensive applications, no existing access control models have the capability to address the major security issues related to these applications.

Several authorization models related to WFMSs have been proposed. A viable approach to enforce arbitrary security requirements during the execution of workflow tasks is to assign roles to workflow tasks.
The workflow tasks of Web-based applications can be distributed over multiple heterogeneous security domains, and may have strict temporal and inter-task dependency constraints. In addition, roles assigned to tasks may have their own temporal and nontemporal constraints that may be static or dynamic in nature. Although the use of an RBAC framework for ensuring workflow security has been proposed in the literature, substantial extensions are needed to address security issues related to Web applications and WFMSs.

To address the security issues related to task-oriented systems and to effectively serve the unique needs of such systems, researchers propose a family of task-based access control (TBAC) models that constitutes four models arranged in the form of a hierarchy. The TBAC0 model represents the base model that provides the basic or the minimum facilities, such as tasks, authorization steps, and their dependencies. The TBAC1 model is an extension of TBAC0 that includes the composite authorizations of two or more authorization steps. The TBAC2 model is another extension of TBAC0 that allows both static and dynamic constraints. The TBAC3 model is a consolidated model that has features of both the TBAC1 and TBAC2 models.

Agent-based Approach

With the increase of Internet applications, software agents are becoming popular as an emerging system-building paradigm. This paradigm can be effectively used to provide security features for Web applications. An agent is a process characterized by adaptation, cooperation, autonomy, and mobility. Some agent communication language can be used to negotiate policies during conflicts for secure interoperation among participating policy domains. Agents can be assigned security enforcement tasks at the servers and client machines. Although mobility and adaptability are essential to the efficient use of Internet resources, they pose several security threats.
For example, an agent can engage in malicious behavior, thus disrupting normal operation of the host. Similarly, a host may be able to affect the activity of an agent by denying required access to local information resources.

Certificate-based Approach

Public-key infrastructure technology is maturing, and the use of PKI certificates is expected to be ubiquitous in the near future. Certificates issued by a PKI facility can be used for enforcing access control in the Web environment. An example is the use of an extended X.509 certificate that carries role information about a user. These certificates are issued by a certification authority that acts as a trust center in the global Web environment. The use of public-key certificates is suitable for simple applications. These techniques can be used to either support a host's access control method by carrying access control information or provide a separate access control mechanism based on trust centers.

Discussion

We have discussed several access control models and approaches that can be used to disseminate and exchange information securely, and allow secure execution of WFMSs. However, comprehensive frameworks are needed to address the multifaceted security issues related to Web-based applications. In particular, robust access control models are needed to allow: controlled access, dissemination and sharing of information based on content, context, or time; secure execution of tasks and workflows; secure interoperation in a dynamic distributed enterprise environment; and efficient management and administration of security. The table summarizes the key features of each access control model and approach discussed here. The DAC and MAC models lack capabilities needed to support security requirements of emerging enterprises and Web-based applications. Newer models such as SPM, TAM, and DTAC have the potential to support Web-based applications.
In particular, DTAC's feature of using safety invariants in a dynamic environment is highly desirable for dynamic and transaction-intensive workflow-based applications. Hypertext-based authorization models are essential for secure composition and distribution of complex Web documents. However, these security models are yet to be fully developed and assessed for their efficacy and viability to support Web-based applications. Achieving secure interoperation in a heterogeneous Web environment is a difficult task, because of the inherent dynamism and evolving security requirements of the underlying autonomous administrative domains. Using RBAC models and software security agents are suitable approaches for such environments. The RBAC models have several desirable features such as flexibility, policy-neutrality, better support for security management and administration, the principle of least privilege, and other aspects that make them attractive candidates for developing secure Web-based applications. In addition, they can represent traditional DAC and MAC as well as user-defined or organization-specific security policies. Furthermore, an RBAC model provides a natural mechanism for addressing the security issues related to the execution of tasks and workflows. A key advantage of RBAC models is the ease of their deployment over the Internet. The use of RBAC in conjunction with PKI facilities can provide a pragmatic approach to addressing issues related to security of distributed Web-based applications and WFMSs. The TBAC models represent efforts toward finding effective security solutions for the unique needs of task-based systems. However, they are still in the early stages of development.

Conclusion

We have presented a comparative assessment of existing security models in terms of supporting Web-based applications and WFMSs.
Although there has been phenomenal growth of Web-based applications on the Internet, access control issues related to Web security have largely been neglected. The RBAC models are expected to provide a viable framework for addressing a wide range of security requirements for large enterprises. However, several extensions to the existing RBAC models are needed to develop workable solutions to adequately address such needs.

References

1. Bertino, E., Ferrari, E., and Atluri, V. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Info. Syst. Security 2, 1 (Feb. 1999), 65–104.
2. Bertino, E., Pagani, E., Rossi, G.P., and Samarati, P. Protecting information on the Web. Commun. ACM 43, 11 (Nov. 2000), 189–199.
3. Ferraiolo, D.F., Barkley, J.F., and Kuhn, D.R. A role-based access control model and reference implementation within a corporate intranet. ACM Trans. Info. Syst. Security 2, 1 (Feb. 1999), 34–64.
4. Garfinkel, S. and Spafford, E.H. Web Security and Commerce. O'Reilly and Associates, Sebastopol, CA, 1997.
5. Harrison, M.H., Ruzzo, W.L., and Ullman, J.D. Protection in operating systems. Commun. ACM 19, 8 (Oct. 1976), 461–471.
6. Power, R. Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace. Que/Macmillan Publishing, Aug. 31, 2000.
7. Proceedings of The Fifth ACM Workshop on Role-based Access Control. Berlin, Germany, Jul. 2000.
8. Sandhu, R. Lattice-based access control models. IEEE Computer 26, 11 (1993).
9. Tari, Z. and Chan, S. A role-based access control for intranet security. IEEE Internet Computing (Sept.–Oct. 1997), 24–34.
10. Thomas, R.K. and Sandhu, R.S. Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented authorization management. In Proceedings of the IFIP WG11.3 Workshop on Database Security (Lake Tahoe, CA, Aug. 1997).
11. Wing, P. and O'Higgins, B. Using public-key infrastructure for security and risk management. IEEE Communications Magazine (Sept. 1999), 71–73.

Authors

James B.D. Joshi (firstname.lastname@example.org) is a graduate student in the School of Electrical and Computer Engineering at Purdue University in West Lafayette, IN.
Walid Aref (email@example.com) is an associate professor in the Department of Computer Science at Purdue University in West Lafayette, IN.
Arif Ghafoor (firstname.lastname@example.org) is a professor in the School of Electrical and Computer Engineering at Purdue University in West Lafayette, IN.
Eugene H. Spafford (email@example.com) is a professor and the director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in West Lafayette, IN.

Footnotes

This work has been supported by a grant from CERIAS, Purdue University.

Figures

Figure. Multilayered architecture for Web-based applications.

Tables

Table. Approaches and features compared.

©2000 ACM 0002-0782/01/0200 $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2001 ACM, Inc.
Last changed 7/13/08