{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:19:18Z","timestamp":1750306758976,"version":"3.41.0"},"reference-count":24,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2013,9,1]],"date-time":"2013-09-01T00:00:00Z","timestamp":1377993600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100004963","name":"Seventh Framework Programme","doi-asserted-by":"publisher","award":["225336, SERSCIS"],"award-info":[{"award-number":["225336, SERSCIS"]}],"id":[{"id":"10.13039\/501100004963","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2013,9]]},"abstract":"<jats:p>Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.<\/jats:p>\n          <jats:p>The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.<\/jats:p>\n          <jats:p>SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.<\/jats:p>\n          <jats:p>Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.<\/jats:p>","DOI":"10.1145\/2516951.2516952","type":"journal-article","created":{"date-parts":[[2013,9,25]],"date-time":"2013-09-25T13:12:59Z","timestamp":1380114779000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Modelling Access Propagation in Dynamic Systems"],"prefix":"10.1145","volume":"16","author":[{"given":"Thomas","family":"Leonard","sequence":"first","affiliation":[{"name":"IT Innovation Centre, University of Southampton"}]},{"given":"Martin","family":"Hall-May","sequence":"additional","affiliation":[{"name":"IT Innovation Centre, University of Southampton"}]},{"given":"Mike","family":"Surridge","sequence":"additional","affiliation":[{"name":"IT Innovation Centre, University of Southampton"}]}],"member":"320","published-online":{"date-parts":[[2013,9]]},"reference":[{"volume-title":"Electronic Systems Division, Air Force Systems Command, Hanscom Field","author":"Anderson J. P.","key":"e_1_2_1_1_1","unstructured":"Anderson , J. P. 1972. Computer security technology planning study. Tech. rep ., Electronic Systems Division, Air Force Systems Command, Hanscom Field , Bedford, MA . Anderson, J. P. 1972. Computer security technology planning study. Tech. rep., Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2007.18"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1640089.1640108"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/69.43410"},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 15th NIST-NCSC National Computer Security Conference.","volume":"563","author":"Ferraiolo D.","unstructured":"Ferraiolo , D. and Kuhn , R . 1992. Role-based access control . In Proceedings of the 15th NIST-NCSC National Computer Security Conference. Vol. 563 , NIST, Baltimore, MD, 554--563. Ferraiolo, D. and Kuhn, R. 1992. Role-based access control. In Proceedings of the 15th NIST-NCSC National Computer Security Conference. Vol. 563, NIST, Baltimore, MD, 554--563."},{"volume-title":"Failures-Divergence Refinement - FDR2 User Manual","author":"Formal Systems (Europe) Ltd and Oxford University Computing Laboratory 2010.","key":"e_1_2_1_6_1","unstructured":"Formal Systems (Europe) Ltd and Oxford University Computing Laboratory 2010. Failures-Divergence Refinement - FDR2 User Manual . Formal Systems (Europe) Ltd and Oxford University Computing Laboratory . Formal Systems (Europe) Ltd and Oxford University Computing Laboratory 2010. Failures-Divergence Refinement - FDR2 User Manual. Formal Systems (Europe) Ltd and Oxford University Computing Laboratory."},{"key":"e_1_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Hall-May M. Chakravarthy A. Leonard T. and Surridge M. 2011. Semantic modelling of resource dependability for SLA-based service governance. In Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions S. Reiff-Marganiec and M. Tilly Eds. IGI Global Hershey PA 401--441.  Hall-May M. Chakravarthy A. Leonard T. and Surridge M. 2011. Semantic modelling of resource dependability for SLA-based service governance. In Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions S. Reiff-Marganiec and M. Tilly Eds. IGI Global Hershey PA 401--441.","DOI":"10.4018\/978-1-61350-432-1.ch018"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/54289.871709"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS","author":"Lam P.","year":"2011","unstructured":"Lam , P. , Bodden , E. , Lhot\u00e1k , O. , and Hendren , L . 2011. The Soot framework for Java program analysis: A retrospective . In Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS 2011 ). Lam, P., Bodden, E., Lhot\u00e1k, O., and Hendren, L. 2011. The Soot framework for Java program analysis: A retrospective. In Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS 2011)."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1977.229904"},{"volume-title":"SERSCIS access modeller 0.16","author":"Leonard T.","key":"e_1_2_1_11_1","unstructured":"Leonard , T. 2012. SERSCIS access modeller 0.16 . IT Innovation Centre , University of Southampton, http:\/\/www.serscis.eu\/sam\/. Leonard, T. 2012. SERSCIS access modeller 0.16. IT Innovation Centre, University of Southampton, http:\/\/www.serscis.eu\/sam\/."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1391984.1391987"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/605434.605438"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/322017.322025"},{"volume-title":"Proceedings of the NDSS Symposium. Internet Society","author":"Mettler A.","key":"e_1_2_1_15_1","unstructured":"Mettler , A. , Wagner , D. , and Close , T . 2010. Joe-E: A security-oriented subset of Java . In Proceedings of the NDSS Symposium. Internet Society , San Diego, CA. Mettler, A., Wagner, D., and Close, T. 2010. Joe-E: A security-oriented subset of Java. In Proceedings of the NDSS Symposium. Internet Society, San Diego, CA."},{"key":"e_1_2_1_17_1","unstructured":"Murray T. 2008. Authodox Version 0.2.0 Manual. Oxford University Computing Laboratory.  Murray T. 2008. Authodox Version 0.2.0 Manual . Oxford University Computing Laboratory."},{"volume-title":"Proceedings of the NICTA Invitational Workshop on Operating System Verification","author":"Shapiro J.","key":"e_1_2_1_20_1","unstructured":"Shapiro , J. , Doerrie , M. S. , Northup , E. , Swaroop , S. , and Miller , M . 2004. Towards a verified, general-purpose operating system kernel . In Proceedings of the NICTA Invitational Workshop on Operating System Verification . Sydney, Australia, 1--19. Shapiro, J., Doerrie, M. S., Northup, E., Swaroop, S., and Miller, M. 2004. Towards a verified, general-purpose operating system kernel. In Proceedings of the NICTA Invitational Workshop on Operating System Verification. Sydney, Australia, 1--19."},{"key":"e_1_2_1_23_1","series-title":"Lecture Notes in Computer Science Series","volume-title":"A practical formal model for safety analysis in capability-based systems","author":"Spiessens F.","unstructured":"Spiessens , F. and Van Roy , P. 2005. A practical formal model for safety analysis in capability-based systems . In Trustworthy Global Computing, R. De Nicola and D. Sangiorgi Eds., Lecture Notes in Computer Science Series , vol. 3705 , Springer , Berlin, Heidelberg , 248--278. Spiessens, F. and Van Roy, P. 2005. A practical formal model for safety analysis in capability-based systems. In Trustworthy Global Computing, R. De Nicola and D. Sangiorgi Eds., Lecture Notes in Computer Science Series, vol. 3705, Springer, Berlin, Heidelberg, 248--278."},{"volume-title":"IRIS - Integrated Rule Inference System - API and User Guide","key":"e_1_2_1_24_1","unstructured":"STI. 2008. IRIS - Integrated Rule Inference System - API and User Guide . Semantic Technology Institute (STI) Innsbruck . STI. 2008. IRIS - Integrated Rule Inference System - API and User Guide. Semantic Technology Institute (STI) Innsbruck."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.39"},{"key":"e_1_2_1_26_1","volume-title":"et al","author":"van Rossum G.","year":"2011","unstructured":"van Rossum , G. et al . 2011 . Python 2.7.2\u2019s urllib2.py. van Rossum, G. et al. 2011. Python 2.7.2\u2019s urllib2.py."},{"volume-title":"Proceedings of the 19th USENIX Security Symposium. The USENIX Association.","author":"Watson R. N. M.","key":"e_1_2_1_27_1","unstructured":"Watson , R. N. M. , Anderson , J. , Kennaway , K. , and Laurie , B . 2010. Capsicum: Practical capabilities for UNIX . In Proceedings of the 19th USENIX Security Symposium. The USENIX Association. Watson, R. N. M., Anderson, J., Kennaway, K., and Laurie, B. 2010. Capsicum: Practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium. The USENIX Association."},{"volume-title":"Proceedings of the 3rd Annual PKI R&D Workshop. NIST","author":"Welch V.","key":"e_1_2_1_28_1","unstructured":"Welch , V. , Foster , I. , Kesselman , C. , Mulmo , O. , Pearlman , L. , Tuecke , S. , Gawor , J. , Meder , S. , and Siebenlist , F . 2004. X.509 proxy certificates for dynamic delegation . In Proceedings of the 3rd Annual PKI R&D Workshop. NIST , Baltimore. Welch, V., Foster, I., Kesselman, C., Mulmo, O., Pearlman, L., Tuecke, S., Gawor, J., Meder, S., and Siebenlist, F. 2004. X.509 proxy certificates for dynamic delegation. In Proceedings of the 3rd Annual PKI R&D Workshop. NIST, Baltimore."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2004.08.006"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2516951.2516952","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2516951.2516952","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T07:28:40Z","timestamp":1750231720000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2516951.2516952"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,9]]},"references-count":24,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2013,9]]}},"alternative-id":["10.1145\/2516951.2516952"],"URL":"https:\/\/doi.org\/10.1145\/2516951.2516952","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2013,9]]},"assertion":[{"value":"2012-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-09-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}