CPSC 601.40: Syllabus and Reading List

$Id: ref.html,v 1.5 2018/01/15 18:27:37 pwlfong Exp $

Remarks: Make sure you read the Remarks, which tell you which part of a paper you should read, or provide additional information regarding a paper. Also, papers that are marked Supplementary are optional readings. They are listed for those who are keen.

1. Introduction
   • David F. Ferraiolo, D. Richard Kuhn, and Ramaswamy Chandramouli. Role-Based Access Control (2nd Edition), Chapters 1-2. Artech House, 2007. The book is available electronically from the University Library website.
2. Modeling Access Control Systems
   • Philip W. L. Fong. Modelling an Access Control System. This is an early draft of a chapter taken from my upcoming book to be published by the Cambridge University Press. Please do not distribute.
   • Supplementary:
     • G. Scott Graham and Peter J. Denning. Protection: principles and practice. In Proceedings of the 1972 AFIPS Spring Joint Computer Conference, volume 40, pages 417-429, Atlantic City, New Jersey, USA, May 1972.
     • Ninghui Li and Mahesh V. Tripunitara. On safety in discretionary access control. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'05), pages 96-109, Oakland, California, USA, May 2005.
       • Remarks: Read only up to and including Section 4.1. Read also the history behind the above paper, especially the section entitled Towards raising the level of rigorousness in access control research.
3. The Harrison-Ruzzo-Ullman Model and Safety Analysis
   • Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. Protection in operating systems. Communications of the ACM, 19(8):461-471, August 1976.
     • Remarks: In case you are rusty in Turing Machines and undecidability proofs, consult Chapters 8 and 9 of Hopcroft, Motwani, and Ullman, Introduction to Automata Theory, Languages, and Computation, Addison Wesley, 2007.
     • Remarks: In case you are rusty in the theory of NP-completeness and reduction proofs, consult Chapters 1-3 of Garey and Johnson, Computers and Intractability, Freeman, 1979.
   • Supplementary: Mahesh V. Tripunitara and Ninghui Li. The Foundational Work of Harrison-Ruzzo-Ullman Revisited. IEEE Transactions on Dependable and Secure Computing, 10(1), January 2013.
4. Workflow Authorization Models and Safety/Resiliency Analysis
   • Qihua Wang and Ninghui Li. Satisfiability and Resiliency in Workflow Authorization Systems. ACM Transactions on Information and System Security, 13(4), December 2010.
     • Remarks: In case you do not have background in the polynomial hierarchy, consult Section 7.2 of Garey and Johnson, Computers and Intractability, Freeman, 1979. If you want a more technical treatment of the subject, consult Chapter 5 of Arora and Barak, Computational Complexity: A Modern Approach, Cambridge, 2009.
5. Information Flow Control
   1. The Bell-La-Padula Model
      • Leonard J. LaPadula and D. Elliott Bell. MITRE Technical Report 2547, Volume II: Secure Computer Systems, Journal of Computer Security, 4(2-3):239-263, 1996.
   2. Noninterference
      • John Rushby. Noninterference, Transitivity, and Channel-Control Security Policies, Technical Report CSL 92-02, Computer Science Laboratory, SRI International, 1992.
        • Remarks: Read only Chapters 2 and 3.
6. Propositional Logic
   • H&R Sections 1.1-1.5
7. Attribute-Based Access Control and Policy Analysis
   • Vincent C. Hu, David ferraiolo, Rick Kuhn, Adam Schnitzer, Kenneth Sandlin, Robert Miller, and Karen Scarfone. Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162, National Institute of Standards and Technology, January 2014.
   • Glenn Bruns and Michael Huth. Access Control via Belnap Logic: Intuitive, Expressive and Analyzable Policy Composition. ACM Transactions on Information and System Security, 14(1), May 2011.
8. Facebook-style Social Network Systems
   • Mohd Anwar, Zhen Zhao, and Philip W. L. Fong. An Access Control Model for Facebook-style Social Network Systems. Technical Report 2010-959-08, Department of Computer Science, University of Calgary, Calgary, Alberta, Canada, July 2010.
     • Remarks: An earlier version of the above paper was published as: Philip W. L. Fong, Mohd Anwar and Zhen Zhao. A Privacy Preservation Model for Facebook-Style Social Network Systems. In Proceedings of the 14th European Symposium on Research In Computer Security (ESORICS'09), volume 5789 of Lecture Notes in Computer Science, pages 303-320, Saint Malo, France, September 21-23, 2009. Springer.
   • Philip W. L. Fong. Preventing Sybil Attacks by Privilege Attenuation: A Design Principle for Social Network Systems. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (S&P'11), pages 263-278, Oakland, California, USA, May 22-25, 2011.
9. Modal Logic
   • H&R Sections 5.1-5.3
10. Relationship-Based Access Control
    • Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 19(2):38-47, February 1996.
    • Philip W. L. Fong. Relationship-Based Access Control: Protection Model and Policy Language. In Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY'11), San Antonio, Taxas, USA, February 21-23, 2011.
    • Glenn Bruns, Philip W. L. Fong, Ida Siahaan, and Michael Huth. Relationship-Based Access Control: Its Expression and Enforcement Through Hybrid Logic. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy (CODASPY'2012), San Antonio, TX, USA, February 7-9, 2012.
11. Temporal Logic
    • H&R Sections 3.1-3.5
12. History-Based Access Control and Policy Characterization
    • Fred B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30-50, February 2000.
    • Supplementary: B. Alpern and F. B. Schneider. Defining liveness. Information Processing Letters, 21(4):181-185, October 1985.
    • Edward Chang, Zohar Manna, and Amir Pnueli. The Safety-Progress Classification. Logic and Algebra of Specification, pages 143-202, volume 94 of NATO ASI Series, Springer, 1993. pages
13. Model Checking
    • H&R Sections 3.6-3.7
14. History-Based Access Control and Reputation Systems
    • Karl Krukow, Mogens Nielsen, and Vladimiro Sassone. A logical framework for history-based access control and reputation systems. Journal of Computer Security, 16(1):63-101, 2008.

$Id: ref.html,v 1.5 2018/01/15 18:27:37 pwlfong Exp $