Apache Hadoop is a predominant software framework for distributed compute and storage with capability to handle huge amounts of data, usually referred to as Big Data. This data collected from different enterprises and government agencies often includes private and sensitive information, which needs to be secured from unauthorized access. This paper proposes extensions to the current authorization capabilities offered by Hadoop core and other ecosystem projects, specifically Apache Ranger and Apache Sentry. We present a fine-grained attribute-based access control model, referred to as HeABAC, catering to the security and privacy needs of the multi-tenant Hadoop ecosystem. The paper reviews the current multi-layered access control model used primarily in Hadoop core (2.x), Apache Ranger (version 0.6) and Sentry (version 1.7.0), as well as a previously proposed RBAC extension (OT-RBAC). It then presents a formal attribute-based access control model for the Hadoop ecosystem, including the novel concept of cross Hadoop services trust. It further highlights different trust scenarios, presents an implementation approach for HeABAC using Apache Ranger, and discusses the administration requirements of the HeABAC operational model. Some comprehensive, real-world use cases are also discussed to reflect the application and enforcement of the proposed HeABAC model in the Hadoop ecosystem.
On automated RBAC assessment by constructing a centralized perspective for microservice mesh
It is important in software development to enforce proper restrictions on protected services and resources. Typically software services can be accessed through REST API endpoints where restrictions can be applied using the Role-Based Access Control (RBAC) model. However, RBAC policies can be inconsistent across services, and they require proper assessment. Currently, developers use penetration testing, which is a costly and cumbersome process for a large number of APIs. In addition, modern applications are split into individual microservices and lack a unified view in order to carry out automated RBAC assessment. Often, the process of constructing a centralized perspective of an application is done using Systematic Architecture Reconstruction (SAR). This article presents a novel approach to automated SAR to construct a centralized perspective for a microservice mesh based on their REST communication pattern. We utilize the generated views from SAR to propose an automated way to find RBAC inconsistencies.
- Award ID(s): 1854049
- PAR ID: 10310330
- Date Published:
- Journal Name: PeerJ Computer Science
- Volume: 7
- ISSN: 2376-5992
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
-
Abstract This paper (Wu 2016), which was published in AI EDAM online on August 22, 2016, has been retracted by Cambridge University Press as it is very similar in content to a published ASME Conference Proceedings paper. The article in question and the ASME Conference Proceedings paper were submitted for review with AI EDAM and the ASME at similar times, but copyright was assigned to ASME before the paper was accepted in AI EDAM and therefore the article in AI EDAM is being retracted. (In recent years, industrial nations around the globe have invested heavily in new technologies, software, and services to advance digital design and manufacturing using cyber-physical systems, data analytics, and high-performance computing. Many of these initiatives, such as cloud-based design and manufacturing, fall under the umbrella of what has become known as Industry 4.0 or Industrial Internet and are often hailed as pillars of a new industrial revolution. While an increasing number of companies are developing or already offer commercial cloud-based software packages and services for digital design and manufacturing, little work has been reported on providing a review of the state of the art of these commercial software and services as well as identifying research gaps in this field. The objective of this paper is to present a state-of-the-art review of digital design and manufacturing software and services that are currently available on the cloud. The focus of this paper is on assessing to what extent engineering design, engineering analysis, manufacturing, and production across all phases of the product development lifecycles can already be performed based on the software and services accessed through the cloud. In addition, the key capabilities and benefits of these software packages and services are discussed. 
Based on the assessment of the core features of commercial software and services, it can be concluded that almost all phases of product realization can be conducted through digital design and manufacturing software and services on the cloud. Finally, existing research gaps and related challenges to overcome are identified. The state-of-the-art review serves to provide a technology guide for decision makers in their efforts to select suitable cloud-based software and services as alternatives to existing in-house resources as well as to recommend new research areas.)
-
Abstract Smart DNS (SDNS) services advertise access to geofenced content (typically, video streaming sites such as Netflix or Hulu) that is normally inaccessible unless the client is within a prescribed geographic region. SDNS is simple to use and involves no software installation. Instead, it requires only that users modify their DNS settings to point to an SDNS resolver. The SDNS resolver “smartly” identifies geofenced domains and, in lieu of their proper DNS resolutions, returns IP addresses of proxy servers located within the geofence. These servers then transparently proxy traffic between the users and their intended destinations, allowing for the bypass of these geographic restrictions. This paper presents the first academic study of SDNS services. We identify a number of serious and pervasive privacy vulnerabilities that expose information about the users of these systems. These include architectural weaknesses that enable content providers to identify which requesting clients use SDNS. Worse, we identify flaws in the design of some SDNS services that allow any arbitrary third party to enumerate these services’ users (by IP address), even if said users are currently offline. We present mitigation strategies to these attacks that have been adopted by at least one SDNS provider in response to our findings.
-
Modern automotive systems feature dozens of electronic control units (ECUs) for chassis, body and powertrain functions. These systems are costly and inflexible to upgrade, requiring ever increasing numbers of ECUs to support new features such as advanced driver assistance (ADAS), autonomous technologies, and infotainment. To counter these challenges, we propose DriveOS, a safe, secure, extensible, and timing-predictable system for modern vehicle management in a centralized platform. DriveOS is based on a separation kernel, where timing and safety-critical ECU functions are implemented in a real-time OS (RTOS) alongside non-critical software in Linux or Android. The system enforces the separation, or partitioning, of both software and hardware among different OSes. DriveOS runs on a relatively low-cost embedded PC-class platform, supporting multiple cores and hardware virtualization capabilities. Instrument cluster, in-vehicle infotainment and advanced driver assistance system services are implemented in a Yocto Linux guest, which communicates with critical real-time services via secure shared memory. The RTOS manages a real-time controller area network (CAN) interface that is inaccessible to Linux services except via well-defined and legitimate communication channels. In this work, we integrate three Qt-based services written for Yocto Linux, running in parallel with a real-time longitudinal controller task and multiple CAN bus concentrators, for vehicular sensor data processing and actuation. We demonstrate the benefits and performance of DriveOS with a hardware-in-the-loop CARLA simulation using a real car dataset.
-
Coastal mangrove forests provide numerous ecosystem services, which can be disrupted by natural disturbances, mainly hurricanes. Canopy height (CH) is a key parameter for estimating carbon storage. Airborne Light Detection and Ranging (LiDAR) is widely viewed as the most accurate method for estimating CH but data are often limited in spatial coverage and are not readily available for rapid impact assessment after hurricane events. Hence, we evaluated the use of systematically acquired space-based Synthetic Aperture Radar (SAR) and optical observations with airborne LiDAR to predict CH across expansive mangrove areas in South Florida that were severely impacted by Category 3 Hurricane Irma in 2017. We used pre- and post-Irma LiDAR-derived canopy height models (CHMs) to train Random Forest regression models that used features of Sentinel-1 SAR time series, Landsat-8 optical, and classified mangrove maps. We evaluated (1) spatial transfer learning to predict regional CH for both time periods and (2) temporal transfer learning coupled with species-specific error correction models to predict post-Irma CH using models trained by pre-Irma data. Model performance of SAR and optical data differed with time period and across height classes. For spatial transfer, SAR data models achieved higher accuracy than optical models for post-Irma, while the opposite was the case for the pre-Irma period. For temporal transfer, SAR models were more accurate for tall trees (>10 m) but optical models were more accurate for short trees. By fusing data of both sensors, spatial and temporal transfer learning achieved the root mean square errors (RMSEs) of 1.9 m and 1.7 m, respectively, for absolute CH. Predicted CH losses were comparable with LiDAR-derived reference values across height and species classes. 
Spatial and temporal transfer learning techniques applied to readily available spaceborne satellite data can enable conservation managers to assess the impacts of disturbances on regional coastal ecosystems efficiently and within a practical timeframe after a disturbance event.

