Lecture Notes in Computer Science 3956
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board: David Hutchison (Lancaster University, UK), Takeo Kanade (Carnegie Mellon University, Pittsburgh, PA, USA), Josef Kittler (University of Surrey, Guildford, UK), Jon M. Kleinberg (Cornell University, Ithaca, NY, USA), Friedemann Mattern (ETH Zurich, Switzerland), John C. Mitchell (Stanford University, CA, USA), Moni Naor (Weizmann Institute of Science, Rehovot, Israel), Oscar Nierstrasz (University of Bern, Switzerland), C. Pandu Rangan (Indian Institute of Technology, Madras, India), Bernhard Steffen (University of Dortmund, Germany), Madhu Sudan (Massachusetts Institute of Technology, MA, USA), Demetri Terzopoulos (University of California, Los Angeles, CA, USA), Doug Tygar (University of California, Berkeley, CA, USA), Moshe Y. Vardi (Rice University, Houston, TX, USA), Gerhard Weikum (Max-Planck Institute of Computer Science, Saarbruecken, Germany)

Gilles Barthe, Benjamin Grégoire, Marieke Huisman, Jean-Louis Lanet (Eds.)

Construction and Analysis of Safe, Secure, and Interoperable Smart Devices
Second International Workshop, CASSIS 2005
Nice, France, March 8-11, 2005
Revised Selected Papers

Volume Editors
Gilles Barthe, Benjamin Grégoire, Marieke Huisman
INRIA Sophia Antipolis, Projet EVEREST, 2004 route des Lucioles, B.P. 93, 06902 Sophia Antipolis Cedex, France
E-mail: {Gilles.Barthe,Benjamin.Gregoire,Marieke.Huisman}@sophia.inria.fr
Jean-Louis Lanet
Gemplus La Vigie, Avenue du Jujubier, Z.I. Athelia IV, 13705 La Ciotat Cedex, France
E-mail: [email protected]

Library of Congress Control Number: 2006924174
CR Subject Classification (1998): D.2, C.3, D.1, D.3, D.4, F.3, E.3
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-540-33689-3 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-33689-1 Springer Berlin Heidelberg New York
© Springer-Verlag Berlin Heidelberg 2006

Preface

This volume contains a selection of refereed papers from participants of the second "Construction and Analysis of Safe, Secure and Interoperable Smart Devices" (CASSIS) workshop, held March 8-11, 2005 in Nice, France: http://www-sop.inria.fr/everest/events/cassis05

The workshop was organized by INRIA (Institut National de Recherche en Informatique et en Automatique), France. It was attended by over 70 participants, who were invited for their contributions to relevant areas of computer science.

The aim of the CASSIS workshop is to bring together experts from the smart devices industry and academic researchers, in order to stimulate research on formal methods and security, and to encourage the smart device industry to adopt innovative solutions drawn from academic research. In order to address the different issues raised by the evolution of smart devices, the workshop consisted of seven thematic sessions:

Session 1: Research trends in smart devices
The session was organized by Jean-Jacques Vandewalle from Gemplus. It provided perspectives on possible evolutions of smart devices. The keynote speaker was Gilles Privat from France Telecom R&D.

Session 2: Web services
The session was organized by Cédric Fournet and Andy Gordon from Microsoft Research Cambridge. It focused on security issues for web services, including trust and identity management, and formal and automatic verification of web services deployments.
The session was followed by a panel discussion on security of web services, chaired by Andy Gordon. The keynote speaker was Cédric Fournet.

Session 3: Virtual machine technology
This session was organized by Benjamin Grégoire. It covered new developments in Java technology for developing generic, adaptable and maintainable platforms for smart devices. The keynote speaker was Sophia Drossopoulou from Imperial College London.

Session 4: Security
This session was organized by Gilles Barthe and Marieke Huisman. It studied security issues from a wider perspective and addressed issues such as electronic voting, Internet threat analysis, privacy and language-based security. The keynote speaker was Dan Wallach from Rice University, Texas.

Session 5: Validation and formal methods
This session was organized by Thomas Jensen from IRISA Rennes. It focused on verification techniques for Java-like applications, including run-time verification, program analyses, and interactive verification. The keynote speaker was Klaus Havelund from Kestrel Technology at NASA Ames Research Center.

Session 6: Proof-Carrying Code
The session was organized by Adriana Compagnoni. It presented Proof-Carrying Code architectures and their application to advanced security policies concerning resource control and information flow. The keynote speaker was George Necula from the University of California at Berkeley.

Session 7: Embedded devices
The final session was organized by Traian Muntean, from Marseilles University, and Jean-Louis Lanet, now at Gemplus. The session focused on technology issues that arise from the evolution of embedded devices into networked mobile devices. The keynote speaker was Rajesh Gupta from the University of California at Irvine.

The organizers would like to thank the session organizers, speakers and participants for helping to make CASSIS 2005 a stimulating and enjoyable event. The organizers would also like to acknowledge financial support from ERCIM, Gemplus International S.A., and Oberthur Card Systems.
A special thanks goes to the support teams at INRIA Sophia Antipolis, and in particular to Nathalie Bellesso and Monique Simonetti for their help in organizational matters.

December 2005
Gilles Barthe, Benjamin Grégoire, Marieke Huisman, Jean-Louis Lanet

Organization

Organizing Committee
Gilles Barthe, INRIA Sophia-Antipolis, France
Benjamin Grégoire, INRIA Sophia-Antipolis, France
Marieke Huisman, INRIA Sophia-Antipolis, France
Jean-Louis Lanet, INRIA DirDRI Sophia-Antipolis, France

Referees
Frederic Besson, Thomas Jensen, German Puebla, Christophe Bidan, Florian Kammueller, Tamara Rezk, Lilian Burdy, Gerwin Klein, Bernard Serpette, Pierre Cregut, Peter Gorm Larsen, Robert De Simone, Guillaume Dufay, Bruno Legeard, Mario Sudholt, Sandro Etalle, Francesco Logozzo, Pierre Vanel, Andy Gordon, Fabio Martinelli, Jerome Vouillon, Valerie Issarny, Mariela Pavlova, Romain Janvier, Olivier Potoniee

Table of Contents

The Architecture of a Privacy-Aware Access Control Decision Component
Claudio A. Ardagna, Marco Cremonini, Ernesto Damiani, Sabrina De Capitani di Vimercati, Pierangela Samarati ... 1

Mobile Resource Guarantees and Policies
David Aspinall, Kenneth MacKenzie ... 16

Information Flow Analysis for a Typed Assembly Language with Polymorphic Stacks
Eduardo Bonelli, Adriana Compagnoni, Ricardo Medel ... 37

Romization: Early Deployment and Customization of Java Systems for Constrained Devices
Alexandre Courbot, Gilles Grimaud, Jean-Jacques Vandewalle ... 57

Typed Compilation Against Non-manifest Base Classes
Christopher League, Stefan Monnier ... 77

The Design of Application-Tailorable Operating System Product Lines
Daniel Lohmann, Wolfgang Schröder-Preikschat, Olaf Spinczyk ... 99

Bringing Ease and Adaptability to MPSoC Software Design: A Component-Based Approach
Ali Erdem Özcan, Sébastien Jean, Jean-Bernard Stefani ... 118

Modular Proof Principles for Parameterised Concretizations
David Pichardie ... 138

Formalisation and Verification of the GlobalPlatform Card Specification Using the B Method
Santiago Zanella Béguelin ... 155

Author Index ... 175

The Architecture of a Privacy-Aware Access Control Decision Component

Claudio A. Ardagna, Marco Cremonini, Ernesto Damiani, Sabrina De Capitani di Vimercati, and Pierangela Samarati
Dipartimento di Tecnologie dell'Informazione, Università degli Studi di Milano, Crema 26013, Italy
{ardagna, cremonini, damiani, decapita, samarati}@dti.unimi.it

Abstract. Today many interactions are carried out online through Web sites and e-services, and often private and/or sensitive information is required by service providers. A growing concern related to this widespread diffusion of on-line applications that collect personal information is that users' privacy is often poorly managed and sometimes abused. For instance, it is well known that personal information is often disclosed to third parties without the consent of the legitimate data owners, and that there are professional services specialized in gathering and correlating data from heterogeneous repositories, which permit building user profiles and possibly disclosing sensitive information not voluntarily released by their owners. For these reasons, it has become very important to design systems able to fully preserve information privacy by managing all identity and profile information in a trustworthy and responsible way.

In this paper, we investigate some problems concerning identity management for e-services and present the architecture of the Access Control Decision Function, a software component in charge of managing access requests in a privacy-aware fashion.
The content of this paper is a result of our ongoing activity in the framework of the PRIME project (Privacy and Identity Management for Europe) [18], funded by the European Commission, whose objective is the development of privacy-aware solutions for enforcing security.

1 Introduction

From the growing offering of e-services provided by a number of organizations, users have not only gained benefits in terms of variety and richness of accessible services. The drawback of such an increase in service provision is that a correspondingly growing amount of personal information is communicated by users of e-services to the corresponding providers. Personally identifiable information (PII) is required by e-service providers for many legitimate reasons (e.g., to offer personalized services). Requiring personal information also helps to mitigate abuses of e-services and to prevent, for example, access by automated software rather than human users. Finally, personal information of e-service users is needed for marketing purposes, such as promoting new services or producing access statistics for advertisers.

G. Barthe et al. (Eds.): CASSIS 2005, LNCS 3956, pp. 1–15, 2006. © Springer-Verlag Berlin Heidelberg 2006

However, although all these reasons for collecting personal information are certainly legitimate, many concerns exist about the privacy of e-service users. Such concerns are motivated by observing that the number and type of personal information items collected by service providers make it easy to profile a user's habits and preferences in a very detailed and precise way. In addition, it is well known that personal information is often disclosed to third parties without the consent of the legitimate data owners, and that there are professional services specialized in gathering and correlating data from heterogeneous repositories, which permit building user profiles and possibly disclosing sensitive information not voluntarily released by their owners.
As a consequence, users concerned about their private information are increasingly refusing to benefit from such a widespread offering of e-services, because they prefer not to have their personal data under the control of anyone at any time.

A key aspect in addressing these concerns is the notion of privacy-aware access control, which combines the notions of privacy and of access control in a homogeneous framework. Traditional access control systems are based on regulations (policies) that establish who can, or cannot, execute certain actions on some resources, and the way they compute access decisions is based on the requester's credentials carrying her identity and other personal information (e.g., affiliation, membership, and so on) [10].

Other requirements that traditional access control systems usually do not take into account are related to data usage, that is, the possibility of specifying how data accessed by an authorized party must be handled. This represents a novel feature for access control, which is no longer simply concerned with authorizing access to data and resources but also with defining and enforcing the way data and resources are subsequently managed. Also, in modern systems, the definition of an access control model is complicated by the need to formally represent complex policies, where access decisions depend on the application of different rules coming from laws, practices, organizational regulations, and so on.

Privacy awareness, and features to manage requesters' credentials accordingly, are not taken into account by the access control systems in use today. Requiring privacy awareness means that credentials and personal information of users that request e-services cannot be freely available to, and manageable by, service providers. Privacy poses constraints on which data can be required for a certain service and on the way personal information, once collected by a service provider, can be handled, released to third parties, or recorded.
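To make the distinction drawn above concrete, the following is an added, hypothetical example written for this page; it is not the PRIME ACDF, its policy language, or any code from the paper. It models a minimal attribute-based policy in which a traditional decision considers only the requester's attributes, the action and the resource, while a privacy-aware decision additionally binds the request to a stated purpose and returns the data-handling obligations (retention limit, third-party release) that an authorized party must then honour. The rule structure, attribute names, purpose vocabulary and sample policy are all assumptions made for illustration.

```python
"""Toy privacy-aware access control decision (illustrative, not the PRIME ACDF).

A traditional decision answers only "may this subject do this action on this
resource?".  The privacy-aware decision reuses that answer, then applies the
data-handling constraints the paper describes: the access must be for a
purpose the policy allows, and the permit carries obligations (how long the
data may be retained, whether it may be released to third parties).
All names, attributes and the sample policy below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Rule:
    subject: Dict[str, str]          # attribute -> required value (all must match)
    action: str
    resource: str
    effect: str                      # "permit" or "deny"
    purposes: FrozenSet[str] = frozenset()   # purposes this permit covers; "*" = any
    max_retention_days: Optional[int] = None # None = no retention limit stated
    third_party_release: bool = True         # may the data be passed on?


@dataclass
class Request:
    subject: Dict[str, str]          # attributes taken from the requester's credentials
    action: str
    resource: str
    purpose: Optional[str] = None    # declared purpose; ignored by traditional decisions


@dataclass
class Decision:
    effect: str
    obligations: Dict[str, object] = field(default_factory=dict)
    reason: str = ""


def _applicable(policy: List[Rule], req: Request) -> List[Rule]:
    """Rules whose action, resource and every subject attribute match the request."""
    return [r for r in policy
            if r.action == req.action and r.resource == req.resource
            and all(req.subject.get(k) == v for k, v in r.subject.items())]


def traditional_decide(policy: List[Rule], req: Request) -> Decision:
    """Classic deny-overrides evaluation: purpose and data handling play no role."""
    rules = _applicable(policy, req)
    if any(r.effect == "deny" for r in rules):
        return Decision("deny", reason="explicit deny")
    if any(r.effect == "permit" for r in rules):
        return Decision("permit")
    return Decision("deny", reason="no applicable rule")


def privacy_aware_decide(policy: List[Rule], req: Request) -> Decision:
    """Same access check, plus purpose binding and data-handling obligations."""
    base = traditional_decide(policy, req)
    if base.effect != "permit":
        return base
    permits = [r for r in _applicable(policy, req) if r.effect == "permit"]
    # Purpose binding: a permit only applies if it covers the declared purpose.
    allowed = [r for r in permits if "*" in r.purposes or req.purpose in r.purposes]
    if not allowed:
        return Decision("deny",
                        reason=f"purpose {req.purpose!r} not permitted for {req.resource}")
    # Obligations: take the most restrictive handling constraints among the rules.
    retentions = [r.max_retention_days for r in allowed if r.max_retention_days is not None]
    obligations = {
        "purpose": req.purpose,
        "retain_days": min(retentions) if retentions else None,
        "third_party_release": all(r.third_party_release for r in allowed),
    }
    return Decision("permit", obligations=obligations)


# Constructed sample policy for a hypothetical health-record e-service.
POLICY = [
    Rule({"role": "doctor"}, "read", "patient_record", "permit",
         purposes=frozenset({"treatment"}), max_retention_days=30,
         third_party_release=False),
    Rule({"role": "researcher"}, "read", "patient_record", "permit",
         purposes=frozenset({"research"}), max_retention_days=365,
         third_party_release=False),
    Rule({"affiliation": "external_partner"}, "read", "patient_record", "deny"),
]

if __name__ == "__main__":
    for req in (Request({"role": "doctor"}, "read", "patient_record", "treatment"),
                Request({"role": "doctor"}, "read", "patient_record", "marketing")):
        print(req.purpose, traditional_decide(POLICY, req), privacy_aware_decide(POLICY, req))
```

Running the module shows the gap the text describes: the traditional decision permits a doctor reading a record for marketing, because it only sees the credential attributes, whereas the privacy-aware decision denies it and, for the treatment case, returns the 30-day retention and no-release obligations that the enforcement side must apply after the access.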
Although recent advances in access control models have made it possible to use generic attributes/properties of both requesters and resources, access control systems are not yet designed for enforcing privacy policies.

Therefore, by considering privacy issues, there is the need to improve authorization policies and models and to develop new solutions for access control, authorization specification, and enforcement. The development of such solutions will require investigating open research problems as well as implementing an access control architecture that addresses privacy concerns from its foundations.

In this paper, we describe an approach aimed at providing users with a privacy-aware access control system that enforces privacy requirements. In particular, we present the architecture of the Access Control Decision Function (ACDF), an autonomous software component for controlling access to data in the framework of e-services. The ACDF component is based on a flexible model and XML-based language [2]. Our work has been carried out in the context of the Privacy and Identity Management for Europe (PRIME) project, a European project whose goal is the development of privacy-aware solutions for enforcing security.

The remainder of this paper is organized as follows. Section 2 summarizes the main contributions in the field of privacy-aware access control and describes the way our approach differs from previous ones. Section 3 describes the new requirements for privacy-aware access control and gives an overview of the PRIME project. Section 4 summarizes our proposal for a privacy-aware access control policy. Section 5 presents the architecture of the Access Control Decision Function, explaining its interactions with external components and the overall work flow. Finally, Section 6 draws our conclusions and sketches future work.
2 Related Work

A number of projects and research papers about privacy have been presented in the last few years, although not many of them have addressed the issue of privacy-aware access control. More in detail, two lines of research are closely related to the topic of this paper: i) the definition and development of access control and privacy languages, and ii) the definition of infrastructures to protect and preserve the privacy of either services or clients.

As for the first research topic, some languages have been defined, ranging from languages for access control such as XACML (eXtensible Access Control Markup Language) [22] to data handling languages (i.e., languages regulating how personal information may be managed once collected) such as P3P (Platform for Privacy Preferences Project) [5,8] and EPAL (Enterprise Privacy Authorization Language) [4,5].

XACML [22] is an XML-based language used to define access control policies. The main differences between XACML and the language developed for our ACDF component are that XACML does not consider data handling constraints, it explicitly supports neither privacy features nor variables in the definition of policies (a feature that greatly enhances policy expressiveness), and it is not integrated with the ontological approach that our ACDF solution exploits in the more general context of the PRIME project. In addition to the language, XACML defines both an architecture for the evaluation of policies and a communication protocol for message interchange. The most important difference between XACML's system design and architecture and our proposal is that XACML assumes to have all the information about a requester available at