Hierarchical Hippocratic Databases with Minimal Disclosure for Virtual Organizations
- The VLDB J., 2006
Cited by 5 (3 self)
The protection of customer privacy is a fundamental issue in today's corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. Based on the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service.
C.: Information flow control among objects: Taking foreign objects into control
- In: Proceedings of the 36th Hawaii International Conference on Systems Sciences (HICSS’03), IEEE Computer Society, 2003, 335a-344a
Cited by 2 (0 self)
This paper proposes a model to control information flows among objects. It improves flexibility of the control by independently assigning security levels to attributes, arguments, and return values. It uses associations and multiple labels to control information flows among objects that may be dynamically instantiated during program execution. According to our survey, no model offers the control as precisely as our model does. In addition to controlling objects, the model also controls foreign objects, which are those dynamically retrieved for reuse during program execution. Rules are designed to prevent foreign objects from becoming Trojan horses.
Simulation and verification of information flow paths for access control policies specified in the CORBA Security setting
- Panagiotis Katsaros, 2005
The OMG CORBA security specification defines the core facilities and interfaces for ensuring the required level of security in CORBA-compliant systems. However, for a secure application it is not enough to control access to objects, without taking into account the information flow paths implied by a given, outstanding collection of access rights. The requirement to prevent insecure information leakage among objects is a key concern that has to be satisfied. We describe a Colored Petri Net model that allows simulating and verifying information flow security for access control policies specified in the OMG CORBA Security setting. The proposed model possesses the virtue of simulating insecure information leakage in a graphical environment and allows querying about the detected information flow paths and their dependencies.
On the design of access control to prevent sensitive information leakage in distributed object systems: a Colored Petri Net based model
- Panagiotis Katsaros. In: Proceedings of CoopIS/DOA/ODBASE, Lecture Notes in Computer Science 3761, 2005
We introduce a Colored Petri Net model for simulating and verifying information flow in distributed object systems. Access control is specified as prescribed by the OMG CORBA security specification. An insecure flow arises when information is transferred from one object to another in violation of the applied security policy. We provide precise definitions, which determine how discretionary access control is related to the secure or insecure transfer of information between objects. The model can be queried regarding the detected information flow paths and their dependencies. This is a valuable means for the design of multilevel mandatory access control that addresses the problem of enforcing object classification constraints to prevent undesirable leakage and inference of sensitive information.
Creating Objects in the Flexible Authorization Framework
- 2006
Access control is a crucial concern to build secure IT systems and, more specifically, to protect the confidentiality of information. However, access control is necessary, but not sufficient. Actually, IT systems can manipulate data to provide services to users. The results of a data processing may disclose information concerning the objects used in the data processing itself. Therefore, the control of information flow results fundamental to guarantee data protection. In the last years many information flow control models have been proposed. However, these frameworks mainly focus on the detection and prevention of improper information leaks and do not provide support for the dynamical creation of new objects. In this

