Principles of Data Protection

Course code: 2IMS25

Academic Year: 2020/2021

Quartile 1

Time: Tuesday, hours 3 and 4 (from 10:45 till 12:30)
Time: Thursday, hours 5 and 6 (from 13:30 till 15:15)

Lectures

Due to the current COVID situation, lectures will be given in the form of recordings. The complete set of lectures is available on videocollege.tue.nl:
https://videocollege.tue.nl/Mediasite/Showcase/e67b8e0ccb0b42b5b737321255bb30cf44/Channel/1cb316e0873a43ec91b53cdc2ae64f5e4d

The slides are available at https://svn.win.tue.nl/repos/security_public/teaching/dtm/Slides/

Lecture hours will be used for Q&A sessions held on CANVAS Conference. Questions can also be asked using the discussion section in CANVAS.

Assessment

Grades for the course are based on a final exam. The final exam is a 3 hours closed-book exam covering ALL topics presented during the course.

There is the possibility that the exam will be online. More information will be provided when available.

Final exam

Date: 30 October 2020 13:30-16:30
Place TBD

Date: 18 January 2021 18:00-21:00
Place: TBD

Course syllabus (numbers correspond to lectures):

Introduction. (Nicola Zannone)
Discretionary Access Control. (Nicola Zannone)
- (Obligatory) Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. Protection in Operating Systems. Communications of the ACM 19(8): 461-471. 1976
- (Obligatory) Butler W. Lampson. Protection. ACM SIGOPS Operating Systems Review 8(1): 18-24. 1974.
- (Suggested) Pierangela Samarati, Sabrina De Capitani di Vimercati. Access Control: Policies, Models, and Mechanisms. Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures.
Mandatory Access Control. (Nicola Zannone)
- (Obligatory) Ravi S. Sandhu. Lattice-Based Access Control Models. Computer 26(11):9-19. 1993.
- (Suggested) Pierangela Samarati, Sabrina De Capitani di Vimercati. Access Control: Policies, Models, and Mechanisms. Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures.
Role-Based Access Control. (Nicola Zannone)
- (Obligatory) R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman. 1996. Role-Based Access Control Models, IEEE Computer 29(2): 38-47
- (Suggested) Pierangela Samarati, Sabrina De Capitani di Vimercati. Access Control: Policies, Models, and Mechanisms. Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures.
Attribute-Based Access Control. (Nicola Zannone)
- (Recommended) Vincent C. Hu, David Ferraiolo, Rick Kuhn. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162.
Role-Based Trust Management I. (Sandro Etalle)
- (Obligatory) Ninghui Li, William H. Winsborough, John C. Mitchell Distributed Credential Chain Discovery in Trust Management. (the type system and the forward and backward algorithms)
- (Suggested) Marianne Winslett. An Introduction to Trust Negotiation. iTrust 2003: 275-283.
Role-Based Trust Management II. (Sandro Etalle)
- (Obligatory) Ninghui Li, John C. Mitchell, William H. Winsborough. Design of a Role-Based Trust-Management Framework.
- (Obligatory) Czenko, M.R. and Etalle, S. and Li, D. and Winsborough, W.H. (2007) An Introduction to the Role Based Trust Management Framework RT.
Usage Control. (Nicola Zannone)
- (Obligatory) Jaehong Park and Ravi Sandhu. 2004. The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7, 1, 128-174.
Introduction to Privacy. (Nicola Zannone)
- (Obligatory) Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu. Hippocratic Databases. VLDB 2002: 143-154 (2002)
- (Suggested) P. Guarda and N. Zannone. Towards the Development of Privacy-Aware Systems. Information and Software Technology. 51(2):337-350. 2009.
Privacy-aware Access Control I. (Nicola Zannone)
- (Obligatory) Ji-Won Byun, Ninghui Li. Purpose based access control for privacy protection in relational database systems. VLDB J. 17(4): 603-619 (2008)
Privacy-aware Access Control II. (Nicola Zannone)
- (Obligatory) Michael Backes, Günter Karjoth, Walid Bagga, Matthias Schunter. Efficient comparison of enterprise privacy policies. SAC 2004: 375-382 (2004)
- (Suggested) Enterprise Privacy Authorization Language (EPAL 1.2)
eXtensible Access Control Markup Language (XACML) I. (Nicola Zannone)
- (Recommended) XACML 3.0 Core: eXtensible Access Control Markup Language (XACML) version 3.0
- (Suggested) Ninghui Li, Qihua Wang, Wahbeh Qardaji, Elisa Bertino, Prathima Rao, Jorge Lobo, and Dan Lin. Access control policy combining: theory meets practice. In Proceedings of the 14th ACM symposium on Access control models and technologies (SACMAT '09), pages 135-144, ACM, 2009.
eXtensible Access Control Markup Language (XACML) II. (Nicola Zannone)
- (Recommended) Core and hierarchical role based access control (RBAC) profile of XACML v3.0
- (Recommended) Privacy policy profile of XACML v3.0
Reduction of Access Control Decisions (Nicola Zannone)
- (Obligatory) Charles Morisset, Nicola Zannone: Reduction of access control decisions. In Proceedings of the ACM symposium on Access control models and technologies (SACMAT 2014), pages 53-62, ACM, 2014.

Old exams:

Solution for selected exercises.

2019/2020

Exam (November), here.
Exam (January), here.

2018/2019

Exam (November), here.
Exam (January), here.

2017/2018

Exam (November), here.
Exam (January), here.

2016/2017

Exam (November), here.
Exam (January), here.

2015/2016

Exam (October), here.
Exam (January), here.

2014/2015

Exam (January), here.
Exam (April), here.

2013/2014

Exam (January), here.
Exam (April), here.

2012/2013

Exam (January), here.
Exam (April), here.

2011/2012

Exam (February), here.
Exam (April), here.