Conference Paper

A general obligation model and continuity: enhanced policy enforcement engine for usage control.

DOI: 10.1145/1377836.1377856 Conference: SACMAT 2008, 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, June 11-13, 2008, Proceedings
Source: DBLP

ABSTRACT The usage control model (UCON) has been proposed to aug- ment traditional access control models by integrating au- thorizations, obligations, and conditions and providing the properties of decision continuity and attribute mutability. Several recent work have applied UCON to support secu- rity requirements in dierent computing environments such as resource sharing in collaborative computing systems and data control in remote platforms. In this paper we iden- tify two individual but interrelated problems of the origi- nal UCON model and recent implementations: oversimpli- fying the concept of usage session of the model, and the lack of comprehensive ongoing enforcement mechanism of imple- mentations. We extend the core UCON model with con- tinuous usage sessions thus extensively augment the expres- siveness of obligations in UCON, and then propose a gen- eral, continuity-enhanced and configurable usage control en- forcement engine. Finally we explain how our approach can satisfy flexible security requirements with an implemented prototype for a healthcare information system.

  • Source
    Proceedings of the 16th ACM symposium on Access control models and technologies; 01/2011
  • [Show abstract] [Hide abstract]
    ABSTRACT: Operating systems traditionally use access control mechanisms to manage access to system resources like files, network connections, and memory areas. However, classic access control models are not suitable for regulating access to the diversity of ways data is available and used today. Modern usage control models go beyond traditional access control, addressing its limitations related to attribute mutability and continuous usage permission validation. The recently proposed UCONABC model establishes a predicate-based framework to satisfy the new access/usage control needs in computing systems. This paper defines a usage control model based on UCONABC and describes a framework to implement it in an operating system kernel, on top of the existing DAC mechanism. A language for representing usage control entities and rules is also proposed, and some typical access/usage control scenarios are represented using it, to show its usefulness. Finally, a prototype of the proposed framework was built in an operating system kernel, to control the usage of local files. The prototype evaluation shows that the proposed model is feasible, straightforward, and may serve as a basis for more complex usage control frameworks.
    J. Network and Computer Applications. 01/2011; 34:1342-1352.
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Access control aims at restricting access to resources instantly. However, in collaborative computing environments with shared resources and distributed right management systems more advanced controlling mechanisms are required. For example, the control of the usage of a resource may need to be continuous, obligations is required, and concurrency is an important aspect when different users use a shared resource. To overcome these shortcomings of traditional access control, usage control has been proposed and investigated recently. In this paper we introduce a new usage control policy specification. Beyond existing approaches, the novelty of our policy is threefold: first, the ability to integrate the functional and security aspects of the system, thus lending support to control system behavior continuously. Second, post obligation is supported in a way that a violation of any rule during the current usage session, or after it ends, can affect the decisions of future usages. Finally, concurrency rules are embodied in the policy model, thus concurrent usages by different users to shared resources are controlled.
    On the Move to Meaningful Internet Systems: OTM 2009, Confederated International Conferences, CoopIS, DOA, IS, and ODBASE 2009, Vilamoura, Portugal, November 1-6, 2009, Proceedings, Part II; 01/2009

Full-text (2 Sources)

Available from
Oct 13, 2014