Chapter

Access Control Challenges in Enterprise Ecosystems: Blockchain-Based Technologies as an Opportunity for Enhanced Access Control

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

There is an increasing gap between the needs of modern, complex, and distributed environments in regards to control of access to data and the level to which classical access control solutions can fulfill those needs. The purpose of this chapter is to highlight the current state of art of existing research over access control in increasingly decentralized environments and to argue how the subject of access control is more relevant than ever before, with increasing research opportunities emerging. In this chapter, the authors analyze the current state of the art of access control mechanisms and systems over decentralized applications with a focus on enterprise ecosystems, analyze the current challenges and opportunities that the new technological landscape offers, specifically over the application of blockchain-based technologies in access control, and propose new research directions for the future.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Conference Paper
Full-text available
Access Control systems are used in computer security to regulate the access to critical or valuable resources. The rights of subjects to access such resources are typically expressed through access control policies, which are evaluated at access request time against the current access context. This paper proposes a new approach based on blockchain technology to publish the policies expressing the right to access a resource and to allow the distributed transfer of such right among users. In our proposed protocol the policies and the rights exchanges are publicly visible on the blockchain, consequently any user can know at any time the policy paired with a resource and the subjects who currently have the rights to access the resource. This solution allows distributed auditability, preventing a party from fraudulently denying the rights granted by an enforceable policy. We also show a possible working implementation based on XACML policies, deployed on the Bitcoin blockchain.
Conference Paper
Full-text available
Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the “hashing power” of the adversary relative to network synchronicity; we show our results to be tight under high synchronization. Next, we propose and analyze applications that can be built “on top” of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that Nakamoto’s suggestion falls short of solving it, and present a simple alternative which works assuming that the adversary’s hashing power is bounded by 1/3. The public transaction ledger captures the essence of Bitcoin’s operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion we describe and analyze the Bitcoin system as well as a more elaborate BA protocol, proving them secure assuming high network synchronicity and that the adversary’s hashing power is strictly less than 1/2, while the adversarial bound needed for security decreases as the network desynchronizes.
Article
Full-text available
In this paper, an extensive state of the art review of different access control solutions in IoT within the Objectives, Models, Architecture and Mechanisms (OM-AM) way is provided. An analysis of the security and privacy requirements for the most dominant IoT application domains, including Personal and home, Government and utilities, and Enterprise and industry, is conducted. The pros and cons of traditional, as well as recent access control models and protocols from an IoT perspective are highlighted. Furthermore, a qualitative and a quantitative evaluation of the most relevant IoT related-projects that represent the majority of research and commercial solutions proposed in the field of access control conducted over the recent years (2011- 2016) is achieved. Finally, potential challenges and future research directions are defined.
Technical Report
Full-text available
Cryptocurrencies, based on and led by Bitcoin, have shown promise as infrastructure for pseudonymous online payments, cheap remittance, trustless digital asset exchange, and smart contracts. However, Bitcoin-derived blockchain protocols have inherent scalability limits that trade-off between throughput and latency and withhold the realization of this potential. This paper presents Bitcoin-NG, a new blockchain protocol designed to scale. Based on Bitcoin's blockchain protocol, Bitcoin-NG is Byzantine fault tolerant, is robust to extreme churn, and shares the same trust model obviating qualitative changes to the ecosystem. In addition to Bitcoin-NG, we introduce several novel metrics of interest in quantifying the security and efficiency of Bitcoin-like blockchain protocols. We implement Bitcoin-NG and perform large-scale experiments at 15% the size of the operational Bitcoin system, using unchanged clients of both protocols. These experiments demonstrate that Bitcoin-NG scales optimally, with bandwidth limited only by the capacity of the individual nodes and latency limited only by the propagation time of the network.
Article
Full-text available
Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present ERBAC - an event-driven extension of the TRBAC model that allows the specification and enforcement of general reactive policies - and its implementation. While almost all the individual features of ERBAC occur separately in some previous model, the detailed design of the policy language, its implementation in XACML, and its testing contribute to the development of expressive, event-driven policy frameworks by demonstrating that this rich model can be satisfactorily implemented, and that its expressivity and performance are compatible with a variety of realistic application scenarios. In particular, a number of examples illustrate ERBAC's expressive power, and its ability of handling exceptional situations in a flexible way, while keeping policies compact and manageable. The prototype extends XACML's language and the implementation of the PDP to support the new model. Systematic scalability experiments show that the computational cost of policy rule evaluation in ERBAC is compatible with real-world applications.
Article
Full-text available
We propose a new decentralized access control scheme for secure data storage in clouds that supports anonymous authentication. In the proposed scheme, the cloud verifies the authenticity of the series without knowing the user's identity before storing data. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. We also address user revocation. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches.
Article
Full-text available
An integrity policy defines formal access constraints which, if effectively enforced, protect data from improper modification. The author identifies the integrity problems posed by a secure military computer utility. Integrity policies addressing these problems are developed and their effectiveness evaluated. A prototype secure computer utility, Multics, is then used as a testbed for the application of the developed access controls.
Article
Full-text available
Andrew is a distributed computing environment that is a synthesis of the personal computing and timesharing paradigms. When mature, it is expected to encompass over 5,000 workstations spanning the Carnegie Mellon University campus. This paper examines the security issues that arise in such an environment and describes the mechanisms that have been developed to address them. These mechanisms include the logical and physical separation of servers and clients, support for secure communication at the remote procedure call level, a distributed authentication service, a file-protection scheme that combines access lists with UNIX mode bits, and the use of encryption as a basic building block. The paper also discusses the assumptions underlying security in Andrew and analyzes the vulnerability of the system. Usage experience reveals that resource control, particularly of workstation CPU cycles, is more important than originally anticipated and that the mechanisms available to address this issue are rudimentary.
Article
Full-text available
A model of protection mechanisms in computing systems is presented and its appropriateness is argued. The “safety” problem for protection systems under this model is to determine in a given situation whether a subject can acquire a particular right to an object. In restricted cases, it can be shown that this problem is decidable, i.e. there is an algorithm to determine whether a system in a particular configuration is safe. In general, and under surprisingly weak assumptions, it cannot be decided if a situation is safe. Various implications of this fact are discussed.
Conference Paper
Full-text available
In this work we ask the question: what are the challenges of managing a physical or file system access-control pol- icy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identi- fied three sets of real-world requirements that are either ig- nored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.
Conference Paper
Full-text available
We investigate a security framework for collaborative appli- cations that relies on the role-based access control (RBAC) model. In our framework, roles are pre-defined and organized in a hierarchy (par- tial order). However, we assume that users are not previously identified, therefore the actions that they can perform are dynamically determined based on their own attribute values and on the attribute values associ- ated with the resources. Those values can vary over time (e.g., the user's location or whether the resource is open for visiting) thus enabling or disabling a user's ability to perform an action on a particular resource. In our framework, constraint values form partial orders and determine the association of actions with the resources and of users with roles. We have implemented our framework by exploring the capabilities of se- mantic web technologies, and in particular of OWL 1.1, to model both our framework and the domain of interest and to perform several types of reasoning. In addition, we have implemented a user interface whose purpose is twofold: (1) to offer a visual explanation of the underlying reasoning by displaying roles and their associations with users (e.g., as the user's locations vary); and (2) to enable monitoring of users that are involved in a collaborative application. Our interface uses the Google Maps API and is particularly suited to collaborative applications where the users' geospatial locations are of interest.
Conference Paper
Full-text available
Conventional access control models like role based access control are suitable for regulating access to resources by known users. However, these models have often found to be inadequate for open and decentralized multi-centric sys- tems where the user population is dynamic and the identity of all users are not known in advance. For such systems, cre- dential based access control has been proposed. Credential based systems achieve access control by implementing a bi- nary notion of trust. If a user is trusted by virtue of success- ful evaluation of its credentials it is allowed access, otherwise not. However, such credential based models have also been found to be lacking because of certain inherent drawbacks with the notion of credentials. In this work, we propose a trust based access control model called TrustBAC. It ex- tends the conventional role based access control model with the notion of trust levels. Users are assigned to trust levels instead of roles based on a number of factors like user creden- tials, user behavior history, user recommendation etc. Trust levels are assigned to roles which are assigned to permissions as in role based access control. The TrustBAC model thus incorporates the advantages of both the role based access control model and credential based access control models.
Conference Paper
Full-text available
In Peer-to-Peer (P2P) computing environments, each participant (peer) acts as both client and content provider. This satisfies the requirement that resources should be increasingly made available by being published to other users from a user's machine. Compared with services performed by the client-server model, P2P-based services have several advantages. However, wide-scale application of P2P computing is constrained by limitations associated with the especially sophisticated control mechanisms needed between peers. To overcome these limitations, we introduce a controlled P2P computing architecture by extending the concept of Web services to the peer-to-peer level through a generic middleware. Specifically, in this paper we tailor our approach to support RBAC. Although our approach supports both brokered and purist P2P models, all of the policy decisions can be made on the peer side, because policy information is transferred from the policy servers to the corresponding peers through metadata that peers can understand. Each peer makes the access control decision based on the enterprise, the community, and the peer policies without asking other components. This approach supports RBAC services for collaborative enterprise in P2P computing environments, not only within one community but also within inter-communities. Furthermore, it also supports peers' autonomous decisions without causing policy conflicts. The broad dissemination of our approach would enable P2P technology to be applicable to more reliable and efficient services, providing controlled communications between peers.
Conference Paper
Full-text available
With the growing use of wireless networks and mobile devices, we are moving towards an era where location information will be necessary for access control. The use of location information can be used for enhancing the security of an application, and it can also be exploited to launch attacks. For critical appli- cations, a formal model for location-based access control is needed that increases the security of the application and ensures that the location information cannot be exploited to cause harm. In this paper, we show how the Role-Based Access Control (RBAC) model can be extended to incorporate the notion of location. We show how the different components in the RBAC model are related with location and how this location information can be used to determine whether a subject has access to a given object. This model is suitable for applications consisting of static and dynamic objects, where location of the subject and object must be considered before granting access.
Conference Paper
Full-text available
New cryptographic protocols which take full advantage of the unique properties of public key cryptosystems are now evolving. Several protocols for public key distribution and for dig~tal signatures are briefly compared with each other and with the conventional alternative. 1.
Conference Paper
Full-text available
Attribute based access control (ABAC) grants accesses to services based on the attributes possessed by the requester. Thus, ABAC differs from the traditional discretionary access control model by replacing the subject by a set of attributes and the object by a set of services in the access control matrix. The former is appropriate in an identity-less system like the Internet where subjects are identified by their characteristics, such as those substantiated by certificates. These can be modeled as attribute sets. The latter is appropriate because most Internet users are not privy to method names residing on remote servers. These can be modeled as sets of service options. We present a framework that models this aspect of access control using logic programming with set constraints of a computable set theory [DPPR00]. Our framework specifies policies as stratified constraint flounder-free logic programs that admit primitive recursion. The design of the policy specification framework ensures that they are consistent and complete. Our ABAC policies can be transformed to ensure faster runtimes.
Article
Full-text available
Role-based access control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles can be active at certain time periods and non active at others; moreover, there can be activation dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extensions of the RBAC model. TRBAC supports both periodic activations and deactivations of roles, and temporal dependencies among such actions, expressed by means of role triggers, whose actions may be either executed immediately, or be deferred by an explicity specified amount of time. Both triggers and periodic activations/deactivations may have a priority associated with them, in order to resolve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, an implementation architecture is outlined.
Article
Full-text available
While Mandatory Access Controls (MAC) are appropriate for multilevel secure military applications, Discretionary Access Controls (DAC) are often perceived as meeting the security processing needs of industry and civilian government. This paper argues that reliance on DAC as the principal method of access control is unfounded and inappropriate for many commercial and civilian government organizations. The paper describes a type of non-discretionary access control - role-based access control (RBAC) - that is more central to the secure processing needs of non-military systems than DAC. Comment: pp. 554 - 563
Conference Paper
Full-text available
The authors describe a system whose purpose is to explore the use of certificates for the distributed management of access rights for resources that have multiple, independent, and geographically dispersed stakeholders. The stakeholders assert their use-conditions in authorization certificates and designate those trusted to attest to the corresponding attributes. These use-conditions implicitly define access groups through their requirement for certain attributes. All use-conditions must be satisfied simultaneously, so the actual access group is the intersection of all of the groups. A policy engine collects the use-condition certificates and attribute certificates when a user attempts to access a particular resource. If all of the use-conditions are met, a capability is generated for the resource. The policy engine can provide several different policy models depending on whether any relationship is established among the use-conditions. The system architecture and implementation is described, together with some of the identified strengths, weaknesses, and vulnerabilities
Article
Full-text available
Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In This work, we propose a generalized temporal role-based access control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.
Article
Full-text available
The paper presents a discretionary access control model in which authorizations contain temporal intervals of validity. An authorization is automatically revoked when the associated temporal interval expires. The proposed model provides rules for the automatic derivation of new authorizations from those explicitly specified. Both positive and negative authorizations are supported. A formal definition of those concepts is presented, together with the semantic interpretation of authorizations and derivation rules as clauses of a general logic program. Issues deriving from the presence of negative authorizations are discussed. We also allow negation in rules: it is possible to derive new authorizations on the basis of the absence of other authorizations. The presence of this type of rule may lead to the generation of different sets of authorizations, depending on the evaluation order. An approach is presented, based on establishing an ordering among authorizations and derivation rules, which guarantees a unique set of valid authorizations. Moreover, we give an algorithm detecting whether such an ordering can be established for a given set of authorizations and rules. Administrative operations for adding, removing, or modifying authorizations and derivation rules are presented and efficiency issues related to these operations are also tackled in the paper. A materialization approach is proposed, allowing to efficiently perform access control
Chapter
This chapter investigates how an electronic patient record (EPR) document can be managed by a number of active XML (AXML) peers representing hospitals, MDs, insurance companies, and Department of Health. These peers are living on remote servers, laptops, and mobile devices. Each of them provides integrated information/filtering services, or a combination of these, such as a hospital provides information about visits, while an insurance company gives reimbursement reports, and access control on both of them is enforced by both the regulations of the Department of Health, and their own respective privacy policies. The chapter also illustrates how the distributed data can be queried by different users, and how the specified access control rules are enforced along the way. It also investigates how the queries are executed efficiently—only the relevant/permissible parts of the AXML document are exchanged among peers, an AXML peer can fully or partially evaluate a query by delegating some of the computation to filtering peers or information sources.
Conference Paper
Access control in enterprises is a key research area in the realm of Computer Security because of the unique needs of the target enterprise. As the enterprise typically has large user and resource pools, administering the access control based on any framework could in itself be a daunting task. This work presents X-GTRBAC Admin, an administration model that aims at enabling policy administration within a large enterprise. In particular, it simplifies the process of user-to-role and permission-to-role assignments, and thus allows decentralization of the policy administration tasks. Secondly, it also allows for specifying the domain of authority of the system administrators, and hence provides mechanism to distribute the administrative authority over multiple domains within the enterprise. The paper also illustrates the applicability of the administrative concepts presented in our framework for enterprise-wide access control.
Conference Paper
Recently, there has been considerable interest in attribute based access control (ABAC) to overcome the limitations of the dominant access control models (i.e, discretionary-DAC, mandatory-MAC and role based-RBAC) while unifying their advantages. Although some proposals for ABAC have been published, and even implemented and standardized, there is no consensus on precisely what is meant by ABAC or the required features of ABAC. There is no widely accepted ABAC model as there are for DAC, MAC and RBAC. This paper takes a step towards this end by constructing an ABAC model that has "just sufficient" features to be "easily and naturally" configured to do DAC, MAC and RBAC. For this purpose we understand DAC to mean owner-controlled access control lists, MAC to mean lattice-based access control with tranquility and RBAC to mean flat and hierarchical RBAC. Our central contribution is to take a first cut at establishing formal connections between the three successful classical models and desired ABAC models.
Conference Paper
We propose a new model for data storage and access in clouds. Our scheme avoids storing multiple encrypted copies of same data. In our framework for secure data storage, cloud stores encrypted data (without being able to decrypt them). The main novelty of our model is addition of key distribution centers (KDCs). We propose DACC (Distributed Access Control in Clouds) algorithm, where one or more KDCs distribute keys to data owners and users. KDC may provide access to particular fields in all records. Thus, a single key replaces separate keys from owners. Owners and users are assigned certain set of attributes. Owner encrypts the data with the attributes it has and stores them in the cloud. The users with matching set of attributes can retrieve the data from the cloud. We apply attribute-based encryption based on bilinear pairings on elliptic curves. The scheme is collusion secure; two users cannot together decode any data that none of them has individual right to access. DACC also supports revocation of users, without redistributing keys to all the users of cloud services. We show that our approach results in lower communication, computation and storage overheads, compared to existing models and schemes.
Article
In this paper, we propose a new privacy preserving authenticated access control scheme for securing data in clouds. In the proposed scheme, the cloud verifies the authenticity of the user without knowing the user's identity before storing information. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches.
Article
At present, the system described in this paper has not been approved by the Department of Defense for processing classified information. This paper does not represent DOD policy regarding industrial application of time- or resource-sharing of EDP equipment.
Article
Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architec-tures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches .
Article
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Article
Cloud computing presents new security challenges to control access to information in cloud services. This article describes an authorization model suitable for cloud computing that supports hierarchical role-based access control, path-based object hierarchies, and federation. The authors also present an authorization system architecture for implementing the model. In particular, they provide some technical implementation details, together with performance results from the prototype. They also describe security, privacy, and trust management aspects for the authorization system.
Conference Paper
Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.
Article
In the schematic protection model subjects are classified into protection types. Creation is authorized by a can-create binary relation on types. It is shown that with arbitrary cycles in can-create safety is undecidable. Whereas it has been previously shown safety is decidable for acyclic can-create. It is also shown that safety remains undedicable even if all creates are attenuating in that tickets (capabilities) given to a subject on its creation are attenuated copies of tickets available to its parent. This contrasts with decidable safety for attenuating cycles of length one. It appears safety is decidable for the practically useful cases while undecidability results from undue laxity in authorizing creation.
Conference Paper
Cloud computing, as an emerging computing paradigm, enables users to remotely store their data into a cloud so as to enjoy scalable services on-demand. Especially for small and medium-sized enterprises with limited budgets, they can achieve cost savings and productivity enhancements by using cloud-based services to manage projects, to make collaborations, and the like. However, allowing cloud service providers (CSPs), which are not in the same trusted domains as enterprise users, to take care of confidential data, may raise potential security and privacy issues. To keep the sensitive user data confidential against untrusted CSPs, a natural way is to apply cryptographic approaches, by disclosing decryption keys only to authorized users. However, when enterprise users outsource confidential data for sharing on cloud servers, the adopted encryption system should not only support fine-grained access control, but also provide high performance, full delegation, and scalability, so as to best serve the needs of accessing data anytime and anywhere, delegating within enterprises, and achieving a dynamic set of users. In this paper, we propose a scheme to help enterprises to efficiently share confidential data on cloud servers. We achieve this goal by first combining the hierarchical identity-based encryption (HIBE) system and the ciphertext-policy attribute-based encryption (CP-ABE) system, and then making a performance-expressivity tradeoff, finally applying proxy re-encryption and lazy re-encryption to our scheme.
Conference Paper
It has been recognized for some time that software alone does not provide an adequate foundation for building a high-assurance trusted platform. The emergence of industry-standard trusted computing technologies promises a revolution in this respect by providing roots of trust upon which secure applications can be developed. These technologies offer a particularly attractive platform for security in peer-to-peer environments. In this paper we propose a trusted computing architecture to enforce access control policies in such applications. Our architecture is based on an abstract layer of trusted hardware which can be constructed with emerging trusted computing technologies. A trusted reference monitor (TRM) is introduced beyond the trusted hardware. By monitoring and verifying the integrity and properties of running applications in a platform using the functions of trusted computing, the TRM can enforce various policies on behalf of object owners. We further extend this platform-based architecture to support user-based control policies, cooperating with existing services for user identity and attributes. This architecture and its refinements can be extended in future work to support general access control models such as lattice-based access control, role-based access control, and usage control.
Conference Paper
In traditional access control models like mandatory access control (MAC), discretionary access con- trol (DAC), and role-based access control (RBAC), authorization decisions are determined according to the identities of subjects and objects, which are authenticated by a system completely. Recent access con- trol practices, such as digital rights management (DRM), trust management, and usage control, require flexible authorization policies. In such systems, a subject may be only partially authenticated according to one or more attributes. Authorization policies are specified with subject and object attribute values. In this paper we propose an attribute-based access matrix model, named ABAM, which extends the original access matrix model. We show that ABAM enhances the expressive power of the access matrix model by supporting attribute-based authorizations and dynamic permission propagations. Specifically, ABAM is comprehensive enough to encompass traditional access control models as well as some usage control features. As expressive power and safety are two fundamental but conflictive objectives of an access con- trol model, we study the safety property of ABAM and conclude that the safety problem is decidable for a restricted case where attribute relationship graph allows no cycles containing creating-attribute tuples. The restricted case is shown to sustain good expressive power to model practical systems.
Conference Paper
In this paper, we introduce the notion of TeaM-based Access Control (TMAC) as an approach to applying rolebased access control in collaborative environments. Our focus is on collaborative activity that is best accomplished through organized teams. Thus, central to the TMAC approach is the notion of a “team” as an abstraction that encapsulates a collection of users in specific roles with the objective of accomplishing a specific task or goal. We were led to the idea of TMAC when our investigations revealed two interesting requirements for certain collaborative environments. The first was the need for a hybrid access control model that incorporated the advantages of broad, role-based permissions across object types, yet required fine-grained, identity-based control on individual users in certain roles and to individual object instances. The second was a need to distinguish the passive concept of permission assignment from the active concept of context-based permission activation. It remains to be seen whether these requirements should lead to yet another variation of one or more models of RBAC, or whether such requirements and
Article
The Internet enables global sharing of data across organizational boundaries. Distributed file systems facilitate data sharing in the form of remote file access. However, traditional access control mechanisms used in distributed file systems are intended for machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. We provide a survey of decentralized access control mechanisms in distributed file systems intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze both popular production and experimental distributed file systems in the context of our survey.
Article
Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to address efficiently a wide variety of practical considerations.
Article
The protection state of a system is defined by the privileges possessed by subjects at a given moment. Operations that change this state are themselves authorized by the current state. This poses a design problem in constructing the initial state so that all derivable states conform to a particular policy. It also raises an analysis problem of characterizing the protection states derivable from a given initial state. A protection model provides a framework for both design and analysis. Design generality and tractable analysis are inherently conflicting goals. Analysis is particularly difficult if creation of subjects is permitted. The schematic protection model resolves this conflict by classifying subjects and objects into protection types. The privileges possessed by a subject consist of a type-determined part specified by a static protection scheme and a dynamic part consisting of tickets (capabilities). It is shown that analysis is tractable for this model provided certain restrictions are imposed on subject creation. A scheme authorizes creation of subjects via a binary relation on subject types. Our principal constraint is that this relation be acyclic, excepting loops that authorize a subject to create subjects of its own type. Our assumptions admit a variety of useful systems.
Article
It is shown that the large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations. A new approach is described in which: (1) an individual uses a different account number or 'digital pseudonym' with each organization; (2) individuals conduct transactions using personal card computers that might take a form similar to a credit-card-sized calculator, and include a character display, keyboard, and a limited distance communication capability; (3) individuals keep secret keys from organizations and organizations devise other secret keys that are kept from individuals.
Article
This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by the semantics of information flow. The lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security. The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches. It also leads to the construction of automatic program certification mechanisms for verifying the secure flow of information through a program.
Article
Thesis. 1977. M.S.--Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. MICROFICHE COPY AVAILABLE IN ARCHIVES AND ENGINEERING. Bibliography : leaves 131-139. M.S.
Article
As computing technology becomes more pervasive and broadband services are deployed into residential communities, new applications will emerge for the home and community environment. These applications will assist people in a variety of daily activities by enabling them to create, access, and manipulate information about the residents and resources in their homes. In a connected community, resources in the home and information about the residents of the home will be remotely accessible to both residents and guests, as well as to potentially malicious users. These new applications, as well as their users and environment, pose new security challenges. The challenges stem from two factors: the nature of the home itself---a private space with a wealth of personal and sensitive information---and the limited technical knowledge and capabilities of the home's residents. We are addressing the problem of securing applications that will access and control information resources in the home of the future. Specifically, we are designing a security system based on a paradigm called Generalized Role-Based Access Control (GRBAC). GRBAC is an extension of traditional Role-Based Access Control (RBAC). It enhances traditional RBAC by incorporating the notion of object roles and environment roles, with the traditional notion of subject roles. These new types of roles allow one to define rich, easy-to-understand security policies without having significant technical knowledge of the underlying computer systems that implement those policies. In this paper, we motivate the need for GRBAC, provide a high-level description of it and demonstrate its usefulness and flexibility via several example applications.
Article
The protection mechanisms of computer systems control the access to objects, especially information objects. The principles of protection system design are formalized as a model (theory) of protection. Each process has a unique identification number which is attached by the system to each access attempted by the process. Details of system implementation are discussed, taking into account the storing of the access matrix, aspects of efficiency, and the selection of subjects and objects. Two systems which have protection features incorporating all the elements of the model are described.
Conference Paper
For companies and government agencies alike, the emergence of Web services technologies and the evolution of distributed systems toward service oriented architectures (SOA) have helped promote collaboration and information sharing by breaking down "stove-piped" systems and connecting them via loosely coupled, interoperable system-to-system interfaces. Such architectures, however, also bring about their own security challenges that require due consideration. Unfortunately, the current information security mechanisms are insufficient to address these challenges. In particular, the access control models today are mostly static and coarsely grained; they are not well-suited for the service-oriented environments where information access is dynamic and ad-hoc in nature. This paper outlines the access control challenges for Web services and SOA, and proposes an attribute based access control (ABAC) model as a new approach, which is based on subject, object, and environment attributes and supports both mandatory and discretionary access control needs. The paper describes the ABAC model in terms of its authorization architecture and policy formulation, and makes a detailed comparison between ABAC and traditional role-based models, which clearly shows the advantages of ABAC. The paper then describes how this new model can be applied to securing Web service invocations, with an implementation based on standard protocols and open-source tools. The paper concludes with a summary of the ABAC model's benefits and some future directions.
Conference Paper
The typed access matrix (TAM) model is defined by introducing the notion of strong typing into the Harrison, Ruzzo, and Ullman model (HRU) (M. H. Harrison et al., 1978). It is shown that monotonic TAM (MTAM) has decidable, but NP-hard, safety for its acyclic creation cases. It is further shown that ternary MTAM has polynomial time safety analysis for its acyclic cases, even though it is, in general, equivalent to MTAM. Ternary MTAM thus has strong safety properties. The expressive power of ternary MTAM has been shown to be equivalent to MTAM in general. The results establish that strong typing is crucial to achieving a useful demarcation between decidable and undecidable safety, and ternary monotonic commands are critical for tractable safety analysis