
Toward a Usage-Based Security Framework for Collaborative Computing Systems

Published: 05 February 2008

Abstract

Collaborative systems such as Grids provide efficient and scalable access to distributed computing capabilities and enable seamless resource sharing between users and platforms. This heterogeneous distribution of resources and the various modes of collaborations that exist between users, virtual organizations, and resource providers require scalable, flexible, and fine-grained access control to protect both individual and shared computing resources. In this article we propose a usage control (UCON) based security framework for collaborative applications, by following a layered approach with policy, enforcement, and implementation models, called the PEI framework. In the policy model layer, UCON policies are specified with predicates on subject and object attributes, along with system attributes as conditional constraints and user actions as obligations. General attributes include not only persistent attributes such as role and group memberships but also mutable usage attributes of subjects and objects. Conditions in UCON can be used to support context-based authorizations in ad hoc collaborations. In the enforcement model layer, our novel framework uses a hybrid approach for subject attribute acquisition with both push and pull modes. By leveraging attribute propagations between a centralized attribute repository and distributed policy decision points, our architecture supports decision continuity and attribute mutability of the UCON policy model, as well as obligation evaluations during policy enforcement. As a proof-of-concept, we implement a prototype system based on our proposed architecture and conduct experimental studies to demonstrate the feasibility and performance of our approach.
