Abstract
Collaborative systems such as Grids provide efficient and scalable access to distributed computing capabilities and enable seamless resource sharing between users and platforms. This heterogeneous distribution of resources and the various modes of collaboration that exist between users, virtual organizations, and resource providers require scalable, flexible, and fine-grained access control to protect both individual and shared computing resources. In this article, we propose a usage control (UCON) based security framework for collaborative applications, by following a layered approach with policy, enforcement, and implementation models, called the PEI framework. In the policy model layer, UCON policies are specified with predicates on subject and object attributes, along with system attributes as conditional constraints and user actions as obligations. General attributes include not only persistent attributes such as role and group memberships but also mutable usage attributes of subjects and objects. Conditions in UCON can be used to support context-based authorizations in ad hoc collaborations. In the enforcement model layer, our novel framework uses a hybrid approach for subject attribute acquisition with both push and pull modes. By leveraging attribute propagation between a centralized attribute repository and distributed policy decision points, our architecture supports decision continuity and attribute mutability of the UCON policy model, as well as obligation evaluations during policy enforcement. As a proof of concept, we implement a prototype system based on our proposed architecture and conduct experimental studies to demonstrate the feasibility and performance of our approach.
Toward a Usage-Based Security Framework for Collaborative Computing Systems