Abstract
Autonomic communication and computing is a new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners. For many services no autonomic partner may guess a priori what will be sent by clients nor clients know a priori what credentials are required to access a service.
To address this problem we propose a new interactive access control: servers should interact with clients, asking for missing credentials necessary to grant access, whereas clients may supply or decline the requested credentials. Servers evaluate their policies and interact with clients until a decision of grant or deny is taken.
This proposal is grounded in a formal model on policy-based access control. It identifies the formal reasoning services of deduction, abduction and consistency. Based on them, the work proposes a comprehensive access control framework for autonomic systems. An implementation of the interactive model is given followed by system performance evaluation.
- Apt, K. 1990. Logic programming. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed. Elsevier. Google Scholar
Digital Library
- Baselice, S., Bonatti, P. A., and Faella, M. 2007. On interoperable trust negotiation strategies. In Proceedings of the IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07). IEEE Computer Society, 39--50. Google Scholar
Digital Library
- Becker, M. Y. and Nanz, S. 2008. The role of abduction in declarative authorization policies. In Proceedings of the 10th International Symposium on Practical Aspects of Declarative Languages (PADL'08). Google Scholar
Digital Library
- Bertino, E., Catania, B., Ferrari, E., and Perlasca, P. 2001. A logical framework for reasoning about access control models. In Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT). ACM Press, 41--52. Google Scholar
Digital Library
- Bertino, E., Ferrari, E., and Squicciarini, A. C. 2004. Trust-X: A peer-to-peer framework for trust establishment. IEEE Trans. Knowl. Data Eng. 16, 7, 827--842. Google Scholar
Digital Library
- Bonatti, P. and Samarati, P. 2002. A unified framework for regulating access and information release on the web. J. Comput. Secur. 10, 3, 241--272. Google Scholar
Digital Library
- Constandache, I., Olmedilla, D., and Siebenlist, F. 2007. Policy-driven negotiation for authorization in the grid. In Proceedings of the IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07). IEEE Computer Society, 211--220. Google Scholar
Digital Library
- Damianou, N., Dulay, N., Lupu, E., and Sloman, M. 2001. The Ponder policy specification language. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY'01). IEEE Computer Society, 18--38. Google Scholar
Digital Library
- De Capitani di Vimercati, S. and Samarati, P. 2001. Access control: Policies, models, and mechanism. In Foundations of Security Analysis and Design—Tutorial Lectures, R. Focardi and F. Gorrieri, Eds. Lecture Notes in Computer Science, vol. 2171. Springer-Verlag.Google Scholar
- Denecker, M. and Schreye, D. D. 1998. SLDNFA: An abductive procedure for abductive logic programs. J. Logic Progr. 34, 2, 111--167.Google Scholar
Cross Ref
- Eiter, T., Gottlob, G., and Leone, N. 1997. Abduction from logic programs: Semantics and complexity. Theor. Comput. Sci. 189, 1-2, 129--177. Google Scholar
Digital Library
- Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., and Chandramouli, R. 2001. Proposed NIST standard for role-based access control. ACM Trans. Inform. Syst. Secur. 4, 3, 224--274. Google Scholar
Digital Library
- Gelfond, M. and Lifschitz, V. 1988. The stable model semantics for logic programming. In Proceedings of the 5th International Conference on Logic Programming (ICLP'88), R. Kowalski and K. Bowen, Eds. MIT-Press, 1070--1080.Google Scholar
- Kapadia, A., Sampemane, G., and Campbell, R. H. 2004. Know why your access was denied: Regulating feedback for usable security. In Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM Press, 52--61. Google Scholar
Digital Library
- Koshutanski, H. and Massacci, F. 2005. Interactive credential negotiation for stateful business processes. In Proceedings of the 3rd International Conference on Trust Management (iTrust). Lecture Notes in Computer Science, vol. 3477. Springer-Verlag, 257--273. Google Scholar
Digital Library
- Koshutanski, H. and Massacci, F. 2007. A negotiation scheme for access rights establishment in autonomic communication. J. Netw. Syst. Manag. 15, 1, 117--136. Springer. Google Scholar
Digital Library
- Leone, N., Pfeifer, G., Faber, W., Eiter, T., Gottlob, G., Perri, S., and Scarcello, F. 2006. The DLV system for knowledge representation and reasoning. ACM Trans. Comput. Logic. http://www.arxiv.org/ps/cs.AI/0211004. Google Scholar
Digital Library
- Li, J., Li, N., and Winsborough, W. H. 2005. Automated trust negotiation using cryptographic credentials. In Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM Press, 46--57. Google Scholar
Digital Library
- Li, N., Grosof, B. N., and Feigenbaum, J. 2003. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inform. Syst. Secur. 6, 1, 128--171. Google Scholar
Digital Library
- Li, N., Mitchell, J. C., and Winsborough, W. H. 2002. Design of a role-based trust-management framework. In Proceedings of the IEEE Symposium on Security and Privacy (S&P'02). IEEE Press, 114--130. Google Scholar
Digital Library
- Lymberopoulos, L., Lupu, E., and Sloman, M. 2003. An adaptive policy based framework for network services management. J. Netw. Syst. Manag. 11, 3, 277--303. Google Scholar
Digital Library
- Nejdl, W., Olmedilla, D., and Winslett, M. 2004. PeerTrust: Automated trust negotiation for peers on the semantic web. In VLDB Workshop on Secure Data Management (SDM). Lecture Notes in Computer Science, vol. 3178. Springer, 118--132.Google Scholar
- Saltzer, J. H. and Schroeder, M. D. 1975. The protection of information in computer systems. Proc. IEEE 63, 9, 1278--1308.Google Scholar
Cross Ref
- Seamons, K. and Winsborough, W. 2002. Automated trust negotiation. US Patent and Trademark Office. IBM Corporation, patent application filed March 7, 2000.Google Scholar
- Shanahan, M. 1989. Prediction is deduction but explanation is abduction. In Proceedings of the 11th International Joint Conference on Artificial Intelligence. Morgan Kaufmann, 1055--1060.Google Scholar
- Sloman, M. and Lupu, E. 1999. Policy specification for programmable networks. In Proceedings of the 1st International Working Conference on Active Networks. Springer-Verlag, 73--84. Google Scholar
Digital Library
- Smirnov, M. 2003. Rule-based systems security model. In Proceedings of the 2nd International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS). Springer-Verlag Press, 135--146.Google Scholar
Cross Ref
- SPKI. 1999. SPKI certificate theory. IETF RFC 2693.Google Scholar
- Verbaeten, S. 1999. Termination analysis for abductive general logic programs. In Proceedings of the International Conference on Logic Programming. MIT Press, 365--379. Google Scholar
Digital Library
- Weeks, S. 2001. Understanding trust management systems. In Proceedings of the IEEE Symposium on Security and Privacy (SS&P). IEEE Press. Google Scholar
Digital Library
- Winsborough, W. H. and Li, N. 2006. Safety in automated trust negotiation. ACM Trans. Inform. Syst. Secur. 9, 3, 352--390. Google Scholar
Digital Library
- Winslett, M., Yu, T., Seamons, K., Hess, A., Jacobson, J., Jarvis, R., Smith, B., and Yu, L. 2002. Negotiating trust in the Web. IEEE Internet Comput. 6, 6, 30--37. Google Scholar
Digital Library
- Winslett, M., Zhang, C. C., and Bonatti, P. A. 2005. PeerAccess: a logic for distributed authorization. In Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM Press, 168--179. Google Scholar
Digital Library
- X.509. 2005. The directory: Public-key and attribute certificate frameworks. ITU-T Recommendation X.509:2005 ∣ ISO/IEC 9594-8:2005.Google Scholar
- Yu, T. and Winslett, M. 2003. A unified scheme for resource protection in automated trust negotiation. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE press, 110--122. Google Scholar
Digital Library
- Yu, T., Winslett, M., and Seamons, K. E. 2003. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Trans. Inform. Syst. Secur. 6, 1, 1--42. Google Scholar
Digital Library
Index Terms
Interactive access control for autonomic systems: From theory to implementation
Recommendations
An access control framework for business processes for web services
XMLSEC '03: Proceedings of the 2003 ACM workshop on XML securityBusiness Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises.Whereas the security and access control policies for basic web services and distributed systems are well studied and almost ...
Flexible support for multiple access control policies
Although several access control policies can be devised for controlling access to information, all existing authorization models, and the corresponding enforcement mechanisms, are based on a specific policy (usually the closed policy). As a consequence, ...
Configuring role-based access control to enforce mandatory and discretionary access control policies
Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...






Comments