Interactive access control for autonomic systems: From theory to implementation

Published: 13 August 2008

Abstract

Autonomic communication and computing is a new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners. For many services no autonomic partner may guess a priori what will be sent by clients nor clients know a priori what credentials are required to access a service.

To address this problem we propose a new interactive access control: servers should interact with clients, asking for missing credentials necessary to grant access, whereas clients may supply or decline the requested credentials. Servers evaluate their policies and interact with clients until a decision of grant or deny is taken.

This proposal is grounded in a formal model on policy-based access control. It identifies the formal reasoning services of deduction, abduction and consistency. Based on them, the work proposes a comprehensive access control framework for autonomic systems. An implementation of the interactive model is given followed by system performance evaluation.
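
The interaction loop and the three reasoning services named above can be sketched as follows. This is an added example, not the paper's implementation: the Horn-rule policy, the credential names, the conflict constraint and the brute-force search for a smallest missing set are all constructed assumptions.

```python
from itertools import combinations

# Constructed policy (assumption, not from the paper): Horn rules (head, body).
POLICY = [
    ("grant", {"employee", "vpn_cert"}),
    ("grant", {"partner", "nda_signed"}),
    ("employee", {"staff_badge"}),
]
# Constructed constraint: these credentials must never be held together.
CONFLICTS = [{"staff_badge", "partner"}]
CREDENTIALS = ["staff_badge", "vpn_cert", "partner", "nda_signed"]

def deduce(facts):
    """Deduction: forward-chain the rules to a fixpoint."""
    known, changed = set(facts), True
    while changed:
        changed = False
        for head, body in POLICY:
            if head not in known and body <= known:
                known.add(head)
                changed = True
    return known

def consistent(facts):
    """Consistency: no conflict set is fully contained in the facts."""
    return not any(c <= set(facts) for c in CONFLICTS)

def abduce(presented, declined):
    """Abduction: a smallest consistent set of missing credentials yielding grant."""
    pool = [c for c in CREDENTIALS if c not in presented and c not in declined]
    for size in range(1, len(pool) + 1):
        for extra in combinations(pool, size):
            facts = set(presented) | set(extra)
            if consistent(facts) and "grant" in deduce(facts):
                return set(extra)
    return None  # nothing the client could still send would grant access

def negotiate(presented, will_disclose):
    """Server loop: request missing credentials until grant or deny."""
    presented, declined, asked = set(presented), set(), []
    if not consistent(presented):
        return "deny", asked
    while "grant" not in deduce(presented):
        missing = abduce(presented, declined)
        if missing is None:
            return "deny", asked
        asked.append(sorted(missing))
        for cred in missing:  # client supplies or declines each request
            (presented if cred in will_disclose else declined).add(cred)
    return "grant", asked
```

The second element of the result is the sequence of credential requests the server issued, which is also what a client learns about the policy during the exchange.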
