Pluggable Authorization and Distributed Enforcement with pam_xacml

Access control is a critical function in distributed systems: services and resources must be protected from unauthorized access. The prevalent practice is that service-specific policies reside at the services and govern access control there, which makes it hard to keep the distributed authorization policies consistent with the organization's global security policy. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires integrating the authorization method with a large application base, but the XACML standard does not provide a strategy for integrating XACML with existing applications. We present pam_xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We show how existing applications can leverage XACML without modification and state the benefits of using our extended version of the PAM authorization API. Our experimental results quantify the impact of security and of connection establishment when remote Policy Decision Points (PDPs) are used. Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.
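The following is an added illustration of the architecture the abstract describes, not code from pam_xacml or from the paper: a PAM-style policy enforcement point that turns the (user, service, action) triple an application already hands to PAM into an XACML request, ships it to a policy decision point, and maps the decision back to a PAM return code. The in-process `SimplePdp`, the `UnreachablePdp` stand-in for a remote PDP whose connection cannot be established, the policy rules and the user names are all constructed for the example; only the XACML 1.0 context namespace, the standard subject/resource/action attribute identifiers and the Linux-PAM return-code values are real. The point a practitioner should take from it is the fail-closed mapping: only an explicit Permit becomes PAM_SUCCESS, and a PDP that cannot be reached never does.

```python
"""Toy PAM-style PEP that asks an XACML PDP for account-management decisions.

Added example, not pam_xacml's own code. The policy, users and in-process
PDP are constructed; the XACML identifiers and PAM codes are the real ones.
"""
import xml.etree.ElementTree as ET

NS_CTX = "urn:oasis:names:tc:xacml:1.0:context"      # XACML 1.0 request/response namespace
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Return codes, with Linux-PAM's numeric values.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTHINFO_UNAVAIL = 9


def _q(tag):
    """Namespace-qualify an XACML context tag for ElementTree."""
    return "{%s}%s" % (NS_CTX, tag)


def build_request(user, service, action):
    """Serialise (user, service, action) as an XACML <Request>; the PAM service name is the resource."""
    req = ET.Element(_q("Request"))
    for section, attr_id, value in (("Subject", SUBJECT_ID, user),
                                     ("Resource", RESOURCE_ID, service),
                                     ("Action", ACTION_ID, action)):
        sec = ET.SubElement(req, _q(section))
        attr = ET.SubElement(sec, _q("Attribute"), AttributeId=attr_id, DataType=STRING)
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(req, encoding="utf-8")


def _attr(root, section, attr_id):
    """Fetch one attribute value out of a parsed <Request>, or None if absent."""
    for a in root.findall("%s/%s" % (_q(section), _q("Attribute"))):
        if a.get("AttributeId") == attr_id:
            return a.findtext(_q("AttributeValue"))
    return None


class SimplePdp:
    """Constructed in-process stand-in for a remote PDP.

    Rules are (subject, resource, action, effect) tuples, '*' matches anything,
    and the combining algorithm is deny-overrides.
    """

    def __init__(self, rules):
        self.rules = rules

    def evaluate(self, request_xml):
        root = ET.fromstring(request_xml)
        facts = (_attr(root, "Subject", SUBJECT_ID),
                 _attr(root, "Resource", RESOURCE_ID),
                 _attr(root, "Action", ACTION_ID))
        effects = {eff for subj, res, act, eff in self.rules
                   if all(p == "*" or p == f for p, f in zip((subj, res, act), facts))}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class UnreachablePdp:
    """Constructed stand-in for a remote PDP whose connection cannot be established."""

    def evaluate(self, request_xml):
        raise ConnectionError("PDP unreachable")


def pam_acct_mgmt_via_xacml(pdp, user, service, action="login"):
    """What a pam_acct_mgmt-style hook returns for this request.

    Only an explicit Permit maps to PAM_SUCCESS; Deny and NotApplicable are
    denied, and any failure to obtain a decision fails closed.
    """
    try:
        decision = pdp.evaluate(build_request(user, service, action))
    except (OSError, ET.ParseError):      # ConnectionError is an OSError
        return PAM_AUTHINFO_UNAVAIL
    return PAM_SUCCESS if decision == "Permit" else PAM_PERM_DENIED


# Constructed policy: anyone may log in through sshd, except the 'guest' account.
POLICY = [("*", "sshd", "login", "Permit"),
          ("guest", "sshd", "login", "Deny")]

if __name__ == "__main__":
    pdp = SimplePdp(POLICY)
    for user, svc in (("alice", "sshd"), ("guest", "sshd"), ("alice", "ftpd")):
        print(user, svc, pam_acct_mgmt_via_xacml(pdp, user, svc))
    print("unreachable PDP:", pam_acct_mgmt_via_xacml(UnreachablePdp(), "alice", "sshd"))
```

The application calling PAM sees nothing but the usual return code, which is what lets it adopt XACML without modification; the XML request is the unit whose serialisation, transport and (if the PDP is remote) connection setup the paper's measurements cost out. The `alice`/`ftpd` case shows why NotApplicable must not be treated as success: a policy that simply does not mention a service says nothing about whether access is allowed.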
