Interactive access control for autonomic systems: From theory to implementation

Autonomic communication and computing is a new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners. For many services no autonomic partner may guess a priori what will be sent by clients nor clients know a priori what credentials are required to access a service. To address this problem we propose a new interactive access control: servers should interact with clients, asking for missing credentials necessary to grant access, whereas clients may supply or decline the requested credentials. Servers evaluate their policies and interact with clients until a decision of grant or deny is taken. This proposal is grounded in a formal model on policy-based access control. It identifies the formal reasoning services of deduction, abduction and consistency. Based on them, the work proposes a comprehensive access control framework for autonomic systems. An implementation of the interactive model is given followed by system performance evaluation.

[1]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[2]  Michael Smirnov Rule-Based Systems Security Model , 2003, MMM-ACNS.

[3]  Elisa Bertino,et al.  Trust-/spl Xscr/;: a peer-to-peer framework for trust establishment , 2004, IEEE Transactions on Knowledge and Data Engineering.

[4]  Fabio Massacci,et al.  Interactive Credential Negotiation for Stateful Business Processes , 2005, iTrust.

[5]  Sebastian Nanz,et al.  The Role of Abduction in Declarative Authorization Policies , 2008, PADL.

[6]  Georg Gottlob,et al.  Abduction from Logic Programs: Semantics and Complexity , 1997, Theor. Comput. Sci..

[7]  Marianne Winslett,et al.  PeerAccess: a logic for distributed authorization , 2005, CCS '05.

[8]  K.E. Seamons,et al.  Automated trust negotiation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[9]  Fabio Massacci,et al.  A Negotiation Scheme for Access Rights Establishment in Autonomic Communication , 2006, Journal of Network and Systems Management.

[10]  Ninghui Li,et al.  Automated trust negotiation using cryptographic credentials , 2005, CCS '05.

[11]  Marianne Winslett,et al.  Negotiating Trust on the Web , 2002, IEEE Internet Comput..

[12]  Piero A. Bonatti,et al.  On Interoperable Trust Negotiation Strategies , 2007, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07).

[13]  Emil C. Lupu,et al.  Policy Specification for Programmable Networks , 1999, IWAN.

[14]  Ninghui Li,et al.  Safety in automated trust negotiation , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[15]  Elisa Bertino,et al.  A logical framework for reasoning about access control models , 2001, SACMAT '01.

[16]  SamaratiPierangela,et al.  A uniform framework for regulating service access and information release on the web , 2002 .

[17]  Pierangela Samarati,et al.  A Uniform Framework for Regulating Service Access and Information Release on the Web , 2002, J. Comput. Secur..

[18]  J. van Leeuwen,et al.  Logic Programming , 2002, Lecture Notes in Computer Science.

[19]  Emil C. Lupu,et al.  An Adaptive Policy-Based Framework for Network Services Management , 2003, Journal of Network and Systems Management.

[20]  Marianne Winslett,et al.  A unified scheme for resource protection in automated trust negotiation , 2003, 2003 Symposium on Security and Privacy, 2003..

[21]  Ionut Constandache,et al.  Policy-Driven Negotiation for Authorization in the Grid , 2007, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07).

[22]  Sabrina De Capitani di Vimercati,et al.  Access Control: Policies, Models, and Mechanisms , 2000, FOSAD.

[23]  Stephen Weeks,et al.  Understanding trust management systems , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[24]  Roy H. Campbell,et al.  KNOW Why your access was denied: regulating feedback for usable security , 2004, CCS '04.

[25]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[26]  Marianne Winslett,et al.  Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation , 2003, TSEC.

[27]  Wolfgang Faber,et al.  The DLV system for knowledge representation and reasoning , 2002, TOCL.

[28]  Murray Shanahan,et al.  Prediction is Deduction but Explanation is Abduction , 1989, IJCAI.

[29]  Danny De Schreye,et al.  SLDNFA: An Abductive Procedure for Abductive Logic Programs , 1998, J. Log. Program..

[30]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[31]  Joan Feigenbaum,et al.  Delegation logic: A logic-based approach to distributed authorization , 2003, TSEC.

[32]  Krzysztof R. Apt,et al.  Logic Programming , 1990, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.

[33]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[34]  Sofie Verbaeten Termination Analysis for Abductive General Logic Programs , 1999, ICLP.

[35]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[36]  Marianne Winslett,et al.  PeerTrust: Automated Trust Negotiation for Peers on the Semantic Web , 2004, Secure Data Management.