CONTEXT-AWARE ACCESS CONTROL IN UBIQUITOUS COMPUTING (CRAAC)

Ubiquitous computing (UbiComp) envisions a new computing environment, where computing devices and related technology are widespread (i.e. everywhere) and services are provided at any time. The technology is embedded discreetly in the environment to raise users' awareness. UbiComp environments support the proliferation of heterogeneous devices such as embedded computing devices, personal digital assistants (PDAs), wearable computers, mobile phones, laptops, office desktops (PCs), and hardware sensors. These devices may be interconnected by common networks (e.g. wired, wireless), and may have different levels of capabilities (i.e. computational power, storage, power consumption, etc.). They are seamlessly integrated and interoperate to provide smart services (i.e. adaptive services). A UbiComp environment provides smart services to users based on the users' and/or system's current contexts. It provides the services to users unobtrusively, and in turn the user's interactions with the environment should be as non-intrusive and as transparent as possible. Access to such smart services and devices must be controlled by an effective access control system that adapts its decisions based on the changes in the surrounding contextual information.

This thesis aims at designing an adaptive fine-grained access control solution that seamlessly fits into UbiComp environments. The solution should be flexible in supporting the use of different contextual information and efficient, in terms of access delays, in controlling access to resources with divergent levels of sensitivity. The main contribution of this thesis is the proposal of the Context-Risk-Aware Access Control (CRAAC) model. CRAAC achieves fine-grained access control based upon the risk level in the underlying access environment and/or the sensitivity level of the requested resource object. CRAAC makes new contributions to the access control field. These include: 1) introducing the concept of level of assurance based access control, 2) providing a method to convert contextual attribute values into the corresponding level of assurance, 3) proposing two methods to aggregate the set of levels of assurance into one requester level of assurance, 4) supporting four modes of working, each of which suits a different application context and/or access control requirements, 5) a comprehensive access control architecture that supports the four CRAAC modes of working, and 6) an evaluation of the CRAAC performance at runtime.
