Conflict Detection and Resolution in Context-Aware Authorization

Pervasive computing environments introduce new requirements in expressiveness and flexibility of access control policies which are almost addressable leveraging contextual information. Although context-awareness augments the expressiveness of policies, it increases the probability of arising conflicts. Generally, context-aware authorizations are defined using some contextual constraints on the involved entities in an access request. Accordingly, principles like "more specific overrides", which are employed to resolve possible conflicts, are required to consider the contextual constraints. In this paper, we formalize the use of context constraints in a typical context-aware multi-authority policy model; each authority is capable of defining an expressive conflict resolution policy leveraging context-based precedence establishment principles. Based on the policy model, we propose a comprehensive graph-based approach to resolve conflicts. The strength of the approach is that conflict detection which requires context-based inference is almost done statically and resolution is left for run-time.

[1]  Amirreza Masoumzadeh,et al.  Context-Aware Provisional Access Control , 2006, ICISS.

[2]  R. Sandhu,et al.  Access control: principles and practice , 1994, IEEE Commun. Mag..

[3]  Sabrina De Capitani di Vimercati,et al.  Access Control: Policies, Models, and Mechanisms , 2000, FOSAD.

[4]  P. Samarati,et al.  Access control: principle and practice , 1994, IEEE Communications Magazine.

[5]  Ravi S. Sandhu,et al.  Models, protocols, and architectures for secure pervasive computing: challenges and research directions , 2004, IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004. Proceedings of the Second.

[6]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[7]  Weili Han,et al.  Context-sensitive access control model and implementation , 2005, The Fifth International Conference on Computer and Information Technology (CIT'05).

[8]  Simona Ronchi Della Rocca,et al.  λ Δ -Models , 2004 .

[9]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[10]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[11]  Klara Nahrstedt,et al.  A Middleware Infrastructure for Active Spaces , 2002, IEEE Pervasive Comput..

[12]  Roy H. Campbell,et al.  Cerberus: a context-aware security scheme for smart spaces , 2003, Proceedings of the First IEEE International Conference on Pervasive Computing and Communications, 2003. (PerCom 2003)..

[13]  Anind K. Dey,et al.  Understanding and Using Context , 2001, Personal and Ubiquitous Computing.

[14]  Vijay Varadharajan,et al.  A formal graph based framework for supporting authorization delegations and conflict resolutions , 2003, International Journal of Information Security.

[15]  Elisa Bertino,et al.  A model of authorization for next-generation database systems , 1991, TODS.

[16]  Ravi S. Sandhu,et al.  Induced role hierarchies with attribute-based RBAC , 2003, SACMAT '03.

[17]  Jadwiga Indulska,et al.  Methods for conflict resolution in policy-based management systems , 2003, Seventh IEEE International Enterprise Distributed Object Computing Conference, 2003. Proceedings..

[18]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[19]  Alessandra Russo,et al.  Using event calculus to formalise policy specification and analysis , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[20]  Seng Wai Loke,et al.  Methods for policy conflict detection and resolution in pervasive computing environments. , 2005, WWW 2005.