Representation and evaluation of security policies for distributed system services

We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The generic authorization and access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero resource manager and globus security, infrastructure.

[1]  Li Gong,et al.  Implementing Protection Domains in the JavaTM Development Kit 1.2 , 1998, NDSS.

[2]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[3]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[4]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[5]  Ami Marowka,et al.  The GRID: Blueprint for a New Computing Infrastructure , 2000, Parallel Distributed Comput. Pract..

[6]  Nataraj Nagaratnam,et al.  Resource Access Control for an Internet User Agent , 1997, COOTS.

[7]  Prasun Dewan,et al.  Access control for collaborative environments , 1992, CSCW '92.

[8]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[9]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[10]  Katia Obraczka,et al.  The performance of a reliable, request-response transport protocol , 1999, Proceedings IEEE International Symposium on Computers and Communications (Cat. No.PR00250).

[11]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[12]  Simon S. Lam,et al.  Designing a distributed authorization service , 1998, Proceedings. IEEE INFOCOM '98, the Conference on Computer Communications. Seventeenth Annual Joint Conference of the IEEE Computer and Communications Societies. Gateway to the 21st Century (Cat. No.98.

[13]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[14]  B. Clifford Neuman,et al.  Proxy-based authorization and accounting for distributed systems , 1993, [1993] Proceedings. The 13th International Conference on Distributed Computing Systems.

[15]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[16]  Martín Abadi,et al.  A calculus for access control in distributed systems , 1991, TOPL.

[17]  Ravi S. Sandhu,et al.  Role-based access control: a multi-dimensional view , 1994, Tenth Annual Computer Security Applications Conference.