Access control lists in password capability environments

With reference to a protection system featuring active subjects that attempt to access passive, typed objects,we propose a set of mechanisms supporting the distribution,verification,review and revocation of access privileges. In our approach, a protection domain is a collection of access rights for the protected objects. An access control list is associated with each object to specify the access rights in each domain. Objects are grouped into clusters.To access the objects in a given cluster, a subject presents a gate referencing this cluster. The gate is a form of password capability that identifies one or more domains.The gate grants the access rights specified for these domains by the access control lists of the objects in the cluster. A subject that holds a gate and is aimed at distributing the access privileges in this gate in restricted form can reduce the gate to eliminate domains; the gate reduction procedure requires no intervention of the protection system. A small set of protection primitives allows subjects to manage objects and access control lists. Forms of revocation of access permissions are supported, at both levels of gates and access control lists

Password capabilities revisited

With reference to a distributed system consisting of nodes connected by a local area network, we present a new formulation of the password capability paradigm that takes advantage of techniques of symmetric-key cryptography to represent password capabilities in memory.We assign a cryptographic key to each application; the password capabilities held by a process of a given application are encrypted by using the key of this application. Passwords are associated with object types;two or more objects of the same type, which are allocated to the same node, share the same set of passwords. Our password capability paradigm preserves all the advantages concerning simplicity in access right representation and administration (distribution,verification,review and revocation) that characterize the classical paradigm, while keeping the memory requirements for password storage low and solving the problems connected with password capability stealing and forging

Memory protection in embedded systems

With reference to an embedded system featuring no support for memory management, we present a model of a protection system based on passwords. At the hardware level, our model takes advantage of a memory protection unit (MPU) interposed between the processor and the complex of the main memory and the input-output devices. The MPU supports both concepts of a protection context and a protection domain. A protection context is a set of access rights for the memory pages; a protection domain is a set of one or more protection contexts. Passwords are associated with protection domains. A process that holds a given password can take advantage of this password to activate the corresponding domain. A small set of protection primitives makes it possible to modify the composition of the domains in a strictly controlled fashion. The proposed protection model is evaluated from a number of important viewpoints, which include password distribution, review and revocation, the memory requirements for storage of the information concerning protection, and the time necessary for password validation

Access right management by extended password capabilities

With reference to a classic protection system featuring active subjects that reference protected objects, we approach the problem of identifying the objects that each subject can access, and the operations that the subject can carry out on these objects. Password capabilities are a classical solution to this problem. We propose a new form of password capability, called extended password capability (or e-capability, for short). An e-capability can specify any combination of access rights. A subject that holds a given e-capability can generate new e-capabilities for reduced sets of access rights. Furthermore, a subject that created a given object is in a position to revoke the access permissions granted by every e-capability referencing this object, completely or in part. The size of an e-capability is comparable to that of a traditional password capability. The number of passwords that need to be stored in memory permanently is kept to a minimum, and is equal to a single password for each object

Key management in tree shaped hierarchies

We refer to an access control system based on subjects and objects. Subjects are active entities, e.g. processes, while objects are passive entities, e.g. messages exchanged between the nodes of a distributed computing environment. The system is partitioned into security classes organized into a tree shaped hierarchy. A subject assigned to a given class can access the objects in this class and in all the classes that descend from this class in the class hierarchy. To this aim, a key is associated with each class. A mechanism of the protection system, called key derivation, allows a subject that holds the key of a given class to transform this key into the keys of the descendant classes. This mechanism is based on a single, publicly known one-way function. If the class hierarchy is modified, by adding a new class or deleting an existing class, the necessary form of key redistribution is partial, and is limited to the classes in the subtree of the root that is involved in the change

Object Protection in Distributed Systems

Withreferencetoadistributedsystemconsistingofnodesconnectedbyalocalareanetwork,we consider a salient aspect of the protection problem, the representation of access permissions and protection domains. We present a model of a protection system supporting typed objects. Possession of an access permission for a given object is certified by possession of an object pointer including the specification of a set of access rights. We associate an encryption key with each object and a password with each domain. Object pointers are stored in memory in a ciphertext form obtained by using the object key and including the value of the domain password. Each process is executed in a domain and can take advantage of a given object pointer only if this object pointer was encrypted by including the password of this domain. A set of protection primitives makes it possible to use object pointers for object reference and to control the movements of the objects across the network. The resulting protection environment is evaluated from a number of salient viewpoints, including ease of access right distribution and revocation, interprocess interaction and cooperation, protection against fraudulent actions of access right manipulation and stealing, storage overhead, and network traffic

Protection Structures in Multithreaded Systems

We consider a single-address-space system which implements a form of segmentation with paging within the framework of the multithreaded model of program execution. A salient problem of a system of this type is the definition of the set of mechanisms enforcing memory protection. We present a paradigm for the protection system design that is based on the well-known concepts of protection domains and access rights. The resulting environment guarantees an effective separation of the memory resources of the different processes, whose loosely coupled interactions correspond to explicit actions of information sharing. Within the boundaries of a single multithreaded process, a less-stringent protection requirement is to confine the consequences of a programming error in the thread that originated the error. These results are obtained by taking advantage of techniques of symmetric-key cryptography to represent access privileges in memory at the level of the single pages that form a segment

Key management in wireless sensor networks

We refer to a distributed architecture consisting of sensor nodes connected by wireless links and organized in a tree shaped hierarchy. We present a paradigm for the management of the cryptographic keys used by nodes to communicate, and we consider the problems connected with key generation, distribution, and replacement. In our paradigm, names are assigned to nodes by using a uniform scheme, which is based on the position of the given node in the node hierarchy. Each node holds a hierarchical key to communicate with its ancestors, and a level key to communicate with its siblings. A single, publicly-known parametric one-way function is used to assign hierarchical keys to nodes, in an iterative procedure that starts from the key of the root of the node hierarchy, and proceeds downwards to the lowest hierarchical levels. A similar procedure is used to generate the level keys. The total memory requirements for key storage are extremely low. The number of keys exchanged in a key replacement process is kept to a minimum. Dynamic access control is fully supported, whereby new nodes can be added to the node hierarchy, and existing nodes can be evicted from the hierarchy

Hardware support for memory protection in sensor nodes

With reference to the typical hardware configuration of a sensor node, we present the architecture of a memory protection unit (MPU) designed as a low-complexity addition to the microcontroller. The MPU is aimed at supporting memory protection and the privileged execution mode. It is connected to the system buses, and is seen by the processor as a memory-mapped input/output device. The contents of the internal MPU registers specify the composition of the protection contexts of the running program in terms of access rights for the memory pages. The MPU generates a hardware interrupt to the processor when it detects a protection violation. The proposed MPU architecture is evaluated from a number of salient viewpoints, which include the distribution, review and revocation of access permissions, and the support for important memory protection paradigms, including hierarchical contexts and protection rings

Distributed storage protection in wireless sensor networks

With reference to a distributed architecture consisting of sensor nodes connected in a wireless network, we present a model of a protection system based on segments and applications. An application is the result of the joint activities of a set of cooperating nodes. A given node can access a segment stored in the primary memory of a different node only by presenting a gate for that segment. A gate is a form of pointer protected cryptographically, which references a segment and specifies a set of access rights for this segment. Gates can be freely transmitted between nodes, thereby granting the corresponding access permissions. Two special node functionalities are considered, segment servers and application servers. Segment servers are used for inter-application communication and information gathering. An application server is used in each application to support key management and rekeying. The rekey mechanism takes advantage of key naming to cope with losses of rekey messages. The total memory requirements for key and gate storage result to be a negligible fraction of the overall memory resources of the generic network node