Access and Usage Control in Grid

Grid is a computational environment where heterogeneous resources are virtualized and outsourced to multiple users across the Internet. The increasing popularity of the resources visualization is explained by the emerging suitability of such technology for automated execution of heavy parts of business and research processes. Efficient and flexible framework for the access and usage control over Grid resources is a prominent challenge. The primary objective of this thesis is to design the novel access and usage control model providing the fine-grained and continuous control over computational Grid resources. The approach takes into account peculiarities of Grid: service-oriented architecture, long-lived interactions, heterogeneity and distribution of resources, openness and high dynamics. We tackle the access and usage control problem in Grid by Usage CONtrol (UCON) model, which presents the continuity of control and mutability of authorization information used to make access decisions. Authorization information is formed by attributes of the resource requestor, the resource provider and the environment where the system operates. Our access and usage control model is considered on three levels of abstraction: policy, enforcement and implementation. The policy level introduces security policies designed to specify the desired granularity of control: coarse-grained policies that manages access and usage of Grid services, and fine-grained policies that monitor the usage of underlying resources allocated for a particular Grid service instance. We introduce U-XACML and exploit POLPA policy languages to specify and formalize security policies. Next, the policy level presents attribute management models. Trust negotiations are applied to collect a set of attributes needed to produce access decisions. In case of mutable attributes, a risk-aware access and usage control model is given to approximate the continuous control and timely acquisition of fresh attribute values. The enforcement level presents the architecture of the state-full reference monitor designed to enforce security policies on coarse- and fine-grained levels of control. The implementation level presents a proof-of-concept realization of our access and usage control model in Globus Toolkit, the most widely used middleware to setup computational Grids

An Implementation of Role-Base Trust Management Extended with Weights on Mobile Devices

AbstractThis paper describes the implementation of a library for the management and evaluation of Role-based Trust Management (RT) credentials and policies written in RTML, also extended with weights, in mobile devices. In particular, it describes the implementation of the library in J2ME. It is worth noticing, that RTML credentials are XML-like documents and thus the capability of porting these features on mobile devices makes the overall framework very interoperable with other RT frameworks (as for GRID systems). As policy language, we use actually a variant of RTML, whose policies are added with weights and are able to express quantitative experience-based notions of trust. It allow also to encode certain reputation and recommendation models. The obtained results show how the implementation on mobile devices is feasible and the running time acceptable for several applications

Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties

In Usage CONtrol (UCON) access decisions relyon mutable attributes. A reference monitor should re-evaluatesecurity policies each time attributes change their values. Identifyingall attribute changes in a timely manner is a challengingissue, especially if the attribute provider and the referencemonitor reside in different security domains. Some attributechanges might be missed, corrupted, and delayed. As a result,the reference monitor may erroneously grant access to malicioususers and forbid it for eligible ones.This paper proposes a set of policy enforcement modelswhich help to mitigate the uncertainties associated with mutableattributes. In our model the reference monitor, as usual, evaluateslogical predicates over attributes and, additionally, makes someestimates on how much observed attribute values differ from thereal state of the world. The final access decision takes into accountboth factors. We assign costs for granting and revoking access tolegitimate and malicious users and compare the proposed policyenforcement models in terms of cost-efficiency

Usage Control, Risk and Trust

Abstract. In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID services level enforcement of UCON as well as fine-grained one at the level of local GRID node resources. In addition, next to the classical checks for usage control: checks of conditions, authorizations, and obligations, the framework also includes trust and risk management functionalities. Indeed, we show how trust and risk issues naturally arise when considering usage control in GRID systems and services and how our architecture is flexible enough to accommodate both notions in a pretty uniform way

A prototype for Enforcing Usage Control Policies Based on XACML

The OASIS XACML standard emerged as a pure declarative language allowing to express access control. Later, it was enriched with the concept of obligations which must be carried out when the access is granted or denied. In our previous work, we presented U-XACML, an extension of XACML that allows to express Usage Control (UCON). In this paper we propose an architecture for the enforcement of U-XACML, a model for retrieving mutable attributes, and a proof-of-concept implementation of the authorization framework based on web-services

Influence of Attribute Freshness on Decision Making in Usage Control

The usage control (UCON) model demands for continuous control over objects of a system. Access decisions are done several times within a usage session and are performed on the basis of mutable attributes. Values of attributes in modern highly-dynamic and distributed systems sometimes are not up-to-date, because attributes may be updated by several entities and reside outside the system domain. Thus, the access decisions about a usage session are made under uncertainties, while existing usage control approaches are based on the assumption that all attributes are up-to-date. In this paper we propose an approach which helps to make a rational access decision even if some uncertainty presents. The proposed approach uses the continuous-time Markov chains (CTMC) in order to compute the probability of unnoticed changes of attributes and risk analysis for making a decision

Cost-effective enforcement of UCON policies

In Usage CONtrol (UCON) access decisions rely on mutable attributes. A reference monitor should re-evaluate security policies each time when attributes change their values. Catching timely all attribute changes is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attribute changes might be missed, corrupted, and delayed. As a result, the reference monitor may erroneously grant the access to malicious users and forbid it for eligible users. This paper proposes a set of policy enforcement models which help to tolerate uncertainties associated with mutable attributes. In our model the reference monitor as usually evaluates logical predicates over attributes and additionally makes some estimates on how much observed attribute values differ from the real state of the world. The final access decision counts both factors. We assign monetary outcomes for granting and revoking access to legitimate and malicious users and compare the proposed policy enforcement models in terms of cost-efficiency

Usage Control in Cloud Systems

Cloud system peculiarities, such as enormous resources and long-lasting accesses, introduce new security and management challenges. This paper presents an advanced authorization framework based on the Usage Control (UCON) model and the OASIS XACML standard to regulate the usage of Cloud resources. Our framework addresses the issue of long lasting accesses and it is able to interrupt accesses that are in progress when the corresponding access rights do not hold any more. We provide the implementation of our framework and its integration with the OpenNebula toolkit

Extending Security-by-Contract with Quantitative Trust on Mobile Devices

Security-by-Contract (S?C) is a novel paradigm providing security assurances for mobile applications. In this work, we present an extension of S?C enriched with an au- tomatic trust management infrastructure. Indeed, we enhance the already existing architecture by adding new modules and configurations for contracts managing. At deploy-time, our system decides the run-time configuration depending on the credentials of the contract provider. Roughly, the run-time environment can both enforce a security policy and monitor the declared contract. According to the actual behaviour of the running program our architecture updates the trust level associated with the contract provider. The main advantage of this method is an automatic management of the level of trust of software and contract releaser

Enabling Data Sharing in Contextual Environments

Internet of Things environments enable us to capture more and more data about the physical environment we live in and about ourselves. The data enable us to optimise resources, personalise services and offer unprecedented insights into our lives. However, to achieve these insights data need to be shared (and sometimes sold) between organisations imposing rights and obligations upon the sharing parties and in accordance with multiple layers of sometimes conflicting legislation at international, national and organisational levels. In this work, we show how such rules can be captured in a formal representation called "Data Sharing Agreements". We introduce the use of abductive reasoning and argumentation based techniques to work with context dependent rules, detect inconsistencies between them, and resolve the inconsistencies by assigning priorities to the rules. We show how through the use of argumentation based techniques use-cases taken from real life application are handled flexibly addressing trade-offs between confidentiality, privacy, availability and safety