A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,

Slides:



Advertisements
Similar presentations
Cyber-Identity, Authority and Trust in an Uncertain World
Advertisements

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
© 2004 Ravi Sandhu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University.
1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.
Attribute Mutability in Usage Control July 26, 2004, IFIP WG11.3 Jaehong Park, University of Maryland University College Xinwen Zhang, George Mason University.
Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.
1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.
Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.
11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
Institute for Cyber Security
1 TRANSACTION CONTROL EXPRESSIONS (TCEs) Ravi Sandhu.
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
Institute for Cyber Security
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
SSL Trust Pitfalls Prof. Ravi Sandhu.
Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.
A Role-Based Delegation Model and some extensions By: Ezedin S.Barka Ravi Sandhu George Mason University.
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 4 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.
1 of 18 Information Access Introduction to Information Access © FAO 2005 IMARK Investing in Information for Development Information Access Introduction.
Introduction to Product Family Engineering. 11 Oct 2002 Ver 2.0 ©Copyright 2002 Vortex System Concepts 2 Product Family Engineering Overview Project Engineering.
Cultural Heritage in REGional NETworks REGNET Auction System.
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Teacher Name Class / Subject Date A:B: Write an answer here #1 Write your question Here C:D: Write an answer here.
Addition Facts
|epcc| NeSC Workshop Open Issues in Grid Scheduling Ali Anjomshoaa EPCC, University of Edinburgh Tuesday, 21 October 2003 Overview of a Grid Scheduling.
Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., All rights reserved. Chapter 2: Capacity.
Cloud Computing for Education & Cloud Learning Minjuan Wang to BT Research Center (Abu Dhabi) Educational Technology San Diego State University
© S Haughton more than 3?
Twenty Questions Subject: Twenty Questions
New EU Rules on Derivatives Trading The EMIR Reporting Technical Standards Victoria Cooley OTC Derivatives & Post Trade Policy Financial Conduct Authority.
AIM Operational Concept
Linking Verb? Action Verb or. Question 1 Define the term: action verb.
Past Tense Probe. Past Tense Probe Past Tense Probe – Practice 1.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
Executional Architecture
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Addition 1’s to 20.
25 seconds left…...
Test B, 100 Subtraction Facts
Week 1.
1 Lesson 15 Evaluating Electronic Information Computer Concepts BASICS 4 th Edition Wells.
Reporting Systems and OLAP Chapter Extension 13. ce13-2 Study Questions Q1: How do reporting systems enable people to create information? Q2: What are.
Microsoft Volume Licensing
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.
INSTITUTE FOR CYBER SECURITY A Hybrid Enforcement Model for Group-Centric Secure Information Sharing (g-SIS) Co-authored with Ram Krishnan, PhD Candidate,
A Conceptual Framework for Group-Centric Secure Information Sharing Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough.
1 Usage Control (UCON) or ABAC on Steroids Prof. Ravi Sandhu Executive Director and Endowed Chair February 26, 2016
Assured Information Sharing
Presentation transcript:

A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation, USA George Mason University, USA University of Texas, San Antonio, USA

Copyright © Intel Corporation, Outline Introduction Usage Scenario Characteristics of Multi-Domain Interactions Concept of Dynamic Attributes UCON Background EUCON Model & Components Summary

Copyright © Intel Corporation, Introduction Emergence of mobile devices & ubiquitous n/w –Anytime, Anywhere connectivity Mobility causes users to transcend domains Traditional ABAC unsuitable for dynamic env –Attributes pre-defined –Extensive a-priori agreement of attribute semantics New paradigm for modeling access control –Dynamic & Multi-domain interactions

Copyright © Intel Corporation, Usage Scenario Alice makes a purchase of $100 at Coffee Shop Coffee Shop provides a $10 credit to Alice Credit usable at multiple stores Later, Alice uses credit to purchase a book at Book Store Coffee Shop (CS) Book Shop (BS) Purchase Credit Alice

Copyright © Intel Corporation, Characteristics of Multi-Domain Interactions Subjects/Objects interact with multiple systems –E.g., Alice interacts with Coffee Shop & Book Store Information is dynamic & transcends systems –E.g., Alice acquired a credit at Coffee Shop & used it to buy a book at the Book Store Prior agreement of semantics not desirable –E.g., Coffee Shop issues credit to Alice that has to be interpreted by Book Store at authorization time; next day, Coffee Shop may issue coupon Multi-Domain Attributes Dynamic Attributes

Copyright © Intel Corporation, Concept of Dynamic Attributes Not pre-defined attributes Not attributes whose value is dynamic New-born attributes with new name-value pairs E.g., Credit was dynamically created by Coffee Shop; Book Store needs to interpret the semantics when Alice uses it to buy a book

Copyright © Intel Corporation, Usage Control Model (UCON) Background Proposed extensions to UCON -> EUCON

Copyright © Intel Corporation, Classification of EUCON Attributes Classification based on two factors –Time of attribute definition Pre-defined Attributes Dynamic Attributes –Scope of attribute definition Local Attributes Multi-Domain Attributes

Copyright © Intel Corporation, EUCON Attributes: PLA, PMA, DLA Pre-Defined Local Attributes (PLA) –Same as current notion of attributes in attribute- based access control models such as UCON Pre-Defined Multi-Domain Attributes (PMA) –A-priori agreement of attribute semantics across multiple domains Dynamic Local Attributes (DLA) –Dynamically created but interpretable within same domain –E.g., Coffee Shop could create an attribute discount that is usable at a later date at the same store

Copyright © Intel Corporation, EUCON Attributes: DMA Dynamic Multi-Domain Attributes (DMA) –New approach to model emerging usage scenarios –Attributes created on the fly and interpretable in multiple domains at authorization time –Subject & Object Attributes can be DMA E.g., Credit is a new-born subject (Alice) attribute created by the Coffee Shop. Book Store interacts with CS at run time when Alice uses it to purchase a book E.g., Alice checks in with airport security and the objects she carries gets a DMA cleared=true. Alice uses this DMA at the airline system to board

Copyright © Intel Corporation, EUCON Authorizations Rules based on subject and object attributes Pre-defined Local Authorization –Current UCON authorization Pre-defined Multi-Domain Authorization –Current authorization methods for multi-domain Dynamic Local Authorization –Construction of rules based on DLA Dynamic Multi-Domain Authorization –Construction of dynamic authorization rules by interpreting DMA –E.g., Book Store interprets credit at runtime and constructs dynamic authorization rules

Copyright © Intel Corporation, EUCON Obligations Subject pre-req before access can be granted –E.g., Alice agrees to a license before she can access whitepaper Pre-defined Local & Dynamic Obligations –Obligations on local & dynamic attributes Pre-defined Multi-Domain Obligations –Obligations interpretable across multiple domains Dynamic Multi-Domain Obligations –Obligations on DMA –Defined dynamically and interpreted at multiple domains –E.g., Before Alice can use credit at Book Store, she is obligated to engage in a transaction with another Coffee Shop within the Book Store

Copyright © Intel Corporation, EUCON Conditions System factors held before access granted Dynamic Multi-Domain Conditions –Conditions on DMA interpretable at multiple domains –E.g., Book Store could dynamically discover a condition on using credit such that current credit usage on all Coffee Shop systems is not > $1000

Copyright © Intel Corporation, Extended UCON (EUCON)

Copyright © Intel Corporation, Summary Emergence of mobile & dynamic apps Users transcend domains in mobile env. Current access control models unsuitable New paradigm for dynamic, multi-domain Proposed extensions to UCON - EUCON

Copyright © Intel Corporation, Thank You!

BACKUP

Copyright © Intel Corporation, Related Work Damiani, Vimercati & Samarati identify reqs –Similar to our requirements for a mobile env. –Survey extensions proposed for other models; however, our concept of DMA is different Covington & Sastry have proposed CABAC –Authorization policies based entirely on attributes –Transaction attributes defined in this work is similar to our pre-defined multi-domain attributes

Copyright © Intel Corporation, Background: Continuity & Mutability

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.