Slide 1: Policy-Carrying, Policy-Enforcing Digital Objects
Sandra Payette and Carl Lagoze, Cornell Digital Library Research Group
ECDL2000, Lisbon, Portugal, September 19, 2000
Slide 2: Digital Library Context
- Repositories of simple, familiar entities
- Repositories of complex, dynamic objects
Slide 3: Access Control Challenge
Enforcement of highly expressive access control policies to support the context-specific and object-specific requirements of digital libraries.
Slide 4: General-Purpose Policy Enforcement

Slide 5: Context-Specific Policy Enforcement
Slide 6: Limitations of traditional access control mechanisms
- Limited expressiveness for policies
- Fixed set of abstractions
  - objects are files, directories, etc.
  - actions are read, write, execute, etc.
- Not easily extended for complex or fine-grained policies
Slide 7: Policy Enforcement Continuum
Figure: a continuum for Digital Objects from repository-centric enforcement (general-purpose policies) to object-centric enforcement (context-specific policies).
Slide 8: Policy-Carrying, Policy-Enforcing Digital Objects: motivation
- Semantics of the policy language must parallel the behavioral semantics of real-world entities
- Secure enforcement of fine-grained, context-sensitive policies
- Extensibility for policies and enforcement mechanisms
- Support for portability and mobile computing (enforce policies on un-trusted mobile agents)
- Decentralized policy management
Slide 9: Digital Libraries: context-specific policies
- Distance Education (“Lecture object”):
  - “guests may view course syllabus and slides 1-10 of Lecture 1, but may not view the Lecture 1 video or other slides.”
  - “students may not view Lecture 2 video unless they submit assignment for Lecture 1.”
- Library digitization (“Book object”):
  - “before copyright expiration on 1/1/2002 CU students can access chapters 1-6 and CU alumni can access pages 1-20 of chapter 2; after expiration, all users can access all pages of all chapters.”
- Business Strategy (“Technology portfolio object”):
  - “managers may view product specification only after product safety report has been certified by head of R&D.”
  - “only the executive team may run the market share simulation”
Slide 10: Building on existing work
- Fedora: digital object and repository architecture (Payette and Lagoze, 1998, 2000)
- Security Automata (Schneider, 1999)
- PoET, the Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)
Slide 11: FEDORA: Digital Object Architecture
- Interoperability among heterogeneous digital objects
- Interface stability for accessing digital objects
- Extensibility of digital object behaviors
- Distribution of digital object data and executables
- Security: flexible policy enforcement for access control
- Preservation: longevity of digital objects
Slide 12: Fedora Digital Object Model
Figure labels: Disseminations, Generic interface, Data Stream (three of them), Extensible Mechanism, Encapsulated service request, Primitive Disseminator, Typed Disseminator, Internal stream.
Slide 13: Extensible Behaviors: the “Lecture” object
Figure: Content Disseminations are provided by a Lecture Mechanism (GetVideo(quality), GetSlide(seqNum), GetSyncData) and a Dublin Core mechanism (GetDCRecord, GetDCField(name)); the Lecture Data Archive holds Video-H, Video-L, slide-1 (gif), slide-2 (gif), metadata (xml), and the policies Policy-L (PSlang) and Policy-D (PSlang).
Slide 14: Security Automata
- Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained
- Policies are modeled as state transitions
- Execution Monitoring (EM)
  - Class of enforcement mechanisms that enforce policies by simulating a security automaton
  - Monitors executions upon a target (system, application, object) and prevents executions that violate policy
  - “Reference Monitors” are EM
Source: Schneider, 1999
Slide 15: Example: Simple Security Automaton
“Only authenticated Cornell users can view the lecture.”
Figure: two states, Un-authenticated user and Authenticated user; the transition Present Cornell ID leads from the first to the second. View metadata and View lecture are the monitored actions, and under this policy View lecture is a transition only out of the Authenticated state.
Slide 16: In-Line Reference Monitoring (IRM)
- Security automata simulations are merged into program object code (checks inserted before each execution)
- The application program itself becomes the reference monitor, ensuring that policy is not violated when it runs.
Source: Erlingsson and Schneider, 1999, 2000
Figure: Traditional (kernel as Reference Monitor): program executable, OS, kernel RM. Language-based security (IRM): in-lined program.
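The security automaton of slides 14 and 15, simulated by an execution monitor whose check is in-lined ahead of each method body as slide 16 describes, and extended to the “Lecture 2 video only after the Lecture 1 assignment” rule from slide 9. This is an added example, not code from the slides or from PoET; the Lecture class, its method and event names, and the state names are assumptions.

```python
# Security automaton as a transition table: (state, event) -> next state. A pair
# absent from the table is an unacceptable step and the action is refused.
# Constructed policy: metadata viewable in every state, videos need authentication,
# and the Lecture 2 video also needs the Lecture 1 assignment submitted first.
TRANSITIONS = {
    ("unauthenticated",  "GetDCRecord"):        "unauthenticated",
    ("unauthenticated",  "PresentCornellID"):   "authenticated",
    ("authenticated",    "GetDCRecord"):        "authenticated",
    ("authenticated",    "GetVideo:1"):         "authenticated",
    ("authenticated",    "SubmitAssignment:1"): "assignment1-done",
    ("assignment1-done", "GetDCRecord"):        "assignment1-done",
    ("assignment1-done", "GetVideo:1"):         "assignment1-done",
    ("assignment1-done", "GetVideo:2"):         "assignment1-done",
}

def monitored(event_of):
    """IRM-style: the automaton simulation is in-lined ahead of the method body."""
    def decorate(method):
        def wrapper(self, *args):
            event = event_of(*args)
            nxt = TRANSITIONS.get((self.state, event))
            if nxt is None:  # no transition: reject, so the body never runs
                raise PermissionError(f"{event} not permitted in state {self.state}")
            self.state = nxt
            return method(self, *args)
        return wrapper
    return decorate

class Lecture:  # hypothetical lecture object that carries and enforces its policy
    def __init__(self):
        self.state = "unauthenticated"  # automaton start state
    @monitored(lambda: "PresentCornellID")
    def present_cornell_id(self): return "authenticated"
    @monitored(lambda: "GetDCRecord")
    def get_dc_record(self): return "<dc><title>Lecture</title></dc>"
    @monitored(lambda n: f"GetVideo:{n}")
    def get_video(self, n): return f"lecture{n}-video"
    @monitored(lambda n: f"SubmitAssignment:{n}")
    def submit_assignment(self, n): return f"assignment{n}-received"

def run_trace(calls):
    """Replay a constructed (method, *args) trace; 'ok' or 'denied' per call."""
    lecture, outcomes = Lecture(), []
    for name, *args in calls:
        try:
            getattr(lecture, name)(*args)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("denied")
    return outcomes
```

A refused call leaves the automaton state unchanged, so a guest who is denied the video can still read metadata and later authenticate.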
Slide 17: Policy Enforcement Toolkit (PoET)
- Trusted program rewriter modifies Java bytecode
- Secure class loader
- Event-oriented policy language (PSLang)
Source: Erlingsson and Schneider, 1999, 2000
Figure: a policy in PSlang and the Java bytecode (class file) go into the PoET program rewriter, which produces modified bytecode (the target with the policy embedded); the secure class loader loads it into the JVM and the program runs, obeying the policy.
Slide 18: FEDORA and PoET: IRM Policy Enforcement
Figure: the Lecture object's Content Disseminations (Lecture Mechanism, Dublin Core) over the data streams Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml); an access request is served by Java bytecode in-lined at runtime with the policies Policy-L (PSlang) and Policy-D (PSlang).
Slide 19: Object structure view via client
Figure labels: Digital Object, Policy.
Slide 20: End-User View … policies enforced transparently
Slide 21: Challenges and Future Work
- Ramp up: enforcement of more complex policies, more object types
- Examine the tension between object-centric and repository-centric policy enforcement
- Mobile computing: trust schemes to support policy enforcement as objects move
- “Intentional” policies and dynamic policy binding
- Preservation application of security automata: detect unacceptable transitions
Slide 22: References: Fedora
- Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998 (Lecture Notes in Computer Science, Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html
- Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html
- Payette, Sandra and Carl Lagoze, “Policy-Carrying, Policy-Enforcing Digital Objects,” accepted by the Fourth European Conference on Research and Advanced Technology for Digital Libraries, Portugal, Springer, 2000 (Lecture Notes in Computer Science); draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps
- Payette, Sandra and Carl Lagoze, “Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone,” D-Lib Magazine, June 2000. http://www.dlib.org/dlib/june00/payette/06payette.html
Slide 23: References: Security Automata and PoET
- Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report TR98-1664, Department of Computer Science, Cornell University, July 24, 1999. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664
- Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report TR99-1758, Department of Computer Science, Cornell University, July 19, 1999. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758
- Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786