
Controlling Collaborative Systems -Srinivas Krishnan Dept of Computer Science UNC-Chapel Hill.


1 Controlling Collaborative Systems - Srinivas Krishnan, Dept of Computer Science, UNC-Chapel Hill

2 Collaborative Systems: Shared Resource, Access Control

3 Requirements for Access Control Systems: The access control operations must be idempotent. Scalability: need to support N users, as well as distributed resources. Preferred goals: transparency; ease of administration.

4 Requirements for Access Control Systems: Access control systems are built in layers: Permissions, Notifications, Audit.

5 Access Matrix: Access is specified on a per-object basis. Each user is given certain permissions. To scale this further, Access Control Lists are used. Systems that use AMs: Grove, RTCAL (central admin provides the permissions to all objects).

6 ACL and CCL: Access Control Matrices are linked together to form ACLs for each object. Capability Lists are the opposite of ACLs, where users maintain which objects they have access to. [Diagram labels: ACL; CCL]

7 Pros and Cons of ACLs: Easy to implement and maintain. Dynamic changing of rights is hard. Needs knowledge of each user's needs beforehand, which is not always possible in a collaborative environment. Also, each user/object needs to be explicitly given permissions.

8 Role Based Access Control (Sandhu et al): Permissions are assigned to roles. User authenticates in a 2-step process. [Diagram labels: Users; Roles; Request Role; Permissions; Resources]

9 RBAC (cont): Notion of a session, bound to a single user accessing the resource and the roles he needs. Needs a policy in place generic enough to accommodate all accesses. Did not allow for migration of roles within a single session.

10 Spatial Access Control: Divides the collaborative environment into spaces. [Diagram: a collaborative environment containing several collaborative environment spaces]

11 Spatial Access Control: Uses an access graph to allow for traversal between the various spaces. Further, we can provide constraints on movement from space to space. [Diagram labels: Space A; Space B; Space C; User1; User2]

12 [Diagram labels: Test Setting; Taking the Test; Correction; Results; Professor; Student; Professor]

13 Implementation Issues: The order of updates and notifications matters. Cannot depend on a global clock to be synchronized. [Diagram labels: Permissions; Give Access to Bob (Op1); Remove Access to Bob (Op2)]

14 Solution for Order of Updates: Most fine-grained locking operations require “Total-Ordering”. [Diagram labels: Perform Operation; Check Update Counter; Remote Counter > Local; < Local; Adopt Remote Counter; X; =]
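The ordering problem from slides 13 and 14, as an added example that is not part of the original presentation: two replicas receive Op1 (give access to Bob) and Op2 (remove access to Bob) in opposite orders and still converge. The names `Update` and `Replica`, the per-(user, resource) newest-stamp-wins rule and the site-id tie-break are assumptions made for this sketch, not details taken from the slides.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Update:
    counter: int      # logical counter assigned by the issuing site
    site: str         # issuing site id, used only to break ties (assumption)
    user: str
    resource: str
    grant: bool       # True = give access, False = remove access

@dataclass
class Replica:
    name: str
    counter: int = 0
    # (user, resource) -> (stamp, grant) of the newest update applied so far
    acl: dict = field(default_factory=dict)

    def issue(self, user, resource, grant):
        # Stamp a local permission change with the next counter value.
        self.counter += 1
        upd = Update(self.counter, self.name, user, resource, grant)
        self.receive(upd)
        return upd

    def receive(self, upd):
        # No global clock: adopt the remote counter if it is ahead of ours.
        self.counter = max(self.counter, upd.counter)
        key, stamp = (upd.user, upd.resource), (upd.counter, upd.site)
        current = self.acl.get(key)
        if current is not None and stamp <= current[0]:
            return False          # older or duplicate update: discard it
        self.acl[key] = (stamp, upd.grant)
        return True

    def allowed(self, user, resource):
        entry = self.acl.get((user, resource))
        return entry is not None and entry[1]

def demo():
    admin, r1, r2 = Replica("admin"), Replica("r1"), Replica("r2")
    op1 = admin.issue("bob", "doc", True)    # Op1: give access to Bob
    op2 = admin.issue("bob", "doc", False)   # Op2: remove access to Bob
    for upd in (op1, op2):                   # r1 sees Op1 then Op2
        r1.receive(upd)
    results = [r2.receive(upd) for upd in (op2, op1)]  # r2 sees them reversed
    return r1.allowed("bob", "doc"), r2.allowed("bob", "doc"), results
```

Because a stale or repeated update is discarded rather than re-applied, delivery is also idempotent, which is the first requirement listed on slide 3.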

15 Fine-Grained Access Control: Traditional modes do not scale too well for N users needing dynamic rights. Fast provision of permissions. Optimistic locks and access control can provide native performance.

16 Optimistic Control: “Make the user ask forgiveness not permission”. A similar system exists in UNIX with sudo. However, changes are permanent. [Diagram labels: Resource; John; Everyday access; John; Move Resource; Fire in Building; Access Denied]

17 Optimistic Access Control: Needs different points of entry. [Diagram labels: Resource; Access Control; Audit; Normal Entry; Elevated Entry]

18 Optimistic Control [Diagram labels: Guaranteed Protection; No Protection; Transaction; New State; Compensating]

19 Auditing Optimism: Verification classes. Integrity rules must be verified at all times. [Diagram labels: Resource; Transaction; Compensation; Verify; Users]

20 Simple Optimistic Access Control [Diagram labels: Logger; File; Auth Modules; Transaction Checker; Write to File; PTPLOG; Verify Log]
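The optimistic scheme of slides 16 to 20, as an added example that is not code from the presentation: a normal entry that enforces the ACL, an elevated entry that lets the change through but records it for audit, integrity rules checked on both paths, and a compensating transaction when the auditor rejects the change. The class `OptimisticGuard`, its method names and the snapshot-based undo are assumptions of this sketch; a snapshot restore also discards any later changes, which a real system would have to handle.

```python
import copy

class OptimisticGuard:  # normal entry enforces the ACL; elevated entry defers to audit
    def __init__(self, state, acl, rules):
        self.state, self.acl, self.rules = state, acl, rules
        self.audit = []  # append-only trail of every attempted transaction

    def _log(self, user, action, elevated, reason, applied, undo=None):
        self.audit.append({"user": user, "action": action, "elevated": elevated,
                           "reason": reason, "applied": applied, "undo": undo})
        return applied

    def _restore(self, snapshot):
        self.state.clear()
        self.state.update(copy.deepcopy(snapshot))

    def _run(self, user, action, change, elevated, reason):
        before = copy.deepcopy(self.state)
        change(self.state)
        if not all(rule(self.state) for rule in self.rules):
            self._restore(before)  # integrity rules hold on every entry point
            return self._log(user, action, elevated, reason, False)
        return self._log(user, action, elevated, reason, True, before if elevated else None)

    def normal_entry(self, user, action, change):
        if action not in self.acl.get(user, set()):
            return self._log(user, action, False, None, False)  # access denied
        return self._run(user, action, change, False, None)

    def elevated_entry(self, user, action, change, reason):
        return self._run(user, action, change, True, reason)

    def review(self, index, justified):
        entry = self.audit[index]  # auditor verdict on one logged transaction
        if justified or entry["undo"] is None:
            return False
        self._restore(entry["undo"])  # compensating transaction
        entry["undo"] = None
        return self._log("auditor", "compensate:" + entry["action"], False, None, True)

def demo():  # constructed scenario: John, a move, a fire in the building
    guard = OptimisticGuard({"location": "room-1", "owner": "lab"},
                            {"john": {"read"}}, [lambda s: s["owner"] == "lab"])
    move = lambda s: s.update(location="car-park")
    denied = guard.normal_entry("john", "move", move)
    moved = guard.elevated_entry("john", "move", move, "fire in building")
    bad = guard.elevated_entry("john", "chown", lambda s: s.update(owner="john"), "fire")
    undone = guard.review(1, justified=False)
    return denied, moved, bad, undone, guard.state["location"], len(guard.audit)
```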

21 Case-Study: P2P Collaborative Systems. MOTION: provides access control in a P2P environment. No centralized access control. Scalability: N users, N auth modules. Dynamic entry and exit of users. Role Based Access Control: L1 peer and L2 peer; L1 peers protect resources.

22 Architecture

23 Improving Motion

24 Summary: Access control is essential for maintaining a secure collaborative environment. Access control can introduce lag and degrade a user's experience. Optimistic access control algorithms can be used to allow users to experience native performance.

25 References:
Tolone, W., Ahn, G., Pai, T., and Hong, S. 2005. Access control in collaborative systems. ACM Comput. Surv. 37, 1 (Mar. 2005), 29-41.
Povey, D. 2000. Optimistic security: a new access control paradigm. In Proceedings of the 1999 Workshop on New Security Paradigms (Caledon Hills, Ontario, Canada, September 22-24, 1999). NSPW '99. ACM Press, New York, NY, 40-45.
Sun, C. "Optional and Responsive Fine-Grain Locking in Internet-Based Collaborative Systems," IEEE Transactions on Parallel and Distributed Systems, vol. 13, no. 9, pp. 994-1008, September 2002.
Fenkam, P.; Dustdar, S.; Kirda, E.; Reif, G.; Gall, H., "Towards an access control system for mobile peer-to-peer collaborative environments," Enabling Technologies: Infrastructure for Collaborative Enterprises, 2002. WET ICE 2002. Proceedings. Eleventh IEEE International Workshops on, pp. 95-100, 2002.
Strom, R.; Banavar, G.; Miller, K.; Prakash, A.; Ward, M., "Concurrency control and view notification algorithms for collaborative replicated objects," Computers, IEEE Transactions on, vol. 47, no. 4, pp. 458-471, Apr 1998.

26 Questions?

