Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,

Published bySierra Daly Modified over 10 years ago

Similar presentations

Presentation on theme: "A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,"— Presentation transcript:

1 A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation, USA George Mason University, USA University of Texas, San Antonio, USA

2 Copyright © Intel Corporation, 2007 2 Outline Introduction Usage Scenario Characteristics of Multi-Domain Interactions Concept of Dynamic Attributes UCON Background EUCON Model & Components Summary

3 Copyright © Intel Corporation, 2007 3 Introduction Emergence of mobile devices & ubiquitous n/w –Anytime, Anywhere connectivity Mobility causes users to transcend domains Traditional ABAC unsuitable for dynamic env –Attributes pre-defined –Extensive a-priori agreement of attribute semantics New paradigm for modeling access control –Dynamic & Multi-domain interactions

4 Copyright © Intel Corporation, 2007 4 Usage Scenario Alice makes a purchase of $100 at Coffee Shop Coffee Shop provides a $10 credit to Alice Credit usable at multiple stores Later, Alice uses credit to purchase a book at Book Store Coffee Shop (CS) Book Shop (BS) Purchase Credit Alice

5 Copyright © Intel Corporation, 2007 5 Characteristics of Multi-Domain Interactions Subjects/Objects interact with multiple systems –E.g., Alice interacts with Coffee Shop & Book Store Information is dynamic & transcends systems –E.g., Alice acquired a credit at Coffee Shop & used it to buy a book at the Book Store Prior agreement of semantics not desirable –E.g., Coffee Shop issues credit to Alice that has to be interpreted by Book Store at authorization time; next day, Coffee Shop may issue coupon Multi-Domain Attributes Dynamic Attributes

6 Copyright © Intel Corporation, 2007 6 Concept of Dynamic Attributes Not pre-defined attributes Not attributes whose value is dynamic New-born attributes with new name-value pairs E.g., Credit was dynamically created by Coffee Shop; Book Store needs to interpret the semantics when Alice uses it to buy a book

7 Copyright © Intel Corporation, 2007 7 Usage Control Model (UCON) Background Proposed extensions to UCON -> EUCON

8 Copyright © Intel Corporation, 2007 8 Classification of EUCON Attributes Classification based on two factors –Time of attribute definition Pre-defined Attributes Dynamic Attributes –Scope of attribute definition Local Attributes Multi-Domain Attributes

9 Copyright © Intel Corporation, 2007 9 EUCON Attributes: PLA, PMA, DLA Pre-Defined Local Attributes (PLA) –Same as current notion of attributes in attribute- based access control models such as UCON Pre-Defined Multi-Domain Attributes (PMA) –A-priori agreement of attribute semantics across multiple domains Dynamic Local Attributes (DLA) –Dynamically created but interpretable within same domain –E.g., Coffee Shop could create an attribute discount that is usable at a later date at the same store

10 Copyright © Intel Corporation, 2007 10 EUCON Attributes: DMA Dynamic Multi-Domain Attributes (DMA) –New approach to model emerging usage scenarios –Attributes created on the fly and interpretable in multiple domains at authorization time –Subject & Object Attributes can be DMA E.g., Credit is a new-born subject (Alice) attribute created by the Coffee Shop. Book Store interacts with CS at run time when Alice uses it to purchase a book E.g., Alice checks in with airport security and the objects she carries gets a DMA cleared=true. Alice uses this DMA at the airline system to board

11 Copyright © Intel Corporation, 2007 11 EUCON Authorizations Rules based on subject and object attributes Pre-defined Local Authorization –Current UCON authorization Pre-defined Multi-Domain Authorization –Current authorization methods for multi-domain Dynamic Local Authorization –Construction of rules based on DLA Dynamic Multi-Domain Authorization –Construction of dynamic authorization rules by interpreting DMA –E.g., Book Store interprets credit at runtime and constructs dynamic authorization rules

12 Copyright © Intel Corporation, 2007 12 EUCON Obligations Subject pre-req before access can be granted –E.g., Alice agrees to a license before she can access whitepaper Pre-defined Local & Dynamic Obligations –Obligations on local & dynamic attributes Pre-defined Multi-Domain Obligations –Obligations interpretable across multiple domains Dynamic Multi-Domain Obligations –Obligations on DMA –Defined dynamically and interpreted at multiple domains –E.g., Before Alice can use credit at Book Store, she is obligated to engage in a transaction with another Coffee Shop within the Book Store

13 Copyright © Intel Corporation, 2007 13 EUCON Conditions System factors held before access granted Dynamic Multi-Domain Conditions –Conditions on DMA interpretable at multiple domains –E.g., Book Store could dynamically discover a condition on using credit such that current credit usage on all Coffee Shop systems is not > $1000

14 Copyright © Intel Corporation, 2007 14 Extended UCON (EUCON)

15 Copyright © Intel Corporation, 2007 15 Summary Emergence of mobile & dynamic apps Users transcend domains in mobile env. Current access control models unsuitable New paradigm for dynamic, multi-domain Proposed extensions to UCON - EUCON

16 Copyright © Intel Corporation, 2007 16 Thank You!

17 BACKUP

18 Copyright © Intel Corporation, 2007 18 Related Work Damiani, Vimercati & Samarati identify reqs –Similar to our requirements for a mobile env. –Survey extensions proposed for other models; however, our concept of DMA is different Covington & Sastry have proposed CABAC –Authorization policies based entirely on attributes –Transaction attributes defined in this work is similar to our pre-defined multi-domain attributes

19 Copyright © Intel Corporation, 2007 19 Background: Continuity & Mutability

Download ppt "A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,"

Similar presentations

Cyber-Identity, Authority and Trust in an Uncertain World

Cyber-Identity, Authority and Trust in an Uncertain World
1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.

1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
© 2004 Ravi Sandhu www.list.gmu.edu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University.

© 2004 Ravi Sandhu The Schematic Protection Model (SPM) Ravi Sandhu Laboratory for Information Security Technology George Mason University.
1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.

1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.
Attribute Mutability in Usage Control July 26, 2004, IFIP WG11.3 Jaehong Park, University of Maryland University College Xinwen Zhang, George Mason University.

Attribute Mutability in Usage Control July 26, 2004, IFIP WG11.3 Jaehong Park, University of Maryland University College Xinwen Zhang, George Mason University.
Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.

Stale-Safe Security Properties for Secure Information Sharing Ram Krishnan (GMU) Jianwei Niu (UT San Antonio) Ravi Sandhu (UT San Antonio) William Winsborough.
1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.

1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.
Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.

Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.
11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.

11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
Institute for Cyber Security

Institute for Cyber Security
1 TRANSACTION CONTROL EXPRESSIONS (TCEs) Ravi Sandhu.

1 TRANSACTION CONTROL EXPRESSIONS (TCEs) Ravi Sandhu.
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
Institute for Cyber Security

Institute for Cyber Security
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.

A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
SSL Trust Pitfalls Prof. Ravi Sandhu.

SSL Trust Pitfalls Prof. Ravi Sandhu.
Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.

Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.
A Role-Based Delegation Model and some extensions By: Ezedin S.Barka Ravi Sandhu George Mason University.

A Role-Based Delegation Model and some extensions By: Ezedin S.Barka Ravi Sandhu George Mason University.

Similar presentations

Ads by Google