Publication


Featured research published by Aliaksandr Lazouski.


Computer Science Review | 2010

Survey: Usage control in computer security: A survey

Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori

Protecting access to digital resources is one of the fundamental problems recognized in computer security. As yet it remains a challenging problem to work out, starting from the design of a system until its implementation. Access control is defined as the ability to permit or deny access to a particular resource (object) by a particular entity (subject). Three most widely used traditional access control models are: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). Traditional access control solutions do not respond adequately to new challenges addressed by modern computer systems. Today highly distributed, network-connected, heterogeneous and open computing environment requires a fine-grained, flexible, persistent and continuous model for protecting the access and usage of digital resources. This paper surveys the literature on Usage Control (UCON) model proposed by Park and Sandhu (2002) [1], Park (2003) [2] and Zhang (2006) [3]. Usage control is a novel and promising approach for access control in open, distributed, heterogeneous and network-connected computer environments. It encompasses and enhances traditional access control models, Trust Management (TM) and Digital Rights Management (DRM), and its main novelties are mutability of attributes and continuity of access decision evaluation.


Complex, Intelligent and Software Intensive Systems | 2010

Extending Security-by-Contract with Quantitative Trust on Mobile Devices

Gabriele Costa; Aliaksandr Lazouski; Fabio Martinelli; Fabio Massacci; Ilaria Matteucci

Security-by-Contract (SxC) is a paradigm providing security assurances for mobile applications. In this work, we present an extension of SxC enriched with an automatic trust management infrastructure. Indeed, we enhance the already existing architecture by adding new modules and configurations for contracts managing. At deploy-time, our system decides the run-time configuration depending on the credentials of contract provider. Roughly, the run-time environment can both enforce a security policy and monitor the declared contract. According to the actual behaviour of the running program our architecture updates the trust level associated with the contract provider. The main advantage of this method is an automatic management of the level of trust of software and contract releasers.


International Conference on Internet Monitoring and Protection | 2010

Risk-Aware Usage Decision Making in Highly Dynamic Systems

Leanid Krautsevich; Aliaksandr Lazouski; Fabio Martinelli; Artsiom Yautsiukhin

Usage control model (UCON) is based on the idea that attributes required for decision-making can be changed over a period of usage. Since it is not always possible to get a fresh and trustworthy value of attributes, a decision has to be made with some uncertainties in mind. Moreover, modern systems become more distributed and dynamic and this evolution aggravates the problem. Such a trend demands solutions capable of working with imprecise values. Our study concerns analysis of risks to make access decision of usage control more credible. We consider the risks associated with imperfect mechanisms collecting information about an authorization context. To cope with these risks we introduce our approach based on Markov chains, which aims to help in making a decision to allow further access or to deny it. The proposed approach could be useful for designers of the policy enforcement engines based on the UCON model.


International Journal of Information Security | 2009

Enhancing grid security by fine-grained behavioral control and negotiation-based authorization

Hristo Koshutanski; Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori

Nowadays, Grid has become a leading technology in distributed computing. Grid poses a seamless sharing of heterogeneous computational resources belonging to different domains and conducts efficient collaborations between Grid users. The core Grid functionality defines computational services which allocate computational resources and execute applications submitted by Grid users. The vast models of collaborations and openness of Grid system require a secure, scalable, flexible and expressive authorization model to protect these computational services and Grid resources. Most of the existing authorization models for Grid have granularity to manage access to service invocations while behavioral monitoring of applications executed by these services remains a responsibility of a resource provider. The resource provider executes an application under a local account, and acknowledges all permissions granted to this account to the application. Such an approach poses serious security threats to breach system functionality since applications submitted by users could be malicious. We propose a flexible and expressive policy-driven credential-based authorization system to protect Grid computational services against a malicious behavior of applications submitted for the execution. We split an authorization process into two levels: a coarse-grained level that manages access to a computational service; and a fine-grained level that monitors the behavior of applications executed by the computational service. Our framework guarantees that users authorized on a coarse-grained level behave as expected on the fine-grained level. Credentials obtained on the coarse-grained level reflect on fine-grained access decisions. The framework defines trust negotiations on coarse-grained level to overcome scalability problem, and preserves privacy of credentials and security policies of both Grid users and providers. Our authorization system was implemented to control access to the Globus Computational GRAM service. A comprehensive performance evaluation shows the practical scope of the proposed system.


Future Generation Computer Systems | 2016

Usage Control on Cloud systems

Enrico Carniani; Davide D'Arenzo; Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori

Cloud system peculiarities, such as enormous resources and long-lasting accesses, introduce new security and management challenges. This paper presents an advanced authorization framework based on the Usage Control (UCON) model and the OASIS XACML standard to regulate the usage of Cloud resources. Our framework addresses the issue of long lasting accesses and it is able to interrupt accesses that are in progress when the corresponding access rights do not hold any more. We provide the implementation of our framework and its integration with the OpenNebula toolkit.


Parallel, Distributed and Network-Based Processing | 2010

Risk-Based Usage Control for Service Oriented Architecture

Leanid Krautsevich; Aliaksandr Lazouski; Fabio Martinelli; Artsiom Yautsiukhin

In Service Oriented Architecture (SOA) data belonging to a client (data provider) is often processed by a provider (data consumer). During this processing the data can be compromised. A client wants to be sure that its data is used in the least risky way while it is under the provider’s control. The risk level should be low when access to the data is granted and should remain low during the whole interaction and, maybe, some time after. Therefore, a client has to consider closely various providers and decide which one provides the service with the smallest risk. More importantly, the risk has to be constantly recomputed after granting the access to the data, i.e., usage of data must be controlled. In this work we propose a method to empower usage control with a risk-based decision making process for more efficient and flexible control of access to data. Employing this idea we show how to select a service provider using risk, re-evaluate the risk level when some changes have happened and how to improve an infrastructure in order to reduce the risk level.


Trust and Privacy in Digital Business | 2012

A Prototype for Enforcing Usage Control Policies Based on XACML

Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori

The OASIS XACML standard emerged as a pure declarative language allowing to express access control. Later, it was enriched with the concept of obligations which must be carried out when the access is granted or denied. In our previous work, we presented U-XACML, an extension of XACML that allows to express Usage Control (UCON). In this paper we propose an architecture for the enforcement of U-XACML, a model for retrieving mutable attributes, and a proof-of-concept implementation of the authorization framework based on web-services.


Trust and Privacy in Digital Business | 2010

Usage control, risk and trust

Leanid Krautsevich; Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori; Artsiom Yautsiukhin

In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID services level enforcement of UCON as well as fine-grained one at the level of local GRID node resources. In addition, next to the classical checks for usage control: checks of conditions, authorizations, and obligations, the framework also includes trust and risk management functionalities. Indeed, we show how trust and risk issues naturally arise when considering usage control in GRID systems and services and how our architecture is flexible enough to accommodate both notions in a pretty uniform way.


Computational Sciences and Optimization | 2009

On Usage Control for GRID Services

Maurizio Colombo; Fabio Martinelli; Paolo Mori; Aliaksandr Lazouski

In recent years, usage control has been proposed as a novel authorization solution for open, heterogeneous, distributed computer environments. Grid is such an environment, providing services for seamless sharing and usage of heterogeneous computational resources. Research has shown that usage control is a viable solution for authorization in Grid. Unfortunately, the implementation of continuous usage control for Grid services is not widely presented. In this paper, we present a usage control model and focus on continuous control over Grid services. If a security policy is violated during a service execution, the service should be blocked or terminated. Our approach presents different levels of granularity and enforces coarse and fine-grained usage control on generic and computational Grid services. Furthermore, we present an implementation of our prototype based on POLPA policy language and its reasoning authorization engine integrated into Grid services runtime component of Globus Toolkit. Our prototype is facilitated through implementation of service interfaces compliant with OGSA standard and can be easily plugged in to existing Globus authorization infrastructure.


IEEE Symposium on Security and Privacy | 2014

Architecture, Workflows, and Prototype for Stateful Data Usage Control in Cloud

Aliaksandr Lazouski; Gaetano Mancini; Fabio Martinelli; Paolo Mori

This paper deals with the problem of continuous usage control of multiple copies of data objects in distributed systems. This work defines an architecture, a set of workflows, a set of policies and an implementation for the distributed enforcement. The policies, besides including access and usage rules, also specify the parties that will be involved in the decision process. Indeed, the enforcement requires collaboration of several entities because the access decision might be evaluated on one site, enforced on another, and the attributes needed for the policy evaluation might be stored in many distributed locations.

Collaboration



Top Co-Authors

Massimo Coppola

Istituto di Scienza e Tecnologie dell'Informazione


Patrizio Dazzi

Istituto di Scienza e Tecnologie dell'Informazione
