
Publication


Featured research published by B. Clifford Neuman.


computer and communications security | 1993

NetCash: a design for practical electronic currency on the Internet

Gennady Medvinsky; B. Clifford Neuman

Licensing is a topic of increasing importance for software publishers and users. More and more, the magnitude of financial transfers between these two partners is determined by some electronic licensing service being part of the system on which the licensed software is running. In order to ease the use and management of such licensing schemes and to enable economic software usage in enterprise-wide computer systems through flexible and fair billing structures, various organizations are working on formulating requirements, defining architectures, and building standard interfaces for so-called license brokerage systems. The trustworthiness of these services is essential because large amounts of money can depend on them. Most of these licensing services are currently operating independently of access control and rely on proprietary and unpublished security algorithms. This paper proposes an extension of access control to integrate licensing called Stateful Access Control and it addresses some aspects of virus protection.


symposium on access control models and technologies | 2005

Adaptive trust negotiation and access control

Tatyana Ryutov; Li Zhou; B. Clifford Neuman; Travis Leithead; Kent E. Seamons

Electronic transactions regularly occur between business partners in separate security domains. Trust negotiation is an approach that provides an open authentication and access-control environment for such transactions, but it is vulnerable to malicious attacks leading to denial of service or leakage of sensitive information. This paper introduces an Adaptive Trust Negotiation and Access Control (ATNAC) framework to solve these problems. The framework combines two existing systems, TrustBuilder and GAA-API, to create a system with more flexibility and responsiveness to attack than either system currently provides.


computer and communications security | 1994

Endorsements, licensing, and insurance for distributed system services

Gennady Medvinsky; Charlie Lai; B. Clifford Neuman

Clients in a distributed system place their confidence in many servers, and servers themselves rely on other servers for file storage, authentication, authorization, and payment. When a system spans administrative boundaries it becomes harder to assess the security and competence of potential service providers. This paper examines the issue of confidence in large distributed systems. When confidence is lacking in the “real world,” one relies on endorsements, licensing, insurance, and surety bonds to compensate. We show that by incorporating such assurances into a distributed system, users are better able to evaluate the risks incurred when using a particular server. This paper describes a method to electronically represent endorsements, licenses, and insurance policies, and discusses the means by which clients use such items when selecting service providers.


policies for distributed systems and networks | 2002

The specification and enforcement of advanced security policies

Tatyana Ryutov; B. Clifford Neuman

In a distributed multi-user environment, the security policy must not only specify legitimate user privileges but also aid in the detection of the abuse of the privileges and adapt to perceived system threat conditions. This paper advocates extending authorization policy evaluation mechanisms with a means for generating audit data allowing immediate notification of suspicious application level activity. It additionally suggests that the evaluation of the policies themselves adapt to perceived network threat conditions, possibly affected by the receipt of such audit data by other processes. Such advanced policies assist in detecting and responding to intrusion and misuse and they allow more efficient utilization of security services, such as authentication, audit, and notification. We present an authorization framework, which enables the representation and enforcement of advanced security policies. Our approach is based on expanding the policy evaluation mechanism with the ability to generate real time actions, such as checking the current system threat level and sending a notification.


Internet Research | 1992

Prospero: a tool for organizing Internet resources

B. Clifford Neuman

Recent growth of the Internet has greatly increased the amount of information that is accessible and the number of resources that are available to users. To exploit this growth, it must be possible for users to find the information and resources they need. Existing techniques for organizing systems have evolved from those used on centralized systems, but these techniques are inadequate for organizing information on a global scale. This article describes Prospero, a distributed file system based on the Virtual System Model. Prospero provides tools to help users organize Internet resources. These tools allow users to construct customized views of available resources, while taking advantage of the structure imposed by others. Prospero provides a framework that can tie together various indexing services producing the fabric on which resource discovery techniques can be applied.


grid computing | 2005

Adaptive trust negotiation and access control for grids

Tatyana Ryutov; Li Zhou; B. Clifford Neuman; Noria Foukia; Travis Leithead; Kent E. Seamons

Access control in computational grids is typically provided by a combination of identity certificates and local accounts. This approach does not scale as the number of users and resources increases. Moreover, identity-based access control is not sufficient because users and resources may reside in different security domains and may not have pre-existing knowledge about one another. Trust negotiation is well-suited for grid computing because it allows participants to establish mutual trust based on attributes other than identity. The adaptive trust negotiation and access control (ATNAC) framework addresses the problem of access control in open systems by protecting itself from adversaries who may want to misuse, exhaust or deny service to resources. ATNAC is based on the GAA-API, which provides adaptive access control capturing dynamically changing system security requirements. The GAA-API utilizes TrustBuilder to establish a sufficient level of trust between the negotiating participants, based on the sensitivity of the access request and a suspicion level associated with the requester. A federated security context allows Grid participants to communicate their security appraisal and make judgments based on collective wisdom and the level of trust among them. We plan to apply ATNAC techniques to negotiation agreements in virtual organizations and P2P environments.


international conference on distributed computing systems | 2003

Integrated access control and intrusion detection for Web Servers

Tatyana Ryutov; B. Clifford Neuman; Dong-Ho Kim; Li Zhou

Current intrusion detection systems work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server. The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.


darpa information survivability conference and exposition | 2003

Dynamic authorization and intrusion response in distributed systems

Tatyana Ryutov; B. Clifford Neuman; Dong-Ho Kim

This paper presents an authorization framework for supporting fine-grained access control policies enhanced with light-weight intrusion/misuse detectors and response capabilities. The framework intercepts and analyzes access requests and dynamically adjusts security policies to prevent attackers from exploiting application level vulnerabilities. We present a practical, flexible implementation of the framework based on the Generic Authorization and Access Control API (GAA-API) that provides dynamic authorization and intrusion response capabilities for many applications. To evaluate our approach, we integrated the API with several applications, including the Apache Web server, sshd and FreeS/WAN IPsec for Linux. This paper demonstrates the integration of the GAA-API into the ssh daemon. By integrating the GAA-API into the sshd, the ssh server can support fine-grained authorization policies, dynamic policy update, and application level intrusion detection and response. The server can also enforce policies with additional functionality, e.g., time- and location-based controls. Our experiments showed that the required integration effort was moderate, and that the performance impact on the ssh server was reasonable.


mathematical methods models and architectures for network security systems | 2001

The Set and Function Approach to Modeling Authorization in Distributed Systems

Tatyana Ryutov; B. Clifford Neuman

We present a new model that provides clear and precise semantics for authorization. The semantics is independent from underlying security mechanisms and is separate from implementation. The model is capable of representing existing access control mechanisms. Our approach is based on set and function formalism. We focus our attention on identifying issues and use our model as a general basis to investigate the issues.


international conference on trust management | 2006

Multilateral decisions for collaborative defense against unsolicited bulk e-mail

Noria Foukia; Li Zhou; B. Clifford Neuman

Current anti-spam tools focus on filtering incoming e-mails. The scope of these tools is limited to local administrative domains. With such limited information, it is difficult to make accurate spam control decisions. We observe that sending servers process more information on their outgoing e-mail traffic than receiving servers do on their incoming traffic. Better spam control can be achieved if e-mail servers collaborate with one another by checking both outgoing and incoming traffic. However, the control of outgoing traffic provides little direct benefit to the sending server. Servers in different administrative domains presently have little incentive to improve spam control on other receiving servers, which hampers a move toward cross-domain collaboration. We propose a collaborative framework in which spam control decisions are drawn from the data aggregated within a group of e-mail servers across different administrative domains. The collaboration provides incentive for outgoing spam control. The servers that contribute to the control of outgoing spam are rewarded, while traffic restriction is imposed on the irresponsible servers. A Federated Security Context (FSC) is established to enable transparent negotiation of multilateral decisions among the group of collaborators without common trust. Information from trusted collaborators counts more for one's final decision compared to information from untrustworthy servers. The FSC mitigates potential threats of fake information from malicious servers. The collaborative approach to spam control is more efficient than a decision in isolation, providing dynamic identification and adaptive restriction to spam generators.

Collaboration


Dive into B. Clifford Neuman's collaborations.

Top Co-Authors

Gennady Medvinsky

University of Southern California

Tatyana Ryutov

University of Southern California

Charlie Lai

University of Southern California

Li Zhou

University of Southern California

Dong-Ho Kim

University of Southern California

Michael F. Schwartz

University of Colorado Boulder

Noria Foukia

University of Southern California

Shantaprasad Upasani

University of Southern California
