Publication


Featured research published by Richard Hayton.


IEEE Symposium on Security and Privacy | 1998

Access control in an open distributed environment

Richard Hayton; Jean Bacon; Ken Moody

We describe an architecture for secure, independent, interworking services (Oasis). Each service is made responsible for the classification of its clients into named roles, using a formal logic to specify precise conditions for entering each role. A client becomes authenticated by presenting credentials to a service that enable the service to prove that the client conforms to its policy for entry to a particular role. During authentication a data structure is created that embodies the proof. An authenticated client is issued a role membership certificate (RMC) for its subsequent use with that service. An RMC is an encryption-protected capability which includes the role name, the identity of the principal to which it was issued and a reference to the issuing service. A proof rule of one service may refer to an authenticated user of another; that is, an RMC issued by one service may be required as a credential during authentication by another. A dynamic proof tree may thus be built which exhibits amongst other things the trust relationships between the services which the client has entered. The paper shows how a service may define a set of proof rules (Horn clauses) that specify who may use it and in what way. Delegation of rights may be expressed naturally within these rules. It goes on to present the design details of the system. The system is inherently decentralised and has a tuneable reaction to network or server failure which allows services to make appropriate decisions when authorization or revocation information is unavailable. A prototype system has been implemented and tested.


ACM SIGOPS European Workshop | 1998

FlexiNet—a flexible component oriented middleware system

Richard Hayton; Andrew Herbert; Douglas I. Donaldson

The FlexiNet Platform is a Java middleware platform that features a component based internal structure with strong emphasis placed on reflection and introspection at all levels. This allows programmers to tailor the platform for a particular application domain or deployment scenario by assembling strongly typed components. In this paper we give an overview of the FlexiNet architecture, highlighting how its approach differs from other middleware architectures, and illustrate the benefits that result from the new approach.


Second International Workshop on Services in Distributed and Networked Environments | 1995

Using events to build distributed applications

Jean Bacon; John Bates; Richard Hayton; Ken Moody

We have extended an Interface Definition Language to handle event registration and notification. Clients register interest in specified classes of events and servers then notify them of any occurrence asynchronously. Event occurrences are identified by parameters which conform to IDL typing constraints and can therefore be used in synchronous method invocations. Methods to handle registration and notification are generic and can be inherited by objects of any class: as a by-product of IDL processing the stubs to handle event creation and decoding are generated automatically. We have implemented a prototype composite event recogniser based on non-deterministic finite state machines. Initial experience with this prototype is encouraging.


ACM SIGOPS European Workshop | 1996

Using events to build large scale distributed applications

Richard Hayton; Jean Bacon; John Bates; Ken Moody

We have extended an Interface Definition Language to handle event registration and notification. Clients register interest in specified classes of events, and servers then notify them of any occurrence asynchronously. Event occurrences are identified by parameters which conform to IDL typing constraints and can therefore be used in synchronous method invocations. Methods to handle registration and notification are generic and can be inherited by objects of any class: as a by-product of IDL processing the stubs to handle event creation and decoding are generated automatically. We have implemented a prototype composite event recogniser based on nested finite state machines and have defined an event algebra and language to specify composite events. The approach is inherently scalable in that only events in which an interest has been registered are notified. Alternative approaches lead to polling, mining for event data or being flooded with superfluous events.


ACM SIGOPS European Workshop | 1996

An open architecture for secure interworking services

Richard Hayton; Ken Moody

There is a developing need for applications and distributed services to cooperate or inter-operate. Current mechanisms can hide the heterogeneity of host operating systems and abstract the issues of distribution and object location. However, in order for systems to inter-operate securely there must also be ways to hide differences in security policies, or at least to support negotiation between them. Other proposals for the interworking of security mechanisms have focussed on the enforcement of access policy at the expense of flexibility of expression of policy. This work describes a new architectural approach to security. The key idea is that a process is the universal client entity; a process may act on behalf of an identified individual as in traditional security schemes. More generally, a process may adopt an application-specific name or role, and this is used as the basis for authentication in Oasis. A service may then be written in terms of service-specific categories of clients, decoupled from the mechanisms used to specify and enforce access control policy. This approach allows great flexibility when integrating a number of services, and reduces the mismatch of policies that is common in heterogeneous systems. In addition, Oasis services may be integrated with alternative authentication and access control schemes, providing a truly open architecture. A flexible security definition is meaningless if not backed by a robust and efficient implementation. Oasis has been fully implemented, and is inherently distributed and scalable. In this paper we describe the general approach then concentrate on revocation, where security designs are most often criticised. Oasis is unique in supporting the rapid and selective revocation of privileges which can cascade between services and organisations.


Operating Systems Review | 1994

Extensible access control for a hierarchy of servers

Jean Bacon; Richard Hayton; Sai Lai Lo; Ken Moody

We discuss the protection requirements of a distributed storage service comprising a two-level hierarchy of storage servers with value-adding service layers above them. A flexible and extensible access control mechanism is required. Our scheme uses Access Control Lists (ACLs) to allow fine grained expression of policy together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery.


Distributed Systems Engineering | 1999

Mobile Java objects

Richard Hayton; Michael Bursell; Douglas I. Donaldson; W. Harwood; Andrew Herbert

In this paper we discuss the engineering requirements for adding object mobility to the Java programming language, and give an overview of the design and implementation of our mobile object system. We show that it is helpful to cluster objects for mobility, and that if these clusters represent untrusted pieces of code (for example, agents) then they must be encapsulated both to control their access and to control access to them. We show that managing large numbers of mobile objects in an open environment is a difficult problem, but has its roots in the management of large distributed name spaces. We propose an architecture for relocating moved objects that is both scaleable and tuneable. The mobile object system we describe has been implemented, and is currently in use as part of an ESPRIT agent project. We are currently evolving the design and implementation to provide additional security and distribution facilities.


Proceedings of IEEE Workshop on Services for Distributed and Networked Environments | 1994

Access control for a modular, extensible storage service

Jean Bacon; Richard Hayton; Sai Lai Lo; Ken Moody

We have designed and built a modular and extensible multi service storage architecture (MSSA) which allows evolution from, and compatibility with, traditional applications. The MSSA comprises a two-level hierarchy of storage servers with value-adding service layers above them. We present the access control mechanism of the MSSA. Access control lists (ACLs) are used to allow fine grained expression of policy together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery. We report on experiences with a prototype implementation of the scheme and suggest some optimisations.


SIGOPS European Workshop | 1996

Using Events to Build Distributed Applications

Jean Bacon; John Bates; Richard Hayton; Ken Moody


Advances in Computers | 1999

FlexiNet: A Flexible, Component-Oriented Middleware System

Richard Hayton; Andrew Herbert

Collaboration


Top Co-Authors

Ken Moody

University of Cambridge

Jean Bacon

University of Cambridge

John Bates

University of Cambridge

Sai Lai Lo

University of Cambridge
