Roshan K. Thomas

Conceptual foundations for a model of task-based authorizations

We describe conceptual foundations to address integrity issues in computerized information systems from the enterprise perspective. The motivation for this effort stems from the recognition that existing models are formulated at too low a level of abstraction, to be useful for modeling organizational requirements, policy aspects, and internal controls, pertaining to maintenance of integrity in information systems. In particular, these models are primarily concerned with the integrity of internal data components within computer systems, and thus lack the constructs necessary to model enterprise level integrity principles. The starting point in the investigation is the notion of authorization functions and tasks associated with business activities carried out in the enterprise. These functions identify the authorization requirements while the authorization tasks embody the concepts required to carry out such authorizations. We believe a model of task-based authorizations will bridge the existing gap between low-level models and very high level ones looking at integrity from a purely organizational and sociological perspective devoid of any direct links to computerized systems. The work described is preliminary and conceptual in nature, but is a necessary prerequisite for the eventual development of a formal model.<<ETX>>

Towards a task-based paradigm for flexible and adaptable access control in distributed applications

Historically, the access control problem has been couched within the framework of subjects, object, and rights. In this paper we argue for a newer paradigm for distributed and multi-system applications, that transcends the subject-object view of access control. This new paradigm views access control and authorization not in terms of individual subjects and object, but rather in terms of long-lived tasks that need to be authorized and managed in information systems.

Models, protocols, and architectures for secure pervasive computing: challenges and research directions

We explore the challenges and research directions in building models, protocols and architectures to support security in pervasive computing environments. We argue that to be successful, efforts to build these would have to recognize from the onset that pervasive computing settings are complex socio-technical system and would thus have to go beyond traditional system-centric approaches to analyzing and designing security.

A secure kernelized architecture for multilevel object-oriented databases

The authors present a secure kernelized architecture for multilevel object-oriented database management systems. The architecture is based on the notion of a message filter. It builds upon the typical architecture of current object-oriented database management systems. Since the operations mediated by the message filter are arbitrarily complex operations (as opposed to primitive reads and writes), a secure message filter requires careful attention to potential timing covert channels. Although the overall computation is logically a sequential one, to be secure one must actually execute pieces of the computation concurrently. This raises a synchronization problem for which they give a secure multiversion protocol. The fundamental problem solved is how to securely and correctly write up in terms of abstract operations.<<ETX>>

A Kernelized Architecture for Multilevel Secure Object-Oriented Databases Supporting Write-Up

This paper presents a kernelized architecture (i.e., an architecture in which no subject is exempted from the simple-security and *-properties) for multilevel secure (mls) object-oriented database management systems (DBMSs) which support write-up. Relational mls DBMSs typically do not allow write-up, due to integrity problems arising from the blind nature of write-up operations in these systems. In object-oriented DBMSs, on the other hand, sending messages upwards in the security lattice does not present an integrity problem because such messages will be processed by appropriate methods in the destination object. However, supporting write-up operations in object-oriented systems is complicated by the fact that such operations are no longer primitive; but can be arbitrarily complex and therefore can take arbitrary amounts of processing time. We focus on support for remote procedure call (RPC) based write-up operations. Dealing with the timing of such write-up operations consequently has broad implications on confidentiality (due to the possibility of signaling channels), integrity, and performance.We present an asynchronous computational model for mls object-oriented databases, which achieves the conflicting goals of confidentiality, integrity, and efficiency (performance). This requires concurrent computations to be generated within a user session, and for them to be scheduled so the net effect is logically that of a sequential (RPC-based) computation. Our work utilizes an underlying message filter security model to enforce mandatory confidentiality. We demonstrate how our computational model can be implemented within the framework of a kernelized architecture. In doing so, we present various intra-session and inter-session concurrency schemes. The intra-session schemes are concerned with the scheduling and management of concurrent computations generated within a user session, and we present conservative as well as aggressive scheduling algorithms. The inter-session schemes provide the traditional concurrency control functions of managing shared access to database objects, across user sessions.

Supporting Object-Based High-Assurance Write-up in Multilevel Databases for the Replicated Architecture

We discuss the support of high-assurance write-up actions in multilevel secure object-oriented databases under the replicated architecture. In this architecture, there exists a separate untrusted singlelevel database for each security level. Data is replicated across these databases (or containers), as each database stores a copy of all the data whose class is dominated by that of the database. Our work utilizes an underlying message filter based object-oriented security model. Supporting message-based write-up actions with synchronous semantics directly impacts condidentiality, integrity, and performance issues. Also, an important concern in the replicated architecture is the maintenance of the mutual consistency of the replicated data. In this paper we offer solutions to support write-up actions while preserving the conflicting goals of confidentiality, integrity, and efficiency and at the same time demonstrate how the effects of updates arising from write-up actions are replicated correctly to guarantee such mutual consistency. Finally, we wish to emphasize that our elaboration of the message filter model demands minimum functionality from the TCB that is hosted within the trusted front end (TFE), and further requires no trusted subjects (i.e. subjects who are exempted, perhaps partially, from the usual mandatory controls). Collectively, these make verification of our solutions easier, since we have the assurance that covert channels cannot be introduced through the TFE.

Panel Discussion: Role-based Access Control and Next-Generation Security Models

This purpose in organizing this panel was to promote discussion and to bring to the forefront the many issues related to next generation security models. Each of the sections below discuss the individual contributions of the various panelists.

Concurrency, Synchronization, and Scheduling to Support High-assurance Write-up in Multilevel Object-based Computing

We discuss concurrency, synchronization, and scheduling issues that arise with the support of high-assurance RPC-based (synchronous) write-up actions in multilevel object-based environments. Such environments are characterized by objects classified at varying security levels (called classifications) and accessed by subjects with varying security clearances. A write-up action occurs when a low level object sends a message to a higher one, triggering an update in the latter. While such actions do not directly violate the security policy, their abstract nature in object-based systems poses confidentiality leaks by opening up signaling channels. We present an approach to closing such channels by executing the methods in the sender and receiver objects concurrently, whenever a write-up action is issued. However, these concurrent computations have to be synchronized and scheduled so that they preserve the semantics of the original and synchronous (sequential) execution. We utilize a multi-version synchronization scheme and various scheduling strategies to achieve this.