Context-based Access Control

Context-based Access Control. A. Corradi, R. Montanari & D. Tibaldi, “Context-Based Access Control Management in Ubiquitous Environments”, Network Computing and Applications, Third IEEE International Symposium on (NCA'04), August 30 - September 01, 2004, Boston, MA.


Presentation Transcript


  1. Context-based Access Control. A. Corradi, R. Montanari & D. Tibaldi, “Context-Based Access Control Management in Ubiquitous Environments”, Network Computing and Applications, Third IEEE International Symposium on (NCA'04), August 30 - September 01, 2004, Boston, MA. A review by A. Escobar & Dr. Maria Petrie, Department of Computer Science, Florida Atlantic University, March 31st, 2005.

  2. Context-based Access Control
     • Traditional RBAC not applicable.
     • Service providers do NOT know in advance the identities/roles of all subjects.
     • Users could be unknown entities.
     [Figure: RBAC model, taken from [Fer04]]

  3. Context-based Access Control
     • Context-based AC (CBAC).
     • As with role, context provides a level of indirection between users and permissions.

  4. Security Framework
     • Corradi’s Contribution:
       • Allows flexible solutions for CBAC.
       • Defines 3 views:
         • Desired View: Resources that a user is willing to access.
         • Allowed View: Accessible Resources depending on context-dependent AC Policies.
         • Active-Context View: Desired View ∩ Allowed View.
       • Supports Privacy of user context information.
     [Figure: System, Resource, Allowed View, Desired View and Active-Context View]

  5. Context Model
     • Corradi’s Contribution:
       • Physical Context:
         • Identify physical spaces.
         • There is only one per user.
         • Holds references to the protected resources.
       • Logical Context:
         • Identify logical states of users and resources.
         • Many per user/resource.
     [Figure: not UML; taken from [Cor04]]

  6. Context Model
     • Our Contribution:
       • UML representation of Corradi’s Context Model.
     [UML diagram: User, association “in” (* to *), Logical_Context, Location_Context; constraint: {User may only be in 1 Location_Context at a time}]

  7. Physical Context
     • Corradi’s Framework for Physical Context: [figure]
     • Our UML interpretation:
       • Context: name; type: {Physical | Logical}; activation_cond.: Set of Predicates; activate( ); deactivate( )
       • Physical_Context: name = “Cinema”; type = Physical; activation_cond = GeoCoordinate.IsEqual(Area.GetInfo); activate( ); deactivate( )

  8. Logical Context
     • Corradi’s Framework for Logical Context: [figure]
     • Our UML interpretation:
       • Logical_Context: name: “Tourist”; type: Logical; activation_cond.: MonitoringSystem.GetVisitNumber.IsLess(N); activate( ); deactivate( )

  9. Resource
     • Corradi’s Framework for Resource: [figure]
     • Our UML interpretation:
       • Resource: name; description

  10. Context Model
     • Our Contribution:
       • UML representation of Corradi’s Context Model.
     [UML diagram: User (* to *) Context (name, type, activation_cond.); Logical_Context and Location_Context; “protects” association with Resource (name, description)]

  11. Security Model
     • Corradi’s Contribution:
       • Allows System Administrators and Users to specify their own policies.
       • Introduces Metadata:
         • User/Device/Resource Profiles (Security logic).
         • Access Control Policies (Security control).
       • Allows separation between security logic and security control.
     [Figure: not UML; taken from [Cor04]]

  12. Profiles
     • User Profile
       • Properties
       • Desired View
         • Desired Objects.
         • Desired Actions to be performed on Desired Objects.
         • Context Conditions to perform the Desired Actions.
     • Device Profile: Don’t know the substructure.
     • Resource Profile: Don’t know the substructure.
     [Diagram: User_Profile with properties and desired_view]

  13. A User Profile
     [Diagram: User_Profile with properties and desired_view]

  14. Profiles
     • Our Contribution:
       • UML representation of Corradi’s Profile.
     [UML diagram: Profile, Property (*), Desired_View (1) with Objects, Actions and Context_Cond.; User_Profile, Device_Profile, Resource_Profile]

  15. Security Model
     • Our Contribution:
       • UML representation of Corradi’s Security Model.
     [UML diagram: User, Device, Profile, Property, Desired_View (Objects, Actions, Context_Cond.), User_Profile, Device_Profile, Resource_Profile, Context (name, type, activation_cond.), Logical_Context, Location_Context, and Resource (name, description) with the “protects” association]

  16. Access Control Policies
     • Association rules between set of permissions and set of contexts.
       • Simple Association (One permission to One Context)
       • And, Or & Dependence Associations (One permission to many Contexts)
     • System Level.
       • Administrator defines permissions.
       • Protect system resources.
     • User Level.
       • User defines permissions.
       • Protect user privacy.

  17. Permission
     • Corradi’s Permission: < s, o, t, p >
     • Our UML interpretation:
       • Permission: name; action; kind
       • Permission has a “target” association with Resource (name, description)

  18. Context-Based Access Control Policies
     [UML diagram: CBAC Policy (assoc_type: {Simple|Or|And|Dependence}; allowed_view()) associated with 1..* Context and 1 Permission (name, action, kind); Permission has a “target” association with Resource (name, description); System_Policy and User_policy]

  19. [UML diagram: the complete model, combining the Context Model (User, Context, Logical_Context, Location_Context, Resource with the “protects” association), the Profiles (Profile, Property, Desired_View, User_Profile, Device_Profile, Resource_Profile, Device) and the CBAC Policy (assoc_type: {Simple|Or|And|Dependence}; allowed_view(); Permission; System_Policy; User_policy)]

  20. MBAC Pattern
     [Figure: MBAC pattern, taken from [Fer04]]

  21. MBAC Pattern
     [Diagram: the MBAC pattern taken from [Fer04] (Subject, Object, Right with accessType, Subject Descriptor, Object Descriptor, Attribute, Property, AttributeValue and PropertyValue with value, Attribute Qualifier and Property Qualifier with operator and value, isAuthorizedFor) annotated with the CBAC stereotypes <<user>>, <<resource>>, <<permission>>, <<user_profile>>, <<resource_profile>>, <<property>> and <<desired_view>>; CBAC Policy, Context and the “protects” association are also shown.]
     • Not mapped yet: Device, Device Profile.

  22. References
     • [Boo98] G. Booch, J. Rumbaugh, I. Jacobson, “The Unified Modeling Language User Guide”, Addison-Wesley Pub Co; 1st edition (September 30, 1998).
     • [Cor04] A. Corradi, R. Montanari, D. Tibaldi, “Context-Based Access Control Management in Ubiquitous Environments”, Network Computing and Applications, Third IEEE International Symposium on (NCA'04), August 30 - September 01, 2004, Boston, MA.
     • [DeC03] S. DeCapitani di Vimercati, S. Paraboschi, P. Samarati, “Access control: principles and solutions”, ACM Software—Practice & Experience, John Wiley & Sons, 33(5):397-421, April 2003.
     • [Fer04] T. Priebe, E.B. Fernandez, J.I. Mehlau, and G. Pernul, “A Pattern System for Access Control”, Procs. of the 18th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Sitges, Spain, July 2004, 235-249.
     • [San96] R. Sandhu, E. Coyne, H. Feinstein, C. Youman, “Role-Based Access Control models”, IEEE Computer, 29(2):38-47, February 1996.
     • [San94] R. Sandhu, P. Samarati, “Access Control: Principles and Practice”, IEEE Communications Magazine (1994, 40-48).
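
The three views from slide 4 and the Simple/And/Or associations from slides 16 and 18, worked through as an added Python example (not code from the presentation or from Corradi et al.). The environment keys `area` and `visits`, the threshold `N = 3`, and the sample resources and policies are constructed; Dependence is denied because the slides do not define its semantics.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass(frozen=True)
class Context:
    name: str
    type: str                                # "Physical" or "Logical"
    activation_cond: Callable[[dict], bool]  # stands in for the set of predicates

@dataclass(frozen=True)
class Policy:
    permission: Tuple[str, str]              # (resource name, action)
    assoc_type: str                          # Simple | Or | And | Dependence
    contexts: Tuple[str, ...]

RULES = {  # Dependence is deliberately absent, so it fails closed below
    "Simple": lambda hits: len(hits) == 1 and hits[0],
    "And": lambda hits: bool(hits) and all(hits),
    "Or": any,
}

def active_contexts(contexts, env):
    active = [c for c in contexts if c.activation_cond(env)]
    if sum(c.type == "Physical" for c in active) > 1:  # one location at a time
        raise ValueError("more than one physical context is active")
    return {c.name for c in active}

def allowed_view(policies, active):
    deny = lambda hits: False  # unknown or undefined association types
    return {p.permission for p in policies
            if RULES.get(p.assoc_type, deny)([c in active for c in p.contexts])}

def active_context_view(desired, policies, contexts, env):
    # Active-Context View = Desired View ∩ Allowed View
    return set(desired) & allowed_view(policies, active_contexts(contexts, env))

N = 3  # constructed threshold for the "Tourist" visit-count condition
CONTEXTS = [
    Context("Cinema", "Physical", lambda e: e.get("area") == "Cinema"),
    Context("Museum", "Physical", lambda e: e.get("area") == "Museum"),
    Context("Tourist", "Logical", lambda e: e.get("visits", N) < N),
]
POLICIES = [  # constructed sample policies
    Policy(("schedule", "read"), "Simple", ("Cinema",)),
    Policy(("guide", "read"), "And", ("Cinema", "Tourist")),
    Policy(("trailer", "play"), "Or", ("Cinema", "Museum")),
    Policy(("projector", "control"), "Dependence", ("Cinema",)),
]
DESIRED = {("guide", "read"), ("trailer", "play"), ("projector", "control")}
```

The same desired view yields different access as the context changes: the `guide` permission disappears once the visit count reaches `N`, and everything disappears when the user leaves the cinema.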
