1 / 52

Mobile Access Control

Mobile Access Control. Adriana Compagnoni Stevens Institute of Technology Joint work with Elsa L Gunter (UI-UC). Rutgers, February 3, 2006. Network. Classroom. Instructor. Mail. Boxed Ambients. Destination. Mailer. Network. Classroom. Instructor. Mail. Boxed Ambients.

nhung
Download Presentation

Mobile Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile Access Control Adriana Compagnoni Stevens Institute of Technology Joint work with Elsa L Gunter (UI-UC) Rutgers, February 3, 2006

  2. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  3. Network Classroom Instructor Mail Boxed Ambients Destination msg Mailer

  4. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  5. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  6. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  7. Network Classroom Instructor Mail Boxed Ambients Destination Mailer route

  8. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  9. Network Classroom Instructor Mail Boxed Ambients Destination Mailer

  10. Network Classroom Instructor Mail Boxed Ambients Destination msg Mailer

  11. Network Classroom Student Mail Boxed Ambients Destination Mailer

  12. Network Classroom Student Mail Boxed Ambients Destination msg Mailer

  13. Network Classroom Student Mail Boxed Ambients Destination Mailer

  14. Network Classroom Student Boxed Ambients Destination Class Resp Mailer

  15. Security is Necessary for Correct Functionality • Embedded devices often need to receive data (and increasingly new code) from remote sources • If data (or new code) is corrupt, the functionality of device is at risk • Need methods to verify security of communications

  16. CPAP Machines - Current Method • Doctor sends you a Smart Card • You insert the smart card into your machine • When the machine is done interacting with the smart card, you take it out • You mail the card back to the doctor • The doctor places the smart card in his reader • Security derives from the “belief” that the card is secure • Networking is the way of the future

  17. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  18. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  19. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  20. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  21. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  22. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  23. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  24. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  25. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  26. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  27. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  28. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  29. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  30. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  31. Privacy • How do we guarantee that only authorized agents access your CPAP?

  32. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  33. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  34. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  35. Network Boxed Ambients Doctor Patient1 GetInfo X CPAP Patient2 CPAP

  36. Role-Based Access Control • Separate control into roles for users and access privileges for roles • Give one relation of users (and possibly active roles) to roles (that can be activated) • Give separate relation of roles to privileges • Access privileges: P : Role set  Acc set • User roles: UserPolicy: User  Role setRole set

  37. Local Role-Based Access Control • Have a notion of a location (boxed ambient) • Each ambient assigns privileges to the resources it controls: • Entry into itself • Read access to its channel • Write access to its channel • Priv : Amb  Role set  Role set  Role set enter read write

  38. Ambient • Assume set of (public) ambient names Amb • Ambients given by: A ::= mu[P]@ • Where m  Amb •  Roles (active roles for that process) • u  Users • P is a Process

  39. Processes (simplified) • Similar to -calculus • | c | c (local | with parent | with child) • P :: = nil | (P1 | P2) | !P | (n:) P (creates a new ambient n) | <M>.P (send message M on ) | (x).P (receive message into x on ) | activate( r ).P (activate role r for P) | deactivate( r ).P (deactivate role r for P) | C(c).P (execute capability C, creating local channel c) • Message is a capabilty or variable (containing a capabilty)

  40. Dynamic Semantics • to activate or deactivate a role. • to describe when one ambient may enter or exit another. • to describe local communication, and communication across ambient boundaries.

  41. Dynamic Semantics: in • nu [in m (c1).P1 | R1] @n | mv [in (c2).P2| R2] @m  mu[nv[P1{c1: = c} | R1]@n | P2{c2:= c} | R2]@m -The capabilities in m (c1) and in (c2) are consumed. - m and n now share a new communication channel c.

  42. Type System • Our Type System prevents two forms of security violations: • Attempting to enter an ambient without proper authorization, and • Attempting to read from or write to channels without the corresponding permissions.

  43. What can we do statically? • Give static types to channels and ambients • Ambient types:  :: = amb (in, ) • Channel types:  :: = (r,w, ) | ssh • Being in in guarantees you can enter the ambient • Being in r guarantees you can read from the channel • Being in w guarantees you can write to the channel • shh means you cannot read or write to the channel

  44. Typing Judgements • ,here,deact ,m,u |- P: act Where • P is a process • m is the enclosing ambient • u is the user that owns m • here is the set of roles authorizing P to be in m • deact is the set of roles that P can deactivate • act is the set of currently active roles. •  typing environment for message identifiers and channel names

  45. Typing Judgements • Other typing judgements have similar forms. • The typing judgement for actions reflect how the different role sets are modified. • ,here,deact, act,m,u |- a : (,here,act)

  46. Example • Previous example can now work: • Give members of doctor’s office the doctorrole • Patient allows GetInfo procedures with doctorrole to enter, but not GetInfo procedures from other patients • Patients can’t (in general) activate the doctorrole

  47. CPAP Example • No matter how we specify types for the ambients, the Patient1 GetInfo process will not type check if it requests to enter Patient2 • We can find types that allow the Doctor GetInfo program to type check

  48. Results • We defined an un-typed and a typed (not shown) transitional semantics. • We show that on well-typed processes both transitional semantics coincide. • The typed transitional semantics is of independent interest, and it is relevant to situations where the access control policy is only known at runtime.

  49. Future Work • Trusted and untrusted locations • Role hierarchies • Subtyping: Can a more (or less) restrictive type be used than the one given? • Multiple channels between communicating ambients • Design a programming language based on this calculus

  50. Related Work • Bonelli,Compagnoni,Dezani,and Garralda (MFCS04) • The calculus splits communication and mobility by using ambient names and port names. • Braghin, Gorla, and Sassone (CSFW04) • They develop a type system for statically (and dynamically) checking code in the -calculus with roles. • Hennessy (TGC05) • Type system for the D-calculus • Uses dependent types to allow privileges to vary by the message received • No nesting of different user code or locations • No movement of locations, only code

More Related