Title: Context-based Access Control
1Context-based Access Control
- A. Corradi, R. Montanari D. Tibaldi,
Context-Based Access Control Management in
Ubiquitous Environments, Network Computing and
Applications, Third IEEE International Symposium
on (NCA'04), August 30 - September 01, 2004,
Boston, MA.
A review by A. Escobar Dr. Maria
Petrie Department of Computer Science Florida
Atlantic University March 31st , 2005
2Context-based Access Control
- Traditional RBAC not applicable.
- Service providers do NOT know in advance the
identities/roles of all subjects. - Users could be unknown entities.
- RBAC model taken from Fer04
3Context-based Access Control
- Context-based AC (CBAC).
- As with role, context provides a level of
indirection between users and permissions.
4Security Framework
- Corradis Contribution
- Allows flexible solutions for CBAC.
- Defines 3 views
- Desired View Resources that a user is willing
to access. - Allowed View Accessible Resources depending on
context-dependent AC Policies. - Active-Context View Desired View n Allowed
View. - Supports Privacy of user context information.
Sys. Allowed View
Allowed View
Desired View
Active-Context View
5Context Model
- Corradis Contribution
- Physical Context
- Identify physical spaces.
- There is only one per user.
- Holds references to the protected resources.
- Logical Context
- Identify logical states of users and resources.
- Many per user/resource.
Not UML and taken From Cor04
6Context Model
- Our Contribution
- UML representation of Corradis Context Model.
in
User
Logical_Context
Location_Context
User may only be in 1 Location_Context at a
time
7Physical Context
Corradis Framework for Physical Context
Our UML interpretation
Physical_Context name Cinema type Physical
activation_condGeoCoordinate.IsEqual(Area.GetInf
o) activate( ) deactivate ( )
8Logical Context
Corradis Framework for Logical Context
Our UML interpretation
9Resource
Corradis Framework for Resource
Our UML interpretation
10Context Model
- Our Contribution
- UML representation of Corradis Context Model.
11Security Model
- Corradis Contribution
- Allow System Administrators and Users specify
their own policies. - Introduces Metadata
- User/Device/Resource Profiles (Security logic).
- Access Control Policies (Security control).
- Allowing separation between security logic and
security control.
Not UML and taken From Cor04
12Profiles
- User Profile
- Properties
- Desired View
- Desired Objects.
- Desired Actions to be performed on Desired
Objects. - Context Conditions to perform the Desired
Actions. - Device Profile Dont know the substructure.
- Resource Profile Dont know the substructure.
13A User Profile
14Profiles
- Our Contribution
- UML representation of Corradis Profile.
15Security Model
- Our Contribution
- UML representation of Corradis Security Model.
1
Devi ce
16Access Control Policies
- Association rules between set of permissions and
set of contexts. - Simple Association ( One permission to One
Context) - And, Or Dependence Associations (One permission
to many Contexts) - System Level.
- Administrator defines permissions.
- Protect system resources
- User Level.
- User defines permissions.
- Protect user privacy.
17Permission
Corradis Permission
Our UML interpretation
18Context-Based Access Control Policies
191
Device
20MBAC Pattern
MBAC pattern taken from Fer04
21MBAC Pattern
Not mapped yet Device Device Profile
CBAC Policy
1..
protects
ltltresourcegtgt
1..
ltltusergtgt
Context
Subject
Object
physical
target
1
AttributeValue
PropertyValue
ltltpermissiongtgt
value
value
1
1
ltltuser_profile gtgt
ltltpropertygtgt
ltltresource_profile gtgt
ltltpropertygtgt
Subject
Descriptor
Attribute
Property
Object
Descriptor
isAuthorized
For
1
1
ltltdesired_view gtgt
ltltdesired_view gtgt
Property
Qualifier
Attribute
Qualifier
operator
operator
value
value
MBAC pattern taken from Fer04
22References
- Boo98 G. Booch, J. Rumbaugh, I. Jacobson The
Unified Modeling Language User Guide,
Addison-Wesley Pub Co 1st edition (September 30,
1998). - Cor04 A. Corradi, R. Montanari, D. Tibaldi,
Context-Based Access Control Management in
Ubiquitous Environments, Network Computing and
Applications, Third IEEE International Symposium
on (NCA'04), August 30 - September 01, 2004,
Boston, MA. - DeC03 S. DeCapitani di Vimercati, S.
Paraboschi, P. Samarati Access
control principles and solutions, ACM
SoftwarePractice Experience, John Wiley
Sons, 33 (5)397-421, April 2003. - Fer04 T. Priebe, E.B.Fernandez, J.I.Mehlau, and
G. Pernul, A Pattern System for Access Control
Procs. of the 18th. Annual IFIP WG 11.3 Working
Conference on Data and Applications Security,
Sitges, Spain, July 2004, 235-249. - San96 R. Sandhu, E. Coyne, H. Feinstein, C.
Youman "Role-Based Access Control models", IEEE
Computer , 29(2)38-47, February 1996. - San94 R. Sandhu, P. Samarati, Access Control
Principles and Practice, IEEE Communications
Magazine (1994, 40-48).