
The Study Of Multi-domain Authorization Management And Authorization Provenance

Posted on: 2011-04-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J W Hu
Full Text: PDF
GTID: 1118360305992000
Subject: Computer application technology
Abstract/Summary:
Interoperation among multiple domains enables domains to share resources effectively. However, it also opens the way to several security breaches. For one thing, the security policies of interoperating domains may have been fully specified before any interoperation requirement arose; supporting effective interoperation without compromising the domains' security is a challenging task. For another, authorizations in interoperating environments are no longer determined solely by the domain that controls the requested resource; instead, multiple agents may play a role in the authorization decision-making process. As a result, interoperating domains may be placed in a potentially riskier position, and the problem grows more severe with the increasing complexity and dynamics of interoperating environments. This dissertation therefore presents a flexible secure interoperation framework, named RAR. RAR features a flexible and scalable mechanism for establishing interoperation, an effective and efficient inter-domain role mapping solution, and a novel risk management process. Because of the theoretical importance and wide usage of Role-based Access Control (RBAC) models, RAR concerns itself only with interoperating environments in which each member domain adopts RBAC policies. RAR follows the trend of using inter-domain role mappings (IDRM) as the basis of interoperation. However, several problems remain open.

Domains may join and leave in an ad hoc manner. Once new domains join and new interoperation demands arise, interoperation relationships should be established efficiently. On the other hand, when domains leave or abolish a collaborating alliance, they should be able to recover their RBAC policies and work as before. To address this requirement, RAR employs a flexible mechanism that sets up interoperation in a pairwise manner, eliminating the need for a trusted third party. The removal of the central mediator is key to the flexibility and scalability.
Not surprisingly, potential interoperation poses new threats to domains' security: careless specification and enforcement of interoperation can easily result in unintended authorization and leakage of sensitive information, with respect to both foreign users and insiders. In RAR, care is taken in generating inter-domain role mappings. This dissertation studies the complexity of IDRM while taking separation-of-duty policies into account; it turns out to be intractable in most cases. RAR addresses IDRM-related problems by reducing them to well-known problems (e.g., the satisfiability problem), which have been studied for decades and for which various mature solvers exist in the literature.

Considering the variety of interoperation requirements, security administrators in domains may resort to adjusting RBAC policies in the hope of supporting interoperation. Although RBAC has significantly simplified the management of authorizations, implementing the desired adjustments is not trivial. Motivated by interoperation demands, as well as by other applications (e.g., task assignment and error correction in RBAC), RBAC policies need to be updated in response to high-level objectives. However, such an update process is generally complicated, because the resulting system state is expected to meet the necessary constraints. This dissertation presents an automated tool, Route, to assist administrators with the update task: using Route, it is possible to check automatically whether a required update is achievable and, if so, to produce a reference model. Guided by this model, administrators can carry out the changes to their RBAC systems. We propose a formalization of the update approach, investigate its properties, and develop an updating algorithm based on model checking techniques. Extensive experimental results demonstrate Route's effectiveness and efficiency.
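As an added illustration of the inter-domain role mapping problem discussed above (example code written for this page; it is not part of the dissertation or of RAR): a constructed local RBAC policy with a role hierarchy and one static separation-of-duty pair, and an exhaustive search for the smallest set of local roles that covers a foreign role's requested permissions without placing a mutually exclusive pair in the mapped roles' closure. The role and permission names are invented, and the brute-force search stands in for the reduction to satisfiability that the dissertation uses.

```python
from itertools import combinations

# Constructed local RBAC policy (an assumption for this example; the
# dissertation's own case studies are not reproduced).
# role -> permissions assigned directly to that role
ROLE_PERMS = {
    "Clerk": {"read_ledger"},
    "Accountant": {"post_entry"},
    "Auditor": {"approve_report"},
    "Manager": {"sign_contract"},
    "Analyst": {"run_report"},
}
# senior role -> junior roles it directly inherits from
ROLE_HIERARCHY = {
    "Accountant": {"Clerk"},
    "Auditor": {"Clerk"},
    "Manager": {"Accountant"},
}
# static separation of duty: no principal may hold both roles of a pair,
# whether directly or through inheritance
SOD_PAIRS = [frozenset({"Accountant", "Auditor"})]


def role_closure(role):
    """The role itself plus every junior role it inherits (transitively)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_HIERARCHY.get(r, ()))
    return seen


def authorized_perms(role):
    """Permissions held directly or through junior roles."""
    return set().union(*(ROLE_PERMS[r] for r in role_closure(role)))


def violates_sod(roles):
    """True if the closure of a role set contains a mutually exclusive pair."""
    held = set().union(*(role_closure(r) for r in roles))
    return any(pair <= held for pair in SOD_PAIRS)


def find_role_mapping(requested):
    """Map a foreign role's requested permissions onto local roles.

    Searches role sets by increasing size and, among sets of the same size,
    prefers the one granting the fewest permissions beyond the request.
    The general problem is NP-hard, so this exhaustive search stands in for
    a SAT encoding; it is fine for a domain with a handful of roles.
    Returns (mapped_roles, over_authorized_perms), or None when no
    SoD-respecting role set covers the request.
    """
    requested = set(requested)
    roles = list(ROLE_PERMS)
    for size in range(1, len(roles) + 1):
        best = None
        for subset in combinations(roles, size):
            if violates_sod(subset):
                continue
            granted = set().union(*(authorized_perms(r) for r in subset))
            if not requested <= granted:
                continue
            extra = granted - requested
            if best is None or len(extra) < len(best[1]):
                best = (frozenset(subset), frozenset(extra))
        if best is not None:
            return best
    return None


if __name__ == "__main__":
    for request in ({"read_ledger", "post_entry"},
                    {"post_entry", "approve_report"},
                    {"read_ledger", "run_report"}):
        print(sorted(request), "->", find_role_mapping(request))
```

Two points the search makes concrete. First, the check has to run over the closure of the mapped roles, not the roles themselves: a request for `post_entry` plus `approve_report` is refused even through `{Manager, Auditor}`, because Manager inherits Accountant and so the mapping would hand a foreign user both halves of the mutually exclusive pair. Second, the second element of the result is the over-authorization, the permissions the mapping grants beyond what was asked for; that is exactly the "unintended authorization" the paragraph warns about, and a mapping that covers the request with zero extra permissions is preferred over one that covers it with a senior role.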
RAR leverages Route to facilitate the management of RBAC policies in the face of interoperation demands.

To deal with the dynamics and uncertainty of interoperating environments, RAR employs the notion of risk to monitor and manage domains' security. However, sound risk assessment depends not only on the algorithm but also on the input data. As far as authorizations are concerned, that data is the authorization log maintained by the domains. Unfortunately, simply recording the conclusions of authorization decisions is far from enough. We first observe that the representation of authorization provenance is key to the quality of the authorization log. We generalize the problem to distributed authorization and logic-based policy bases. In brief, statements from a number of agents, besides the trusted central party, may influence authorization decisions. However, existing authorization logics place little emphasis on this set of agents, that is, on authorization provenance. This dissertation presents a logic, called DBT, which expresses provenance explicitly. Reasoning about authorization provenance makes it possible to (1) understand and analyze authorizations and the status of policy bases, (2) defend against a class of attacks, and (3) obtain potentially efficient auditing guided by provenance information. In particular, a sound and complete axiomatic system is given. We define a notion of authorization provenance based on DBT. By studying a collection of properties, we show that this definition captures the intuitions behind authorization provenance. Finally, we present an example application of our notion of authorization provenance, namely specifying and enforcing a new type of security requirement.
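As an added illustration of provenance-carrying authorization (example code written for this page; it is not DBT and reproduces none of the dissertation's syntax, axioms or proofs): a small forward-chaining policy engine in which every statement is attributed to the agent that asserted it, every derived conclusion carries the set of agents whose statements were used to derive it, and the security requirement is stated over that provenance rather than over the conclusion alone. The agents, facts, rules and the trusted set are constructed for the example.

```python
# Constructed policy base (an assumption for this example): every statement
# is attributed to the agent that asserted it. Facts are ground tuples; a
# rule is (author, head, body) where terms beginning with "?" are variables.
STATEMENTS = [
    ("Admin", ("owns", "Admin", "payroll")),
    ("HR", ("employee", "alice")),
    ("Contractor", ("employee", "alice")),    # a second, weaker source
    ("Contractor", ("employee", "mallory")),  # only an untrusted source
    ("Recruiting", ("hired", "bob")),
]
RULES = [
    # Admin: the owner of payroll lets any employee read it
    ("Admin", ("may", "?u", "read", "payroll"),
     [("owns", "Admin", "payroll"), ("employee", "?u")]),
    # HR: whoever Recruiting reports as hired counts as an employee
    ("HR", ("employee", "?u"), [("hired", "?u")]),
]
# Requirement over provenance: a payroll decision may rest only on these agents
TRUSTED_FOR_PAYROLL = frozenset({"Admin", "HR", "Recruiting"})


def unify(pattern, fact, binding):
    """Extend binding so that pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if b.get(p, f) != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def substitute(pattern, binding):
    return tuple(binding.get(t, t) for t in pattern)


def match_body(body, known, binding, prov):
    """Yield (binding, provenance) for every way to satisfy the body atoms."""
    if not body:
        yield binding, prov
        return
    for fact, provs in list(known.items()):
        b = unify(body[0], fact, binding)
        if b is None:
            continue
        for p in list(provs):
            yield from match_body(body[1:], known, b, prov | p)


def derive(statements, rules):
    """Forward-chain to a fixpoint.

    Returns {fact: set of provenance sets}; each provenance set is the set of
    agents whose statements one derivation of that fact used. Alternatives
    are kept apart rather than merged, so a fact backed by a trusted chain
    is not tainted by a second, untrusted derivation of the same fact.
    """
    known = {}
    for agent, fact in statements:
        known.setdefault(fact, set()).add(frozenset({agent}))
    changed = True
    while changed:
        changed = False
        for author, head, body in rules:
            for binding, prov in match_body(body, known, {}, frozenset({author})):
                provs = known.setdefault(substitute(head, binding), set())
                if prov not in provs:
                    provs.add(prov)
                    changed = True
    return known


def authorize(known, request, trusted):
    """Grant iff some derivation of the request rests only on trusted agents.

    Returns (granted, provenance_log): the log lists every derivation's
    agents, which is what an auditor needs beyond the bare yes/no.
    """
    provs = known.get(request, set())
    granted = any(p <= trusted for p in provs)
    return granted, sorted(sorted(p) for p in provs)


if __name__ == "__main__":
    KNOWN = derive(STATEMENTS, RULES)
    for user in ("alice", "bob", "mallory", "carol"):
        print(user, authorize(KNOWN, ("may", user, "read", "payroll"), TRUSTED_FOR_PAYROLL))
```

The point of the log returned by `authorize` is the one the paragraph makes about authorization logs: the bare conclusion `may(mallory, read, payroll)` is derivable from the policy base, so a log that records only conclusions would show a valid grant, while the provenance shows that the only derivation depends on Contractor and lets the requirement refuse it. Keeping provenance per derivation rather than as one merged set also matters: alice has one derivation through HR and one through Contractor, and she is granted on the strength of the trusted one without the untrusted statement tainting it.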
Keywords/Search Tags: Role-based Access Control, Secure Interoperation, Role Mapping, Risk, Policy Updating, Authorization Provenance