Context-based Access Control

1
Context-based Access Control

• A. Corradi, R. Montanari D. Tibaldi,
  Context-Based Access Control Management in
  Ubiquitous Environments, Network Computing and
  Applications, Third IEEE International Symposium
  on (NCA'04), August 30 - September 01, 2004,
  Boston, MA.

A review by A. Escobar Dr. Maria
Petrie Department of Computer Science Florida
Atlantic University March 31st , 2005
2
Context-based Access Control

• Traditional RBAC not applicable.
• Service providers do NOT know in advance the
  identities/roles of all subjects.
• Users could be unknown entities.

- RBAC model taken from Fer04
3
Context-based Access Control

• Context-based AC (CBAC).
• As with role, context provides a level of
  indirection between users and permissions.

4
Security Framework

• Corradis Contribution
• Allows flexible solutions for CBAC.
• Defines 3 views
• Desired View Resources that a user is willing
  to access.
• Allowed View Accessible Resources depending on
  context-dependent AC Policies.
• Active-Context View Desired View n Allowed
  View.
• Supports Privacy of user context information.

Sys. Allowed View
Allowed View
Desired View
Active-Context View
5
Context Model

• Corradis Contribution
• Physical Context
• Identify physical spaces.
• There is only one per user.
• Holds references to the protected resources.
• Logical Context
• Identify logical states of users and resources.
• Many per user/resource.

Not UML and taken From Cor04
6
Context Model

• Our Contribution
• UML representation of Corradis Context Model.

in
User


Logical_Context
Location_Context
User may only be in 1 Location_Context at a
time
7
Physical Context
Corradis Framework for Physical Context
Our UML interpretation
Physical_Context name Cinema type Physical
activation_condGeoCoordinate.IsEqual(Area.GetInf
o) activate( ) deactivate ( )
8
Logical Context
Corradis Framework for Logical Context
Our UML interpretation
9
Resource
Corradis Framework for Resource
Our UML interpretation
10
Context Model

• Our Contribution
• UML representation of Corradis Context Model.

11
Security Model

• Corradis Contribution
• Allow System Administrators and Users specify
  their own policies.
• Introduces Metadata
• User/Device/Resource Profiles (Security logic).
• Access Control Policies (Security control).
• Allowing separation between security logic and
  security control.

Not UML and taken From Cor04
12
Profiles

• User Profile
• Properties
• Desired View
• Desired Objects.
• Desired Actions to be performed on Desired
  Objects.
• Context Conditions to perform the Desired
  Actions.
• Device Profile Dont know the substructure.
• Resource Profile Dont know the substructure.

13
A User Profile
14
Profiles

• Our Contribution
• UML representation of Corradis Profile.

15
Security Model

• Our Contribution
• UML representation of Corradis Security Model.

1

Devi ce
16
Access Control Policies

• Association rules between set of permissions and
  set of contexts.
• Simple Association ( One permission to One
  Context)
• And, Or Dependence Associations (One permission
  to many Contexts)
• System Level.
• Administrator defines permissions.
• Protect system resources
• User Level.
• User defines permissions.
• Protect user privacy.

17
Permission
Corradis Permission
Our UML interpretation
18
Context-Based Access Control Policies
19


1

Device
20
MBAC Pattern
MBAC pattern taken from Fer04
21
MBAC Pattern
Not mapped yet Device Device Profile
CBAC Policy
1..
protects
ltltresourcegtgt
1..
ltltusergtgt
Context
Subject
Object
physical
target


1
AttributeValue
PropertyValue
ltltpermissiongtgt
value
value


1
1
ltltuser_profile gtgt
ltltpropertygtgt
ltltresource_profile gtgt
ltltpropertygtgt


Subject
Descriptor
Attribute
Property
Object
Descriptor
isAuthorized
For
1
1


ltltdesired_view gtgt
ltltdesired_view gtgt
Property
Qualifier
Attribute
Qualifier


operator
operator
value
value
MBAC pattern taken from Fer04
22
References

• Boo98 G. Booch, J. Rumbaugh, I. Jacobson The
  Unified Modeling Language User Guide,
  Addison-Wesley Pub Co 1st edition (September 30,
  1998).
• Cor04 A. Corradi, R. Montanari, D. Tibaldi,
  Context-Based Access Control Management in
  Ubiquitous Environments, Network Computing and
  Applications, Third IEEE International Symposium
  on (NCA'04), August 30 - September 01, 2004,
  Boston, MA.
• DeC03 S. DeCapitani di Vimercati, S.
  Paraboschi, P. Samarati Access
  control principles and solutions, ACM
  SoftwarePractice Experience, John Wiley
  Sons, 33 (5)397-421, April 2003.
• Fer04 T. Priebe, E.B.Fernandez, J.I.Mehlau, and
  G. Pernul, A Pattern System for Access Control
  Procs. of  the 18th. Annual IFIP WG 11.3 Working
  Conference on Data and Applications Security,
  Sitges, Spain, July 2004, 235-249.
• San96 R. Sandhu, E. Coyne, H. Feinstein, C.
  Youman "Role-Based Access Control models", IEEE
  Computer , 29(2)38-47, February 1996.
• San94 R. Sandhu, P. Samarati, Access Control
  Principles and Practice, IEEE Communications
  Magazine (1994, 40-48).