1 / 37

Role-based Access Control in a Mobile Environment

Role-based Access Control in a Mobile Environment. Elsa L Gunter (UI-UC) Joint work with Adriana Compagnoni (Stevens) Pablo Garralda (Stevens). Security in Necessary for Correct Functionality. Embeded devices often need to receive data (and increasingly new code) from remote sources

bond
Download Presentation

Role-based Access Control in a Mobile Environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Role-based Access Control in a Mobile Environment Elsa L Gunter (UI-UC) Joint work with Adriana Compagnoni (Stevens) Pablo Garralda (Stevens)

  2. Security in Necessary for Correct Functionality • Embeded devices often need to receive data (and increasingly new code) from remote sources • If data (or new code) is corrupt, the functionality of device is at risk • Need methods to verify security of communications

  3. CPAP Machines - Current Method • Doctor send you a Smart Card • You insert the smart card into your machine • When the machine is done intercating with the smart card, you take it out • You mail the card back to the doctor • The doctor places the smart card in his reader • Secuirity derives from the “belief” that the card is secure • Networking is the way of the future

  4. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  5. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  6. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  7. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  8. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  9. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  10. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  11. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  12. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  13. Network Boxed Ambients Doctor Patient1 CPAP Patient2 CPAP GetInfo

  14. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  15. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  16. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  17. Network Boxed Ambients Doctor Patient1 GetInfo CPAP Patient2 CPAP

  18. How do we guarantee that the only authorized agents access your CPAP?

  19. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  20. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  21. Network Boxed Ambients with Security Doctor Patient1 GetInfo CPAP Patient2 CPAP

  22. Network Boxed Ambients Doctor Patient1 GetInfo X CPAP Patient2 CPAP

  23. Role-Based Access Control • Separate control into roles for users and access privileges for roles • Give one relation of users (and possibly active roles) to roles (that can be activated) • Give separate relation of roles to privileges • Access privileges: P : Role set  Acc set • User roles: U: User  Role setRole set

  24. Local Role-Based Access Control • Have a notion of a location (boxed ambient) • Each ambient assigns privileges to the resources it controls: • Entry into itself • Read access to its channel • Write access to its channel • P : Amb  Role set  Role set  Role set enter read write

  25. Ambient • Assume set of (public) ambient names Amb • Ambients given by: A ::= mu[P1@1. . . Pn@n] • Where m  Amb • i  Roles (representing roles current for that process) • u  Users • Pi a Process

  26. Process (some what simplified) • Similar to -calculus • P ::= A | nil | (P1 | P2) | !P | (n:(in,r,w)) P (creates a new ambient) | c<M>.P (send message M on channel c) | c(x).P (receive message into x on c) | activate(r).P (activate role r for P) | deactivate( r ).P (deactivate role r for P) | C(c).P (execute capability C, creating local channel c) • Message is a capabilty or variable (containing a capabilty)

  27. Dynamic Semantics • Give Dynamic Semantics to describe when one ambient may enter, exit, or communicate with another. • Requires run-time access to role-based access policy

  28. Example • Previous example can now work: • Give members of doctor’s office the doctorrole • Patient allows GetInfo procedures with doctorrole to enter, but not GetInfo procedures from other patients • Patients can’t (in general) activate the doctorrole

  29. What can we do statically? • Give static types to channels and ambients • Ambient types:  ::= (in, ) • Channel types:  ::= (r,w, ) | ssh • Being in in guarantees you can enter the ambient • Being in r guarantees you can read from the channel • Being in w guarantees you can write to the channel • shh means you cannot read or write to the channel

  30. Static Semantics • Develop type system that checks if access to local resources is authorized • If process statically type checks, activate and deactivate may be ignored at runtime • Requires complete static knowledge of local role-based access control policy

  31. CPAP Example • No matter how we specifify types for the ambients, the Patient1 GetInfo process will not type check if it requests to enter Patient2 • We can find types that allow the Doctor GetInfo program to type check

  32. Future Work • Subtyping: Can a more (or less) restrictive type be used than the one given? • Covariant / contrvariant problem • Support for “open” (delivering running code) • Multiple channels between communicating ambients • Implement on top of the Tunnel Calculus (Carl Gunter and Alwyn Goodloe)

  33. Related Work • Braghin, Gorla, and Sassone (CSFW04) • They develop a type system for stactically (and dynamically) checking code in the -calculus • Their type system is similar finitary limitation • Hennessy (TGC05) • Type system for the D-calculus • Uses dependent types to allow privileges to vary by the message received • No nesting of different user code • No movement of laocations, only code • Has residual run-time type checks

  34. Ambients given by: A ::= mu[P1@1. . . Pn@n] • Where m  Amb • 1  Roles (representing roles current for that process) • u  Users • Pi a Process

  35. Assume set of (public) ambient names Amb • Ambients given by: A ::= mu[P1@1. . . Pn@n] • Where m  Amb • 1  Roles (representing roles current for that process) • u  Users • Pi a Process

More Related