A Framework for Role-Based Access Control in Group Communication Systems

Cristina Nita-Rotaru and Ninghui Li
Department of Computer Sciences, Purdue University, West Lafayette, IN 47907

Abstract

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines role-based access control mechanisms with environment parameters (time, IP address, etc.) to provide support for a wide range of applications with very different requirements. While the access control policy is defined by the
application, its efficient enforcement is provided by the group communication system.

1 Introduction

Many collaborative applications such as phone and video conferencing, white-boards, distance-learning applications, games, shared instrument control, as well as command-and-control systems, have in common the need for a communication infrastructure that provides efficient message dissemination to multiple parties (often organized in groups based on a common interest), efficient synchronization mechanisms that allow for coordination and last, but not least, security services. Group communication systems (GCS) provide such services. Examples of group communication systems include: Isis [9], Horus [21], Transis [4], Totem [6], RMP [28], Rampart [20], SecureRing [13], Ensemble [24] and Spread [8, 3].

An important aspect for secure collaborative groups is defining and enforcing a security policy. A set of definitions and requirements of security policies in groups is presented in [12]. The minimal set of security services that should be provided by any secure GCS and should be specified in a group policy include: client authentication, access control, group key management, data integrity and confidentiality.

While considerable research has been conducted to design scalable and fault-tolerant group key management protocols [29, 23, 5], and to provide data confidentiality and integrity [17, 2, 25, 7] for groups, less work focused on the access control services. When GCS are used as a common platform by several applications with different security requirements, there is an obvious need to control who can join a group, who can send/receive messages, etc. Major challenges when providing access control services to GCS are reconciling flexibility with scalability, and efficiently enforcing access control in the context of dynamic and distributed groups while supporting process failures and network partitions.

Most existing work in providing access control for groups employs traditional access control schemes such as access control lists (ACLs). Such schemes make authorization decisions based on the identity of the requester. However, in decentralized or multi-centric environments, the resource owner and the requester are often unknown to one another, making access control based on identity ineffective or very expensive to maintain.

We adopt an approach in which the operations a client is allowed to perform depend on the role the client is playing in the group, and authenticated attributes of the client are used to determine which roles the client can play in a group. We focus on a GCS using a client-server architecture where the distributed protocols are run between a set of servers providing services to numerous clients. More specifically, our contributions are:

- We investigate the requirements for access control mechanisms in GCS and show why identity-based schemes do not provide enough flexibility to support a large class of collaborative applications.
- We design a fine-grained access control framework for GCS, based on ideas in role-based access control [26, 10] and RT [15], a role-based trust-management language. Our framework allows an
application to define its specific policies while the enforcement is performed in an efficient manner by the GCS. This is achieved by defining a set of basic group operations and roles that can be controlled and enforced by the GCS. Any application specific policy can be decomposed into these basic operations and application specific roles can be mapped to system roles.
- We analyze what are the implications of process (servers and clients) failures and network connectivity changes on the life cycle of a group policy in general, and of an access control policy in particular, and suggest how these issues can be addressed.

Roadmap. We discuss the failure and trust models we use in Section 2. In Section 3 we present in detail the components for a group policy, while in Section 4 we discuss the effects of process failures and network partitions on the life cycle of the policy. We overview related work in Section 5. Finally, we summarize our work and suggest future work directions in Section 6.

2 Trust and Failure Models

In this section, we discuss the trust and failure models we are using in this paper.

2.1 Trust Model

In client-server GCS, a trust model has to define the trust relationships within each layer (trust relationship between clients and trust relationship between servers) as well as between layers (i.e. do clients trust servers or not). Given this environment, several trust models are possible, ranging from a model where no entity trusts any other entity for any
operation, both within a layer and between layers, to an optimistic model where servers and clients trust each other completely. In this paper, we adopt the following trust model:

- Servers trust each other: in order for the system to be bootstrapped correctly, a list of legitimate servers should be provided to all servers, in the form of an ACL. Setting up this list is a system administrator's task and not an application task. We assume that there is a way to authenticate a server when it comes up and verify whether it is on the authorized configuration list. Once authenticated and authorized all servers trust each other. We note that in general the number of servers is small and that the way these systems are used is first define a servers configuration that provides best performance for a specific network environment and application deployment. Therefore, in this case, an ACL is an acceptable solution.
- Clients trust servers to enforce the access control policy. This assumption is acceptable because, in the client-server GCS architecture, clients already trust
the servers to maintain group membership and to transport, order and deliver group messages, so it seems natural to trust them also for enforcing the access control policy. Furthermore, this will allow for a more efficient enforcement since in numerous cases the decision can be made by each server locally, diminishing the communication overhead.
- Clients are not trusted (either by the other clients or by servers). Therefore, compromising one client does not compromise the security of the whole system.

2.2 Failure Model

Our model considers a distributed system that is composed of a group of servers executing on several computers and coordinating their actions by exchanging messages. The message exchange is conducted via asynchronous multicast and unicast. Messages can be lost or corrupted. We assume that message corruption is masked by a lower layer. A client obtains the group communication services by connecting to one of the servers. A client can connect locally or remotely. Both clients and servers may fail. When a server fails, all the clients that are connected to that server will stop receiving group communication services; they are not redirected to other servers.

Due to network events (e.g., congestion or outright failures) the network can be split into disconnected subnetwork fragments. At the group communication layer, this is referred to as a partition. A network partition splits
the servers and can potentially split several client groups in different components. While processes (servers or clients) are in separate disconnected components they cannot exchange messages. When a network partition is repaired, the disconnected components merge into a larger connected component; this is referred to at the group communication layer as a merge. First servers are merged, which in turn can trigger several client groups to be merged.

Byzantine (arbitrary) process failures are not considered in this work.

3 A Policy Model for Access Control in Group Communication Systems

In this section, we study the requirements for specifying access control policies in GCS and propose a policy model for doing so. Our goal is to design a policy model that is flexible enough such that it supports a diversified set of application policies; in addition, the policy model can be efficiently implemented by the GCS. The basic approach we use is as follows. For any group there is a set of basic operations that can be performed by principals (entities) based on their role, in a given context. The mapping between group operations and roles, in a given context, defines the access control policy for that group. This way, instead of having every individual application implement and enforce its own access control mechanisms, we have applications defining specific policies that are translated to the set of basic operations that the GCS is aware of and can enforce access control on.

The rest of this section is organized as follows. We begin by describing an example scenario and discussing the various possible access control policies in Section 3.1. In Section 3.2, we describe the group operations that are subjected to access control. We analyze the use of roles in group policies in Section 3.3. We present the policy model in Section 3.4. In Section 3.5 we describe how a policy specified in the model is enforced. We discuss the challenges in maintaining the policy, while dealing with dynamic membership, failures and network partitions in Section 4.

3.1 An Example Scenario

Consider a virtual-classroom application implemented using a GCS. Multiple courses exist in
the application. Each course has multiple sessions, each of which is represented by a virtual classroom, implemented as a group. For each course, there are instructors (some courses may have more than one instructor), TAs, and students. A classroom should be created only by an authorized user; thus a policy controlling the creation of groups must exist before the creation of a group. We call such a policy a template policy. Each course has a template policy. Since template policies exist outside the context of any group and can be viewed as resources not specific to GCS, standard access control techniques are used to control the creation and modification of template policies. In the simplest case, only
the GCS administrator is allowed to create or modify template policies.

A template policy determines, among other things, who can create a group based on the policy. One possible group creation rule is that only the instructors of a course are allowed to create a classroom for the course. An alternative rule is that a TA may also create a classroom. One may also allow the course instructor to delegate to another user, e.g., a guest lecturer, the authority to create a classroom.

After the classroom/group is created, a group policy needs to be created. A group policy can be created by copying the template policy. This group policy may then be tailored to suit the need of the current classroom session. Only authorized users should be allowed to change the group policy.

Various users may join the classroom in different roles, e.g., instructor, TA, student. Only authorized users should be allowed to join these roles. For joining as a student, different rules are desirable for different cases. Examples include: only students who are enrolled in the class may join, the instructor or the TAs can admit additional students in special cases, or only students who are connecting from certain IP addresses may join (e.g., when taking an exam).

Several kinds of communication may be going on simultaneously in the classroom, and they should be subjected to different access control rules. For example, communication can be public: lectures delivered by the instructor, public questions asked by a student and the answers to those questions by the instructor or another member of the classroom. Some classrooms may allow any student to freely ask questions, [...] Communication can also be private, for example students may be allowed to ask questions privately to the TAs, or submit their answers to a quiz given in class. The instructor may be also allowed to eject a student from the classroom.

We note that most of the above services are provided by a GCS, without any access control enforcement. For example, the Spread [8] group communication system allows for multicast (public) and unicast (private) communication within a group, it also allows for any member to be both a sender and a receiver and can distinguish between different types of messages, while providing different reliability and ordering communication services. In addition, confidentiality and integrity of the data is provided.

3.2 Operations in Groups

From the above scenario description, we can extract the sensitive operations that need access control. The following operations are not performed within the context of a group, they precede the group creation and are not subjected to a group policy or a template policy: 1) create a group template policy and 2) modify a group template policy.

A comprehensive list of basic operations that apply to a group and are the object of access control is presented below:

1. Create a group.
2. Modify a group policy.
3. Join a group.
4. Send a message of a given type.
5. Receive a message of a given type.
6. Eject a user from a group.
7. Destroy a group.

The above list does not include the operation of leaving a group because this is an operation that cannot be controlled. It is impossible to prevent a client from leaving a group¹.

We allow separate control for joining a group, sending a message, and receiving a message to provide support for a wide range of applications. For some applications several group members may be allowed to send, but not to receive messages. An example of such an application is an information reporting military application where clients use wireless communication; it is desirable to limit the information clients receive and store to minimize the damage caused in case of compromise. For other applications, some group members may be allowed to receive but not to send messages. For example, in a conference with a large number of participants only representatives may answer questions, while the rest of the participants are
just listening.

3.3 Roles in Groups

One approach to specify and enforce access control is to use access control lists (ACLs). Under this approach, a group has an ACL, which includes a set of users and the operations they are allowed to carry out. Such an approach is appropriate when the number of principals and operations is small and static. In general, ACLs have the following disadvantages. First, ACLs can get very large. For example, if every registered student in a university is allowed to join a classroom, then the ACL would be simply too long. Second, the ACL often duplicates information maintained in other places and its use in a dynamic distributed system will require maintaining its consistency across several sites which can be very difficult and prone to introduce inconsistency in the system.

¹ Any client can effectively leave a group by closing the connection with the server.

From the scenario described in Section 3.1, it is clear that the set of operations a user is allowed to carry out depends upon the role that the user is playing in a group. For example, although a user may be the instructor of a course, in a guest lecture session she may be playing a TA or a student role.

We distinguish between two kinds of roles: system roles and application roles. System roles are predefined by the GCS; they exist in every group and have predefined meanings in terms of operations they are allowed to carry out. The following are system roles our framework supports:

- (Group) creator: this role has at most one member, identifying the user that is the original creator of the group, i.e., the first member of the group. Because of failures, a group's creator role may be empty.
- (Group) controller: this role has exactly one member, who has full control over a group, including changing the policy for the group and destroying a group. When a user creates a group, it is automatically made the creator and the controller of the group. We differentiate the group creator from the group controller for several reasons. First, the creator of a group may want to transfer the controller responsibilities to another member of the group; for example, a TA may create a classroom before the instructor comes and then, after the instructor joins, transfer the role to the instructor. Second, even when the group creator is the original controller, it may crash or leave the group, in which case another member needs to assume the group controller role.
- (Group) member: any user who joins a group is automatically a member of this role.

Each system role comes with a set of allowed operations and has a set of operations that can be more fine grained defined. For example, for a client with the role group member restrictions on send and receive can be defined based on the message type.

Each group may also have a set of application-specific roles, for example, in the
virtual classroom scenario, the following application roles may be needed: instructor, TA, student, auditor.

Once a user joins a group, the user may also perform the following operations related to roles:

1. Assume a role.
2. Drop a role.
3. Appoint another user to a role.
4. Remove another user from a role.

We allow a client to drop a role at its will; however, the other three operations are subjected to access control.

The access control policy of the group defines the operations each role is allowed to carry out. In other words, a group access control policy maps each role to a set of operations. At any time, a user in a group plays a set of roles. When a user is about to perform an action, the roles that the user is playing are used to determine whether the action should be authorized or not. The roles and permissions that the application defines are mapped to system roles and operations a GCS is aware of and can enforce.

3.4 A Model for Access Control Policies in GCS

Clients must be authenticated before an access control policy is enforced. Several authentication mechanisms are commonly used. A GCS may provide a username/password based authentication mechanism or may use an external authentication system such as Kerberos [14, 18]. The client may connect with the server through TLS/SSL [1] with client authentication, in which case the client's public key and X.509 [22] distinguished name are available. Another solution is having the client to use certificates that document attributes of the clients, e.g., certificates in trust management systems such as RT.

The set of operations a client is allowed to carry out may depend on more than just the roles of the client; environmental factors may also have an effect. For example, a student may be allowed to attend a lecture if he/she is registered f
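
The role-to-operation mapping of Sections 3.2 and 3.3, with per-message-type rules and one environment parameter (source IP address), expressed in code for the virtual-classroom scenario. This is an added example, not code from the paper; the names `Rule`, `GroupPolicy` and `classroom_policy`, the mapping of application roles onto system roles, and the 10.20.0.0/16 exam network are assumptions made for illustration.

```python
# Added example; all class/function names and the sample policy are hypothetical.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Basic group operations (section 3.2) and access-controlled role operations (3.3).
OPERATIONS = {"create_group", "modify_policy", "join", "send", "receive", "eject",
              "destroy", "assume_role", "appoint", "remove_from_role"}

@dataclass(frozen=True)
class Rule:
    operation: str
    msg_type: Optional[str] = None   # send/receive only; None matches any type
    network: Optional[str] = None    # environment parameter: required source network

    def matches(self, operation, msg_type, client_ip):
        if operation != self.operation:
            return False
        if self.msg_type is not None and msg_type != self.msg_type:
            return False
        if self.network is None:
            return True
        # An environment constraint fails closed when the address is unknown.
        return (client_ip is not None and
                ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.network))

@dataclass
class GroupPolicy:
    app_to_system: dict                         # application role -> system role
    rules: dict = field(default_factory=dict)   # role -> list of Rule

    def grant(self, role, *rules):
        for rule in rules:
            if rule.operation not in OPERATIONS:
                raise ValueError(f"not a basic group operation: {rule.operation}")
        self.rules.setdefault(role, []).extend(rules)

    def is_allowed(self, roles, operation, msg_type=None, client_ip=None):
        if operation == "drop_role":
            return True   # a client may drop a role at will
        # Permissions are the union over the played roles and their system roles.
        effective = set(roles) | {self.app_to_system[r] for r in roles
                                  if r in self.app_to_system}
        return any(rule.matches(operation, msg_type, client_ip)   # default deny
                   for role in effective for rule in self.rules.get(role, []))

def classroom_policy():
    """Constructed policy for the virtual-classroom scenario of section 3.1."""
    p = GroupPolicy(app_to_system={"instructor": "controller", "ta": "member",
                                   "student": "member"})
    p.grant("controller", Rule("modify_policy"), Rule("eject"), Rule("destroy"))
    p.grant("member", Rule("receive", msg_type="lecture"))
    p.grant("instructor", Rule("join"), Rule("send", msg_type="lecture"))
    p.grant("ta", Rule("join"), Rule("receive", msg_type="private_question"))
    # Exam session: students may join only from a constructed exam-room network.
    p.grant("student", Rule("join", network="10.20.0.0/16"),
            Rule("send", msg_type="private_question"))
    return p
```

Leaving a group is deliberately absent from `OPERATIONS`, matching the paper's point that it cannot be controlled.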