Document Sample
Percom_Presentation Powered By Docstoc
					                 Criticality Aware Access
                     Control Model for
                 Pervasive Applications
Sandeep K. S. Gupta, T. Mukherjee, K. Venkatasubramanian
Impact Lab (
Department of Computer Science & Engineering
Ira A. Fulton School of Engineering
Arizona State University
Tempe, Arizona, USA

Supported in part by Mediserve Inc and US National Science Foundation
   Motivation
   Critical Events, Criticality
   Criticality Aware Access Control (CAAC)
   Challenges
   Architecture
   Specification
   Verification
   Conclusions and Future Work
Access Control in Smart Spaces
   Smart spaces – e.g. homes, hospitals – allow inhabitants
    to physically interact with information-rich virtual entities.
   Access control necessary to prevent unauthorized
    access for malicious use.
   How to balance access Flexibility and Security?
       Stringent access control may prevent expedited mitigative
        actions in case of emergencies
       Relaxing access control may invite malicious use
   Traditional access control models (mechanisms +
    policies) are not suitable
       Mainly reactive and not designed to handle emergency (critical)
   Goal: To design a smart-space access control model
    that provides necessary flexibility for handling access
    control in case of emergencies while minimizing security
Critical events
   Events which cannot be responded to, using the routine
    set of capabilities of the subjects.

   Examples:
       Tornado is a critical event for a smart-home.
       Heart-attack is a critical event in a home environment.

Routine policy                                                  Emergency policy
                                Critical Events

             Normal Situation                     Emergency Situation

Characteristics of Critical Events
                                                     Normal actions

   Requires exceptional set of actions
    for controlling the emergency –
    avoiding catastrophic failure.

   Request based reactive context
    evaluation is inadequate.                 Critical event

   Proactive context monitoring is

   We define the term ‘Criticality’ as
       the measure of responsiveness
        required for an emergency situation
                                                     Exceptional actions
Temporal Requirement for Criticality
   Every critical event has a Window of opportunity (Wo) to respond.

   Value of Wo is criticality dependent.

                              Normal actions
                             Mitigative actions

                  Critical Event            Mitigation       Wo

 Examples of Criticality and Wo

                                  Heart attack - 1st one hour critical (golden hour).

                                  Tornado – evacuation within 5 minutes
                                            of first warning. *

                                  Data-center - 90 seconds after cooling failure.

                                  Disaster Recovery – 30 days time. **

*   **
    Goals of Criticality Aware Access
   Facilitate timely mitigation of criticality
       May require change in access privileges
       Proactive – automatic and continuous context evaluation
       Duration of change in access privileges should be finite.
       If critical emergency,
           choose users
           provide access

   Traditional access control is inadequate
       Reactive – explicit request-based context evaluation
       If ok, provides access
   Criticality Aware Access Control (CAAC)

Patient Emergency                        Patient (No
(Doctor not available)                   Emergency)

                                              Normal mode
                                                            In this mode, an alternate set
                                                            of access privileges are enforced
                                 CAAC                       for facilitating mitigative actions
                                             CAAP mode

       Allow another doctor to
       Access Patient Data              Treat Patient
    CAAC Challenges / Properties
   Responsiveness
     How   fast to react ?

   Correctness
     How   to evaluate context / detect criticality?

   Liveness
     How   long to impose CAAP-mode?

   Non-Repudiability
     How    to deter malicious behavior as a result of
      privilege changes in CAAP-mode?
   Measures the speed with which the alternate set of
    policies is enforced after the occurrence of a critical

   If,
         Ta is the time to take mitigative actions for a critical event
         D is the time to initiate the enforcement.

   Then,
         The Critical Event can be successfully handled iff

                              D + Ta ≤ Wo
   The duration of policy changes (TCAAP), in response to
    critical events, should be:
         Finite
         Lasts only as long as needed

   If,
         TEOC is the time instant when a criticality is controlled.
         TEU is the time instant when all the necessary mitigative steps for
          a criticality have been taken.

   Then, assuming criticality occurred at time 0,

                         TCAAP = min (TEOC, TEU, Wo)
Correctness and Non-Repudiability
   Correctness
     CAAP-mode    should only be initiated in response to a
      critical event.
     Highly system dependent.

   Non-Repudiability
      All system activities performed in the CAAP-mode,
      should be monitored for ensuring accountability.
     Deters malicious use of system during criticality,
      when alternate (possibly elevated) privileges are in
                CAAC Architecture
                         Access Control Policy Management

                                                              Management Unit
        Role Management Unit                                      (AMU)
                                              Criticality Management Unit

                                                            Dynamic Context
            Access Control Meta-Data (ACM)                  Management Unit
                                                            Context Gathering
    Roles              Subjects         Privileges           Platform (CGP)

• Extends Context Aware Role Based Access Control (CA-RBAC)
  by introducing CMU.

• CA-RBAC is an event with Wo = infinity

• Proactive context evaluation as opposed to reactive in CA-RBAC.
  Criticality Management Unit (CMU)
          Queries specific context information
          during normal mode (as in CA-RBAC)

Moves the system into CAAP-mode
                                                     Criticality Notification
and informs other components in the                        Unit (CNU)
architecture about this
                                                                  Criticality Level         Handler
                                                                 Determination Unit          (NCH)
Determines the level of criticality       Access Control               (CLD)
and the associated Wo based on              Meta-data
the input from CI                            Provider
                                                                     Context Interpreter

Provides the access control meta-data
to the CNU for determining the policies                    Proactively monitors for the context and
for the CAAP-mode                                          intelligently detects the occurrence of a
                                                           critical event
               CAAC – Big Picture
                   Normal mode
                                                CAAP is
                   CAAP-mode                 reverted when
                                             the criticality is
               Critical Event    TEOC   Wo      mitigated
Scenario 1

               Critical Event           Wo     CAAP is
                                             reverted after
                                              Wo expires
  Scenario 2

                      Domain of CAAC
Criticality Aware          Context Aware
Access Control         Access Control (Reactive)
                                                            Role Based
                                                            Access Control

                    Criticality Aware   CAAC   (Reactive)
                     Access Control
                    (non-role based)
CAAC Model
   Access to resources provided based on:
     Criticality
     Other contexts

   Privileges given to subjects implemented using
    Role Based Access Control (RBAC) model.

   Two types of roles:
      System Role (rsys): role assigned when subject
      joins the system, doctor in hospital.
     Space Role (rspace): role assigned based on
      subject’s domain of work, surgeon in ED.
CAAC Model (Contd..)
   Each resource maintains a list of roles
    and associated privileges called
    Access Control List (ACL).              Criticality
                                                              Space Role
   The function f maps the users’ space
    roles onto a corresponding role in the

   The presence of criticality leads to the
                                                          f            ACL
    mapping of the users’ space role to a                     Role     Privileges
    different one in the ACL.
                                                              Role 1   Privileges for
                                                                       Role 1
   Our sample specification, always                          Role 2   Privileges for
    promotes the users’ roles in the event                             Role 2
    of criticality.
      Promoted Role Table (PRT) is                           Role N   Privileges for
        maintained for accountability                                  Role N
CAAC- Policy Specifications
   Specify rules for accessing service provided by

   Two types of policies:
      Administrative
          Define the rules for administrative function within the
     Access     Control
          Define the rules based on which access is given to
           subjects for both critical and non-critical situations.
    Access Control Specification
   Promote Role – elevates subject’s privileges when criticality is
    detected (system goes into CAAP-mode)

   Demote Role – resets subject’s privileges when criticality is mitigated
    (or Wo is expired).

   Notify Critical
      proactively monitors for critical events
      determines the appropriate elevation/reset of subject’s privileges
       using promoterole function.

   Access Control Predicate (ACP)
        Boolean condition that determines the access to resources when explicit
         access requests are made.
Promote Role
   Step 1: Determine the occurrence of Criticality

   Step 2: If one found
     DetermineWo
     Compute new Space Role with elevated privileges.
     Update PRT.

   Step 3: Return the new space role
Demote Role
   Step 1: For each resource reset the role of
    users back to their original space role.

   Step 2: Update PRT accordingly.
Notify Critical
   Continuously monitor system for occurrence of criticality
       If no criticality found AND system is in CAAP-mode (TEOC)
            Demote role
            Revert system to normal state
       If criticality found AND system is in CAAP-mode, BUT
            Wo expired
                  Demote role
                  Revert system to normal state
            All mitigate steps have been taken (TEU)
                  Demote role
                  Revert system to normal state
       If criticality found AND system is not in CAAP-mode
            Set system to CAAP-mode
            Find and notify appropriate users
            Promote their roles.
Access Control Predicate
   Previous specifications catered for:
     Proactive context monitoring
     Automatic policy changes

   ACP is used for providing access on
    explicit request from users, based on
     Current context
     Validity of the request
     Availability of required services
Administrative Policies
   Adding and removing Space Roles.

   Adding and removing System Roles.

   Role Accountability
     examines activities during the period when
     subject’s privileges are elevated.
     checks the PRT.
  Putting it all together
                      Notify Critical

Promote Role

                                        Demote Role

Accountability                             ACP
Verification of the specification
   Correctness: The system can enter the CAAP-mode iff there is a
    critical event (ensured by Notify Critical).

   Liveness: For a single critical event, a subject’s role is promoted for
    a maximum of Wo time (ensured by Notify Critical).

   Responsiveness: When a critical event occurs:
      The subject is immediately notified (using Notify Critical)
      If required the subject’s access privileges are elevated (role promotion
       using Promote Role)
      Any role promotion is active until either the criticality is controlled or it
       cannot be controlled anymore (this is ensured by Notify Critical and
       Demote Role).

   Non-repudiation: Malicious use of elevated privileges after the
    occurrence of a critical event is non-repudiable (ensured by Role
Criticality Aware Access Control       Traditional Access Control

   Proactive context monitoring      Reactive context monitoring

   Ideal for emergency               Slower for emergency
    management                         management

   Automated and flexible            Manual and inflexible

   Push based access                 Pull based access
Future Work

   Studying the interdependencies among the
    different properties of CAAC
     e.g.  how does fast response affects mitigation
   Studying multiple simultaneous criticalities
     What policies to enforce in the CAAP mode?
     How to model the resulting emergency situation?
     What are the conditions for mitigation of all the
   F. Adelstein, S. K. S. Gupta, G. G. Richard and L. Schwiebert,
    “Fundamentals of Mobile and Pervasive Computing'‘, McGraw Hill,

   R. Sandhu, E. Coyne, H. Feinstein and C. Youman, ``Role Based
    Access Control Models'‘, In IEEE Computer, Feb, 1996.pp 38-47

   A. Kumar, N. Karnik and G. Chafle, ``Context Sensitivity in Role-
    based Access Control'‘, In ACM SIGOPS OS Review 36(3), July,

   Working Group on Natural Disaster Information Systems, ``Effective
    Disaster Warning'‘, November, 2000

   G. Sampemane, P. Naldurg and R. Campbell, ``Access control for
    Active Spaces'‘, In Proc. of ACSAC, 2002

Shared By: