Abstract
Our society is increasingly moving towards richer forms of information exchange where mobility of processes and devices plays a prominent role. This tendency has prompted the academic community to study the security problems arising from such mobile environments, and in particular, the security policies regulating who can access the information in question.
In this paper we propose a mechanism for specifying access privileges based on a combination of the identity of the user seeking access, their credentials, and the location from which they seek it, within a reconfigurable nested structure.
We define BACIR, a boxed ambient calculus extended with a Distributed Role-Based Access Control mechanism where each ambient controls its own access policy. A process in BACIR is associated with an owner and a set of activated roles that grant permissions for mobility and communication. The calculus includes primitives to activate and deactivate roles. The behavior of these primitives is determined by the process’s owner, its current location and its currently activated roles. We consider two forms of security violations that our type system prevents: 1) attempting to move into an ambient without having the authorizing roles granting entry activated and 2) trying to use a communication port without having the roles required for access activated. We accomplish 1) and 2) by giving a static type system, an untyped transition semantics, and a typed transition semantics. We then show that a well-typed program never violates the dynamic security checks.
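As an added illustration, not the paper's calculus, the Python sketch below models the two dynamic checks the abstract describes: each ambient carries its own entry, port and role-activation policy, and a process carries an owner and its activated roles. The ambient, port and role names, the owners, and the rule that every required role must be active are constructed assumptions.

```python
from dataclasses import dataclass, field
class SecurityViolation(Exception): pass   # raised when a dynamic check fails

@dataclass
class Ambient:
    name: str
    entry_roles: frozenset   # roles that must all be active to move in (assumption)
    port_roles: dict         # port name -> roles that must all be active to use it
    activation: dict         # role -> (owners who may activate it here, roles required first)

@dataclass
class Process:
    owner: str
    location: Ambient
    active_roles: set = field(default_factory=set)

def activate(proc, role):  # decided by the owner, the current ambient and the active roles
    owners, prereq = proc.location.activation.get(role, (frozenset(), frozenset()))
    if proc.owner not in owners or not prereq <= proc.active_roles:
        raise SecurityViolation(f"{proc.owner} may not activate {role} in {proc.location.name}")
    proc.active_roles.add(role)

def deactivate(proc, role):
    proc.active_roles.discard(role)

def move_in(proc, target):  # violation 1: entering without the authorizing roles activated
    if not target.entry_roles <= proc.active_roles:
        raise SecurityViolation(f"entry into {target.name} denied for {proc.owner}")
    proc.location = target

def use_port(proc, port):  # violation 2: using a port without the required roles activated
    needed = proc.location.port_roles.get(port)
    if needed is None or not needed <= proc.active_roles:
        raise SecurityViolation(f"port {port} in {proc.location.name} denied for {proc.owner}")
    return f"{proc.owner} used {port} in {proc.location.name}"

def demo():  # constructed scenario: alice must activate 'staff' in the lobby to enter the lab
    lobby = Ambient("lobby", frozenset(), {}, {"staff": (frozenset({"alice"}), frozenset())})
    lab = Ambient("lab", frozenset({"staff"}), {"printer": frozenset({"staff"})}, {})
    alice, log = Process("alice", lobby), []
    for action in (lambda: move_in(alice, lab),          # denied: 'staff' not active yet
                   lambda: activate(alice, "staff"),     # allowed for alice in the lobby
                   lambda: move_in(alice, lab),          # now permitted
                   lambda: use_port(alice, "printer"),   # permitted
                   lambda: deactivate(alice, "staff"),
                   lambda: use_port(alice, "printer")):  # denied: role no longer active
        try:
            log.append(action() or "ok")
        except SecurityViolation as e:
            log.append(str(e))
    return log
```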
This research was partially supported by the NSF Grant No. CCR-0220286 ITR:Secure Electronic Transactions and by US Army Research Office Grant number DAAAD19-01-1-0473.
An erratum to this chapter can be found at http://dx.doi.org/10.1007/11580850_20.
© 2005 Springer-Verlag Berlin Heidelberg
Compagnoni, A.B., Gunter, E.L. (2005). Types for Security in a Mobile World. In: De Nicola, R., Sangiorgi, D. (eds) Trustworthy Global Computing. TGC 2005. Lecture Notes in Computer Science, vol 3705. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11580850_6
DOI: https://doi.org/10.1007/11580850_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30007-6
Online ISBN: 978-3-540-31483-7