Behavioural access control in distributed environments

Applications and services in distributed environments are an increasingly important topic. Hence approaches to security issues in such applications are also becoming essential. Crucial information is needed to be protected properly and mechanisms must be developed for this protection. Access control...

Full description

Bibliographic Details
Main Author: Zhao, Yining
Other Authors: Wood, Alan
Published: University of York 2013
Subjects:
Online Access:http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.581733
id ndltd-bl.uk-oai-ethos.bl.uk-581733
record_format oai_dc
spelling ndltd-bl.uk-oai-ethos.bl.uk-5817332017-10-04T03:18:50ZBehavioural access control in distributed environmentsZhao, YiningWood, Alan2013Applications and services in distributed environments are an increasingly important topic. Hence approaches to security issues in such applications are also becoming essential. Crucial information is needed to be protected properly and mechanisms must be developed for this protection. Access control is one of the topics that underline security problems. It concerns assuring that data or resources are accessed by the correct entities. A commonly used access control approach is called access control lists, which is widely applied in most operating systems. However, this approach has some weaknesses with regard to scalability, and so it is not very suitable for distributed environments that usually have variable populations. Capabilities on the other hand offer scalability and adaptability advantages over access control lists. Capabilities are unforgeable tickets that can be propagated between entities, and fit well in distributed environments. But capabilities also have limits due to their simple structure. They grant infinite number of accesses for given types of actions, but are not able to capture sequences and branches of actions, which may be called aspects of behaviours. In this thesis, behaviour control approaches are introduced, through Vistas to Treaties. Vistas can provide explicit access control for each component of objects, and provide primitive control over action sequences. Treaties develop behaviour control further by containing behaviour descriptors which can specify those sequencing, branching and terminating aspects, and hence can provide much finer control over behaviours. Because treaties inherit the scalable attributes of capabilities, they also fit well in distributed environments. An interesting feature in treaty systems is that they allow users to refine the specifications of behaviours and generate new treaties from existing ones. A number of treaty combinator operations are proposed to realize this functionality, and they are shown to be safe with respect to the security of access control. A novel issue created by the treaty approach is identified in the thesis. The new problem is called the duplication problem, which could cause users being able to gain more permissions than they should have by making copies of unprotected treaties. Any treaty systems must provide solutions to this problem. Three models which solve the duplication problem are proposed, with an analysis of their differences, and advantages and disadvantages. Treaties are a general concept and in real cases they can be represented in various ways. There are components in treaties that have given a variety of implementation options, and the developers of services and applications can choose to combine these options to fit their special requirements. This makes treaties more flexible and adaptable. The implementations of concreted treaties and treaty systems are introduced, and these implemented treaties are used to test their behaviour control abilities. Evaluations for different treaty representations are provided to compare their performance. Scalability of treaty systems is also evaluated, showing that treaties are good to be deployed in distributed environments.005.8University of Yorkhttp://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.581733http://etheses.whiterose.ac.uk/4640/Electronic Thesis or Dissertation
collection NDLTD
sources NDLTD
topic 005.8
spellingShingle 005.8
Zhao, Yining
Behavioural access control in distributed environments
description Applications and services in distributed environments are an increasingly important topic. Hence approaches to security issues in such applications are also becoming essential. Crucial information is needed to be protected properly and mechanisms must be developed for this protection. Access control is one of the topics that underline security problems. It concerns assuring that data or resources are accessed by the correct entities. A commonly used access control approach is called access control lists, which is widely applied in most operating systems. However, this approach has some weaknesses with regard to scalability, and so it is not very suitable for distributed environments that usually have variable populations. Capabilities on the other hand offer scalability and adaptability advantages over access control lists. Capabilities are unforgeable tickets that can be propagated between entities, and fit well in distributed environments. But capabilities also have limits due to their simple structure. They grant infinite number of accesses for given types of actions, but are not able to capture sequences and branches of actions, which may be called aspects of behaviours. In this thesis, behaviour control approaches are introduced, through Vistas to Treaties. Vistas can provide explicit access control for each component of objects, and provide primitive control over action sequences. Treaties develop behaviour control further by containing behaviour descriptors which can specify those sequencing, branching and terminating aspects, and hence can provide much finer control over behaviours. Because treaties inherit the scalable attributes of capabilities, they also fit well in distributed environments. An interesting feature in treaty systems is that they allow users to refine the specifications of behaviours and generate new treaties from existing ones. A number of treaty combinator operations are proposed to realize this functionality, and they are shown to be safe with respect to the security of access control. A novel issue created by the treaty approach is identified in the thesis. The new problem is called the duplication problem, which could cause users being able to gain more permissions than they should have by making copies of unprotected treaties. Any treaty systems must provide solutions to this problem. Three models which solve the duplication problem are proposed, with an analysis of their differences, and advantages and disadvantages. Treaties are a general concept and in real cases they can be represented in various ways. There are components in treaties that have given a variety of implementation options, and the developers of services and applications can choose to combine these options to fit their special requirements. This makes treaties more flexible and adaptable. The implementations of concreted treaties and treaty systems are introduced, and these implemented treaties are used to test their behaviour control abilities. Evaluations for different treaty representations are provided to compare their performance. Scalability of treaty systems is also evaluated, showing that treaties are good to be deployed in distributed environments.
author2 Wood, Alan
author_facet Wood, Alan
Zhao, Yining
author Zhao, Yining
author_sort Zhao, Yining
title Behavioural access control in distributed environments
title_short Behavioural access control in distributed environments
title_full Behavioural access control in distributed environments
title_fullStr Behavioural access control in distributed environments
title_full_unstemmed Behavioural access control in distributed environments
title_sort behavioural access control in distributed environments
publisher University of York
publishDate 2013
url http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.581733
work_keys_str_mv AT zhaoyining behaviouralaccesscontrolindistributedenvironments
_version_ 1718543171666837504