Tuesday, June 28, 2011

Context-aware Dynamic Access Control for Pervasive Applications

Abstract
As computing technology becomes more pervasive and mobile services are deployed, applications will need flexible access control mechanisms. Unlike traditional approaches for access control, access decisions for these applications will depend on the combination of the required credentials of users and the context and state of the system. In this paper, we extend the role-based access control model to provide dynamic context-aware access control for pervasive applications. The operation of the presented model is illustrated.

Keywords: security, access control, context-aware, pervasive computing, role based.

Introduction
Pervasive computing and communication technologies are rapidly weaving themselves into the fabric of everyday life and have the potential to fundamentally redefine the way we interact with information, each other, and the world around us. The proliferation of smart gadgets, mobile devices, PDAs and sensors has enabled the construction of pervasive computing environments, transforming regular physical spaces into intelligent spaces [4]. Such intelligent spaces provide services and resources that users can access and interact with via personal portable devices such as a PDA using short-range wireless communications such as Bluetooth or IEEE 802.11. The resulting anytime-anywhere access infrastructure is enabling a new generation of applications that can leverage this pervasive information Grid to continuously manage, adapt and optimize. One example of such an application is the Aware Home project at Georgia Institute of Technology [7]. Sensors in the home can capture, process and store a variety of information about its residents and their activities, enabling the Aware Home application to detect and respond to events in the room. Another application is the Intelligent Room project at MIT. In this application, computers are embedded in a room so that people can interact with computers the way they do with other people, using speech, gesture, movement and context [9].
Other applications are described in [2, 6]. Such pervasive applications are characterized by continuous pervasive access to information, resources and services and ad hoc, dynamic interactions between participating entities, and lead to significant research challenges.
One key challenge in pervasive applications is managing security and access control. Access Control List (ACL) is a very commonly used access control mechanism. In this approach, permission to access resources or services is moderated by checking for membership in the access control list associated with each object. However, this strategy is inadequate for pervasive applications as it does not consider context information. In a pervasive environment, users are mobile and typically access resources (information, services, sensors, etc.) using mobile devices. As a result the context of a user (i.e. location, time, system resources, network state, network security configuration, etc.) is highly dynamic, and granting a user access without taking the user’s current context into account can compromise security as the user’s access privileges not only depend on “who the user is” but also on “where the user is” and “what is the user’s state and the state of the user’s environment”.
As a result, even an authorized user can damage the system, as the system may have different security requirements within different contexts. Traditional access control mechanisms such as access control lists break down in such environments, and a fine-grained access control mechanism that changes the privileges of a user dynamically based on context information is required. Although a lot of work has been done in the area of access control, most of this work is user-centric, where only the credentials of the user are considered when granting access permission. Relatively little research has been done to combine context information with credentials while making access control decisions. The existing research, however, does not address pervasive applications where context is dynamic and a user’s privileges must continuously adapt based on the context.
This paper presents a dynamic context-aware access control mechanism that dynamically grants and adapts permissions to users according to the current context. The proposed mechanism extends the role-based access control (RBAC) model [1], while retaining its advantages (i.e. ability to define and manage complex security policies). The model dynamically adjusts Role Assignments and Permission Assignments based on context information. In our approach, each user is assigned a role subset (by the authority service) from the entire role set. Similarly, the resource has permission subsets for each role that will access the resource. During a secure interaction, state machines are maintained by delegated access control agents at the subject (Role State Machine) to navigate the role subset, and the object (Permission State Machine) to navigate the permission subset for each active role. The state machine consists of state variables (role, permission), which encode its state, and commands, which transform its state. These state machines define the currently active role and its assigned permissions and navigate the role/permission subsets to react to changes in the context.
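A minimal sketch of the two state machines described above, added here as an illustration and not taken from the paper. The role names, context events and permission sets are constructed, and rejecting any transition that would leave the assigned subset is an assumption about how "navigating the subset" is enforced.

```python
# Added illustration; role names, events and permissions are constructed.
from dataclasses import dataclass, field


@dataclass
class StateMachine:
    """A state variable plus commands mapping (state, context event) -> state."""
    state: str
    subset: frozenset                      # states assigned by the authority
    commands: dict = field(default_factory=dict)

    def on_context(self, event: str) -> str:
        # Events with no matching command leave the state unchanged.
        nxt = self.commands.get((self.state, event), self.state)
        if nxt not in self.subset:         # assumption: never leave the subset
            raise ValueError(f"{nxt!r} is outside the assigned subset")
        self.state = nxt
        return nxt


def make_role_sm() -> StateMachine:
    """Subject side: Role State Machine over the user's role subset."""
    return StateMachine(
        state="visitor",
        subset=frozenset({"visitor", "employee"}),
        commands={("visitor", "enter_office"): "employee",
                  ("employee", "leave_office"): "visitor"},
    )


# Object side: what each permission state allows on the resource.
PERMISSIONS = {"full": {"read", "write"}, "read_only": {"read"}, "none": set()}


def make_permission_sms() -> dict:
    """Object side: one Permission State Machine per role that may access it."""
    return {
        "employee": StateMachine("full", frozenset({"full", "read_only"}),
                                 {("full", "insecure_network"): "read_only",
                                  ("read_only", "secure_network"): "full"}),
        "visitor": StateMachine("none", frozenset({"none"})),
    }


def broadcast(role_sm: StateMachine, perm_sms: dict, event: str) -> None:
    """Deliver one context event to the subject and object agents."""
    role_sm.on_context(event)
    for sm in perm_sms.values():
        sm.on_context(event)


def is_allowed(role_sm: StateMachine, perm_sms: dict, operation: str) -> bool:
    """Decide from the active role and that role's active permission state."""
    perm_sm = perm_sms.get(role_sm.state)
    return perm_sm is not None and operation in PERMISSIONS[perm_sm.state]
```

The same user and the same resource yield different decisions as context events arrive, without any change to the assigned role or permission subsets.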
The rest of this paper is organized as follows: Section 2 presents background and related work. Section 3 outlines a motivating application. Section 4 presents the proposed dynamic context-aware access control model. Section 5 presents a short discussion about the model and its implementation. Section 6 concludes the paper.

Guangsen Zhang, Manish Parashar
The Applied Software Systems Laboratory
Department of Electrical and Computer Engineering,
Rutgers University,
{gszhang,parashar}@caip.rutgers.edu
