context-aware dynamic access control for pervasive applications
TRANSCRIPT
Context-aware Dynamic Access Control for Pervasive Applications∗
Guangsen Zhang, Manish ParasharThe Applied Software Systems Laboratory
Department of Electrical and Computer Engineering,Rutgers University,
{gszhang,parashar}@caip.rutgers.edu
Abstract
As computing technology becomes more pervasive andmobile services are deployed, applications will need flexibleaccess control mechanisms. Unlike traditional approachesfor access control, access decisions for these applicationswill depend on the combination of the required credentialsof users and the context and state of the system. In thispaper, we extend the role-based access control model toprovide dynamic context-aware access control for pervasiveapplications. The operation of the presented model is illus-trated.
Keywords: security, access control, context-aware, per-vasive computing, role based.
1 Introduction
Pervasive computing and communication technologiesare rapidly weaving themselves into the fabrics of every-day life and have the potential for fundamentally redefiningthe way we interact with information, each other, and theworld around us. The proliferation of smart gadgets, mo-bile devices, PDAs and sensors has enabled the constructionof pervasive computing environments, transforming regularphysical spaces into intelligent spaces [4]. Such intelligentspaces provide services and resources that users can accessand interact with via personal portable devices such as aPDA using short-range wireless communications such asBluetooth or IEEE 802.11. The resulting anytime-anywhereaccess infrastructures is enabling a new generation of appli-cations that can leverage this pervasive information Grid tocontinuously manage, adapt and optimize. One example ofsuch an application is the Aware Home project at Georgia
∗The research presented in this paper is supported in part by NSF viagrants numbers ACI 9984357 (CAREERS), EIA 0103674 (NGS) and EIA-0120934 (ITR), and by DOE ASCI/ASAP (Caltech) via grant numbersPC295251 and 1052856.
Institute of Technology [7]. Sensors in the home can cap-ture, process and store a variety of information about its res-idents and their activities, enabling the Aware Home appli-cation to detect and respond to events in the room. Anotherapplication is the Intelligent Room project at MIT. In thisapplication, computers are embedded in a room so that peo-ple can interact with computers the way they do with otherpeople, using speech, gesture, movement and context [9].Other applications are described in [2, 6]. Such pervasiveapplications are characterized by continuous pervasive ac-cess to information, resources and services and ad hoc, dy-namic interactions between participating entities, and leadto significant research challenges.
One key challenge in pervasive applications is manag-ing security and access control. Access Control List (ACL)is a very commonly used access control mechanism. Inthis approach, permission to access resources or services ismoderated by checking for membership in the access con-trol list associated with each object. However, this strat-egy is inadequate for pervasive applications as it does notconsider context information. In a pervasive environment,users are mobile and typically access resources (informa-tion, services, sensors, etc.) using mobile devices. As aresult the context of a user (i.e. location, time, system re-sources, network state, network security configuration, etc.)is highly dynamic, and granting a user access without tak-ing the user’s current context into account can compromisesecurity as the user’s access privileges not only depend on“who the user is” but also on “where the user is” and “whatis the user’s state and the state of the user’s environment”.As a result, even an authorized user can damage the sys-tem as the system may have different security requirementwithin different contexts. Traditional access control mech-anisms such as access control list break down in such anenvironments and a fine-grained access control mechanismthat changes the privilege of a user dynamically based oncontext information is required.
Although a lot of work has been done in the area of ac-cess control, most of this work is user-centric, where only
credentials of the user are considered when granting accesspermission. Relatively little research has been done to com-bine context information with credentials while making ac-cess control decisions. The existing research however doesnot address pervasive applications where context is dynamicand a user’s privileges must continuously adapt based on thecontext.
This paper presents a dynamic context-aware access con-trol mechanism that dynamically grants and adapts permis-sions to users according to current context. The proposedmechanism extends the role based access control (RBAC)model [1], while retaining its advantages (i.e. ability todefine and manage complex security policies). The modeldynamically adjustsRole AssignmentsandPermission As-signmentsbased on context information. In our approach,each user is assigned a role subset (by the authority service)from the entire role set. Similarly the resource has permis-sion subsets for each role that will access the resource. Dur-ing a secure interaction, state machines are maintained bydelegated access control agents at the subject (Role StateMachine) to navigate the role subset, and the object (Per-mission State Machine) to navigate the permission subsetfor each active role. The state machine consists of state vari-ables (role, permission), which encode its state, and com-mands, which transform its state. These state machines de-fine the currently active role and its assigned permissionsand navigate the role/permission subsets to react to changesin the context.
The rest of this paper is organized as follows: Section 2presents background and related work. Section 3 outlinesa motivating application. Section 4 presents the proposeddynamic context-aware access control model. Section 5presents a short discussion about the model and its imple-mentation. Section 6 concludes the paper.
2 Background and Related Work
Role based access control (RBAC) [10, 1] is an alterna-tive to traditional discretionary (DAC) and mandatory ac-cess control (MAC). In RBAC, users are assigned roles androles are assigned permissions. A principle motivation be-hind RBAC is the ability to specify and enforce enterprisespecific security policies in a way that maps naturally to anorganization’s structure. As user/role associations changemore frequently then role/permission associations, in mostorganizations, RBAC results in reduced administrative costsas compared to associating users directly with permissions.It can be shown that the cost of administrating RBAC isproportional to U+P while the cost of associating users di-rectly with permissions is proportional to U*P, where U isthe number of individuals in a role and P is the number ofpermissions required by the role. Sandhu et al [10, 1] de-fine a comprehensive framework for RBAC models which
are characterized as follows:
• RBAC0 : the basic model with users associated withroles and roles associated with permissions.
• RBAC1 : RBAC0 with role hierarchies.
• RBAC2 : RBAC1 with constraints on user/role,role/role, and/or role/permission associations.
Recently RBAC was found to be the most attractive so-lution for providing security features in different distributedcomputing infrastructure [10]. Although the RBAC modelsvary from very simple to pretty complex, they all share thesame basic structure of subject, role and privilege. Otherfactors such as relationship, time and location, which maybe part of an access decision, are not considered in mak-ing access control decision in these models. In this paper,we extendRBAC0 to provide context-aware access controlmechanisms for pervasive applications.
Giuri and Iglio [3] have proposed a role-based accesscontrol model that provides special mechanisms for the def-inition of content-based access control policies. By extend-ing the notion of permission, they have allowed for the spec-ification of security policies in which the permission of anobject may depend on the content of the object itself. Forexample, in a health-care organization, the physician is onlyallowed to access and modify patient records related to hisor her patient.
Woo and Lam [11] designed a distributed authorizationservice using their Generalized Access Control Language(GACL). In their design, they use the notion of system loadas the determining factor in certain access control decisions,so that, for example, certain programs can only be executedwhen there is enough system capacity available.
Finally, Michael J. Covington et al [8, 7] have pro-posed the Generalized Role Based Access Control (GR-BAC) model. In this model, they extend the traditionalRBAC by applying the roles to all the entities in a sys-tem. (In RBAC, the role concept is only used for sub-jects). By defining three types of roles, i.e., Subject roles,Environment roles, and Object roles, GRBAC uses context-information as a factor in making access decisions.
All of the research efforts described above take addi-tional factors into consideration when make access controldecision. However, both Giuri, Iglio and Woo, Lam don’tconsider context information as a key factor in their accesscontrol mechanism. In GRBAC, the definition of environ-ment roles allows the model to partially address problem wedescribed, but it may not be feasible in practice because thepotential large amount of environment roles make the sys-tem hard to maintain. Also, by defining too many roles inthe system, it loses the advantage that RBAC provides.
3 Access Control Challenges for PervasiveApplications
To illustrate the motivation of our research, let us discussan example application that will be enabled by a pervasivecomputing infrastructure in a smart building of a university,as illustrated in Figure 1. The building has many roomsincluding faculty offices, administration offices, conferencerooms, classrooms and laboratories. Sensors in the build-ing can capture, process and store a variety of informationabout the building, the users and their activities. Perva-sive applications in such an environment allow faculty, staff,students and administrators to access resources/informationfrom any locations at anytime while inside this building us-ing mobile devices (PDAs) and wireless networks. Whileuser credentials are still the basis for all the access controldecisions, user’s context information and application stateshould also be considered. For example, a student can onlycontrol the audio/video equipment in a classroom if she/heis scheduled to present in that class at that time by the fac-ulty in charge. Similarly the payroll server should not beallowed to access if its load is above 80% or if the accessis over an insecure link. In such applications, privileges as-signed to the user will change as context changes. If the useris accessing the resource while the user’s context informa-tion is changing (say the moves from a secure network linkto an insecure link), specific access control mechanisms areneeded to ensure that system/application security and con-sistency are maintained without decreasing flexibility.
Figure 1. Smart Building Application
The examples above embody many of the key ideas ofthe research presented in this paper. To maintain system se-curity for such a pervasive application, we have to dynam-ically adapt access permissions granted to users as contextinformation for the session changes. Context informationhere includes environment of the user such as location, timethat the user access the resource and system informationsuch as CPU usage and network bandwidth. The traditional
RBAC models [1] do not directly address the requirementsof such an application. In the RBAC model, the user is as-signed a subset of roles when the user begins a session. Thissubset of roles are then used to access resources. During asession, although roles can be activated or deactivated basedon constraints such as role conflict or prerequisite roles, theuser’s access privilege is not changed based on context in-formation. Recently, Michael J. Covington et al have pro-posed the GRBAC model [8] that used context to provideaccess control for Aware Home applications. However, thedefinition of environment role is not feasible for pervasiveapplications as described in the previous section.
4 Dynamic Role Based Access Control Model
Dynamic Role Based Access Control model (DRBAC)addresses the dynamic access control requirement of appli-cations in pervasive environments. It extends the traditionalRole Base Access Control (RBAC) model to use dynamiccontext information while making access control decision.Specifically, DRBAC addresses two key requirements mo-tivated by the application in Section 3: (1) A user’s accessprivileges must change when the user’s context changes.(2) A resource must adjust its access permission when itssystem information (e.g., network bandwidth, CPU usage,memory usage) changes. In this section, we first formallydefine DRBAC and then describe its operation.
4.1 DRBAC Definition
The DRBAC definition is based on the RBAC formalismpresented in [5]. DRBAC has the following components:
• USERS. A user is an entity whose access is being con-trolled. USERS represents a set of users.
• ROLES. A role is a job function within the contextof an organization with some associated semantics re-garding the authority and responsibility conferred onthe user assigned to the role. ROLES represents a setof roles.
• PERMS. A permission is an approval to access one ormore RBAC protected resources. PERMS represents aset of permissions.
• ENVS. ENVS represent the set of context informationin the system. We use an authorized “Context Agent”to collect context information in our system.
• SESSIONS. A session is a set of interactions betweensubjects and objects. A user is assigned a set of rolesduring each session. The active role will be changeddynamically among the assigned roles for each inter-action. SESSIONS represents a set of sessions.
• UA. UA is the mapping that assigns a role to a user.In the session, each user is assigned a set of roles, thecontext information is used to decide which role is ac-tive. The user will access the resource with the activerole.
• PA. PA is the mapping that assign permissions to arole. Every role that has privilege to access the re-source is assigned a set of permissions, and the con-text information is used to decide which permission isactive for that role.
The model is illustrated in Figure 2. In the approach, aCentral Authority (CA) maintains the overall role hierarchy.When the user logs on the system, based on the user’s capa-bility, a subset of the role hierarchy is assigned to the userfor each session. Then the CA sets up an agent for that userand delegates the user’s right to that agent. The agent willmonitor the environment status of the user and dynamicallychange the active role of the user. Every resource maintainsa set of permission hierarchies for each potential role thatwill access the resource. The resource maintains its envi-ronment and dynamically adjusts the permissions for eachrole. We summarize the above discussions below:
Figure 2. Dynamic Access Control Model
DRBAC Definition:
- USERS, ROLES, PERMS, ENVS and SESSIONS(users, roles, permissions, environments and sessions,respectively).
- ACT ROLE and ACT PERMISSION (activerole and active permission respectively).
- UA⊆USERS×ROLES, a many-to-many mapping user-to-role assignment relation.
- PA⊆PERMS×ROLES , a many-to-many mappingpermission-to-role assignment relation.
- Assignedroles (u:USERS, e:ENVS)→ 2ROLES , themapping of user u onto a set of roles.
- Assignedpermissions (r:ROLES, e:ENVS)→2PERMS , the mapping of role r onto a set ofpermissions.
- User sessions (u:USERS)→ 2SESSIONS , the map-ping of user u onto a set of sessions.
- Sessionroles (s:SESSIONS)→ 2ROLESS , the map-ping of session s onto a set of roles. Formally:sessionroles (si) ⊆ {r∈ROLES| (sessionroles (si),r)∈UA}
- RH ⊆ ROLES×ROLES is a partial order on ROLEScalled the inheritance relation, written as≥ , wherer1 ≥ r2 only if all PERMS ofr2 are also PERMS ofr1, and all users ofr1 are also users ofr2.
- PH⊆ PERMS× PERMS is a partial order on PERMScalled the inheritance relation, written as≥ , wherep1 ≥ p2 only if all permissions ofp2 are also permis-sions ofp1, and all roles ofp1 are also roles ofp2.
4.2 DRBAC Explained
In DRBAC, each user is assigned a role subset from theentire role set. Similarly, each resource will assign a per-mission subset from the entire permission set to each rolewhich has a privilege to access the resource. Figure 3 il-lustrates the relationship between the role hierarchy main-tained at the Central Authority (CA) and the role hierarchyassigned to a particular user. It can be seen that the rolehierarchy a user is a subset of the overall role hierarchy.
Figure 3. Role Hierarchy State Machine
State machines maintain the role subset for each user andthe permission subset for each role. A state machine con-sists of state variables, which encode its state, and events,which transform its state. In DRBAC, there is a Role StateMachine for each user, and a Permission State Machine foreach role. The role and permission are used as state vari-ables respectively. The Context Agent collects context in-formation and generates pre-defined events to trigger tran-sitions in the state machines. A permission state machine isillustrated in Figure 4.
Figure 4. Permission Hierarchy State Machine
A null permission implies no permission. A transition isdefined as T(Initial State, Destination State). So T(P1, P2)represents the transition from P1 to P2 and T(P2, P1) repre-sents the transition from P2 to P1. The Role State Machineis similar to the Permission State Machine.
4.3 DRBAC Operation
The operation of DRBAC is illustrated using the exam-ple presented in Section 3. In this example, when ProfessorB logs on the system in her office with a PDA, the centralauthority assigns her a subset of roles, for example,Profes-sor, LecturerandFaculty, based on her credentials. Thenthe central authority also sets up an access control agent onher PDA, which maintains the role state machine. Eventsissued by the context agent will trigger transitions betweenthe roles in the role state machine. Now, consider a securitypolicy that definesB’s active role asProfessorwhen she isin the office (see Figure 5, where the dashed circle is theactive role), and defines the transition as:Change role fromProfessor to Faculty when professor B leaves her office.
Figure 5. Role Hierarchy for the Smart Build-ing
When professorB accesses the resource in her office,the active roleProfessoris used. The resource maintainsthe permission state machines as shown in Figure 6. Thefigure shows that each of the roles,Professor, Faculty andLecturer, have their own permission state machines. The
dashed circle represents the current active permission foreach role. Thenull means the role does not have permissionto access the resource. Similar to the role state machine, thecontext agent at the resource will trigger transitions in thepermission state machine. In this example, we assume thatthe active permission of the roleprofessoris P1 while thesystem load of the resource is low.P1 means both read andwrite privilege. The security policy for the resource maydefine a permission transition for roleprofessoras:Transitpermission fromP1 to P2 when the system load is high. ThepermissionP2 means only read privilege.
Figure 6. Permission Hierarchy for the Re-source
Based on the situations defined above, we can describesome scenarios to illustrate dynamic access control.
• When professorB moves out of her office, the contextagent will send an event to the access control agent onher PDA. This event will trigger a transition in the rolestate machine, changing her active role toFaculty. As aresult, professorB will not be able to write to resourceonce she leaves her office as roleFacultyonly has thepermissionP2 or null.
• When professorB accesses the resource in her office,her active role isprofessor, which has both read andwrite privilege on the resource as long as the systemload of the resource is low. If the system load becomescritically high, the resource permission state machinewill change the active permission for professorB’s roleprofessorto P2 and she will lose the privilege to writethe resource.
From the scenarios described above, we see that DRBACcan enhance the security of the pervasive applications. TheDRBAC mechanism implemented in this application guar-antees that professorB’s privilege to access the resourcewill be changed dynamically when the context changes. Us-ing context information to change the user’s privileges pre-vents resources from being incorrectly used.
5 Discussion
The major strength of DRBAC model is its ability tomake access control decisions dynamically based on thecontext information. This property is particularly useful forapplications in pervasive computing environments. How-ever, implementing DRBAC can increase the complexity ofan application. The overhead of DRBAC is experimentallyevaluated in [12]. To successfully implement DRBAC inthe real applications, the following issues should consid-ered:
• As we use the context information while granting ac-cess privilege, we must guarantee the security of thecontext information. Compromised context informa-tion can cause a system make incorrect access controldecisions and can comprise the security of the applica-tions.
• In the DRBAC model, the active role of the user andthe active permission of the role can change dynam-ically. It is possible that in some situations the ac-tive role of user changes but the user has already beengranted permissions to access the resource based on apreviously assigned role. Mechanisms are required tomaintain consistency in such a situation.
• Because the DRBAC role state machine will run on theuser’s device (PDA, mobile phone), the resource con-sumption of the mobile terminal will increase. How-ever, users will typically have fewer than ten roles as-signed to them. Given the increasing power of mobiledevices, maintaining a state machine with less than tenstates should have little if any affect on performance.
6 Conclusion
In this paper, we presented the Dynamic Role Based Ac-cess Control (DRBAC) model that provides context awareaccess control for pervasive applications. DRBAC extendsthe role based access control (RBAC) model and dynami-cally adjustsRole AssignmentsandPermission Assignmentsbased on context information. The operation of the modelwas illustrated using a sample application scenario. Com-pared to traditional access control mechanisms, the DRBACmodel can provide improved security for pervasive appli-cations. However, access control alone is not sufficientand DRBAC must be combined with feasible authentica-tion mechanisms to secure pervasive applications in the realworld.
References
[1] S. Gavrila D. R. Kuhn D. F. Ferraiolo, R. Sandhu andR. Chandramouli. Proposed nist standard for role-based access control.ACM Transactions on Informa-tion and System Security, 4(3):224–274, 2001.
[2] National Science Fundation. National Ecolog-ical Observatory Network Project Web Site.http://www.nsf.gov/bio/neon/start.htm.
[3] L. Giuri and P. Iglio. Role templates for content-basedaccess control. InProceedings of the Second ACMWorkshop on Role Based Access Control, Virginia,USA, 1997.
[4] R. Campbell J. Al-Muhtadi, A. Ranganathan andM. D. Mickunas. A flexible, privacy-presevering au-thentication framework for ubiquitous computing en-vironments. InInternational Workshop on Smart Ap-pliances and Wearable Computing, Vienna, Austria,2002.
[5] K. Beznosov J. Barkley and J. Uppal. Supporting re-lationships in access control using role based accesscontrol. 1999.
[6] J. Elson H. Wang D. Maniezzo R.E. Hudson K. YaoJ.C. Chen, L. Yip and D. Estrin. Coherent acousticarray processing and localization on wireless sensornetwork. IEEE Proceedings, 91(8), August 2003.
[7] M. J. Moyer M. J. Covington and M. Ahamad. Gen-eralized role-based access control for securing futureapplications. In23rd National Information SystemsSecurity Conference. (NISSC 2000), Baltimore, Md,USA, October 2000.
[8] S. Srinivasan A. Dey M. Ahamad M. J. Covington,W. Long and G. Abowd. Securing context-aware ap-plications using environment roles. May 2001.
[9] Massachusetts Institute of Technology. TheIntelligentRoom Research Project Web Site.http://www.ai.mit.edu/projects/iroom/index.shtml.
[10] H. Feinstein R. Sandhu, E. Coyne and C. Youman.Role-based access control models.IEEE Computer,29(2):38–47, 1996.
[11] T. Y. C. Woo and Simon S. Lam. Designing a dis-tributed authorization service. InProceedings of IEEEINFOCOM, 1998.
[12] G. Zhang and M. Parashar. Dynamic context-awareaccess control for grid applications. In IEEE Com-puter Society Press, editor,4th International Work-shop on Grid Computing (Grid 2003), pages 101 –108, Phoenix, AZ, USA, November 2003.