Policy-Carrying, Policy-Enforcing Digital Objects
Sandra Payette, Project Prism - Cornell University
DLI2 All-Projects Meeting, June 14, 2000
Access Control Challenge
Enforcement of highly expressive access control policies to support context-specific requirements of digital libraries.
Limitations of traditional access control mechanisms
• Fixed set of abstractions
  – objects are files, directories, etc.
  – actions are read, write, execute, etc.
• Limited expressiveness for policies
• Not easily extended for complex or fine-grained policies
Requirements for new contexts
• Architecture that supports behavior-centric policy enforcement
• Policy definition languages that are flexible
• Highly secure enforcement mechanism
• Support for mobile code and mobile computing environments
Generalization
• Digital objects can be treated as generic entities, even if they are very specialized in some ways
• Generic policies can address the non-specific nature of a digital object or a collection of digital objects
“Only repository managers can delete objects from the collection.”
Specialization
• Digital objects can have object-specific policies associated with them
• Policies may be fine-grained or idiosyncratic
• General-purpose enforcement mechanisms will not easily accommodate these policies, if at all
Example: Object-specific policy
Users can access Lecture Object “A” according to the following rules:
Access High Resolution Video      Cornell student credential
Access Low Resolution Video       Cornell student credential or pay fee
Access Slides 1-20                No restriction
Access Slides 21-25               Cornell student credential
Access Descriptive Metadata       No restriction
Policy-Carrying, Policy-Enforcing Digital Objects - motivation
• Semantics of policies should parallel the behavioral semantics of real-world entities
• Decentralized policy management
• Extensibility for policies and mechanisms
• Portability and Mobile computing (policies move with the objects)
Experiments: Building on existing work
• Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000)
• Security Automata (Schneider, 1999)
• PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)
Fedora Digital Object Model
[Diagram: a digital object holds DataStreams (internal streams) and exposes Disseminations through disseminators. The PrimitiveDisseminator provides the generic interface shared by all objects; TypedDisseminators bind an extensible mechanism, so each dissemination is an encapsulated service request that the mechanism carries out over the DataStreams.]
Fedora - Behaviors
[Diagram: the LectureArchive object. DataStreams: Video-H (mpeg), Video-L (mpeg), slide-1 (gif), slide-2 (gif), metadata (xml). Content disseminations: the LectureMechanism provides GetVideo(quality), GetSlide(seqNum) and GetSyncData; the DublinCore mechanism provides GetDCRecord and GetDCField(name).]
Security Automata
• Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained
• Policies are modeled as finite-state machines
• The enforcement mechanism simulates the automaton alongside the execution and halts the execution as soon as a step has no transition, so no policy-violating step completes
Source: Schneider, 1999
Example: Simple Security Automaton
[Diagram: two states, “Descriptive Metadata Accessed” and “Lesson 1 Video Accessed”; the transition from the first to the second is guarded by “Present Cornell ID”.]
“After viewing descriptive metadata, ONLY Cornellians can access the Lesson 1 video.”
Policy Enforcement Toolkit (PoET)
• Implements In-line Reference Monitors (IRMs) that simulate security automata
• Mediates all executions upon a system, application, or object
• Modifies Java bytecode to embed the policy (a trusted program rewriter)
• Converts ordinary Java applications into secured applications
Source: Erlingsson and Schneider, 1999, 2000
PoET - how it works
[Diagram: a policy written in PSLang and the application's Java bytecode go into the PoET Rewriter, invoked through the PoET Class Loader; the output is modified bytecode with the policy embedded, which the JVM then runs, so the program obeys the policy.]
Source: Erlingsson and Schneider, 1999, 2000
Fedora and PoET
[Diagram: the LectureArchive object with DataStreams Video-H, Video-L, slide-1 (gif), slide-2 (gif), metadata (xml) and a policy stream Policy-L (psl). Content disseminations are served by a GuardedLectureMechanism, Java bytecode in-lined with the policies (Policy-L and a DefaultPolicy), and by DublinCore.]
The Overall Result
[Diagram: the LectureArchive object serving its content disseminations through the GuardedLectureMechanism and DublinCore.]
Enforced policy:
• High resolution video: students only
• Low resolution video: students; others with fee
• Slides #1-20: all users; #21-25: students only
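The Lecture Object “A” policy table, the security automaton, and the PoET-style in-lining of a reference monitor, worked through as an added Python model. It is not code from Fedora, PoET or Project Prism (PoET rewrites Java bytecode and its policies are written in PSLang; neither is reproduced here), and the names it introduces are constructed for the illustration: a Principal with cornell_student and fee_paid flags stands in for credentials, LectureArchive and LectureMechanism stand in for the datastreams and behaviour mechanism of the slides, inline_reference_monitor stands in for the rewriter, and run_session replays one caller's requests.

```python
# Constructed model (not Fedora, PoET or PSLang code): a security automaton encodes
# the Lecture Object "A" policy and a small "rewriter" in-lines it as a reference
# monitor in front of every dissemination, so the policy travels with the object.
from dataclasses import dataclass
import functools

class PolicyViolation(Exception):
    """Raised when the automaton has no transition for the requested step."""

@dataclass(frozen=True)
class Principal:  # caller credentials; constructed flags, not a real credential format
    name: str
    cornell_student: bool = False
    fee_paid: bool = False

# ---- The digital object: datastreams plus an unguarded behaviour mechanism ----
class LectureArchive:  # datastreams; the contents are constructed stand-ins
    def __init__(self):
        self.streams = {"Video-H": b"<mpeg high>", "Video-L": b"<mpeg low>",
                        "metadata": b"<dc><title>Lesson 1</title></dc>",
                        **{f"slide-{n}": f"<gif {n}>".encode() for n in range(1, 26)}}

class LectureMechanism:  # disseminations over the datastreams; no checks of its own
    def __init__(self, obj):
        self.obj = obj
    def GetVideo(self, quality):
        return self.obj.streams["Video-H" if quality == "high" else "Video-L"]
    def GetSlide(self, seqNum):
        return self.obj.streams[f"slide-{seqNum}"]
    def GetDCRecord(self):
        return self.obj.streams["metadata"]

# ---- The policy as a security automaton ---------------------------------------
def table_policy(p, op, args):
    """Static per-dissemination rules from the Lecture Object "A" table."""
    if op == "GetVideo":
        return p.cornell_student or (args[0] == "low" and p.fee_paid)
    if op == "GetSlide":
        return args[0] <= 20 or p.cornell_student
    return op == "GetDCRecord"  # anything else: no transition, hence denied

LECTURE_POLICY = [  # (from_state, guard(principal, op, args) -> bool, to_state)
    ("start", lambda p, op, a: op == "GetDCRecord", "seen"),
    ("start", lambda p, op, a: op != "GetDCRecord" and table_policy(p, op, a), "start"),
    # once descriptive metadata was viewed, video at any quality needs a Cornell ID
    ("seen", lambda p, op, a: op != "GetVideo" and table_policy(p, op, a), "seen"),
    ("seen", lambda p, op, a: op == "GetVideo" and p.cornell_student, "seen"),
]

class SecurityAutomaton:
    """Simulate the automaton: take a matching transition, else reject the step."""
    def __init__(self, transitions, start="start"):
        self.transitions, self.state = transitions, start
    def step(self, principal, op, args):
        for src, guard, dst in self.transitions:
            if src == self.state and guard(principal, op, args):
                self.state = dst
                return
        raise PolicyViolation(f"{principal.name}: {op}{args} rejected in state {self.state!r}")

# ---- The "rewriter": in-line the automaton as a reference monitor ------------
def inline_reference_monitor(mechanism_cls, transitions):
    """Subclass whose public disseminations each run an automaton step first; guarded
    methods take the calling principal as an extra first argument, one automaton per principal."""
    class Guarded(mechanism_cls):
        def __init__(self, *a, **kw):
            super().__init__(*a, **kw)
            self._automata = {}
        def _automaton(self, principal):
            return self._automata.setdefault(principal.name, SecurityAutomaton(transitions))

    def guard(name, fn):
        @functools.wraps(fn)
        def wrapper(self, principal, *args):
            self._automaton(principal).step(principal, name, args)  # raises on violation
            return fn(self, *args)
        return wrapper
    for name, fn in vars(mechanism_cls).items():
        if callable(fn) and not name.startswith("_"):
            setattr(Guarded, name, guard(name, fn))
    Guarded.__name__ = "Guarded" + mechanism_cls.__name__
    return Guarded

def run_session(principal, requests):
    """Replay (op, *args) requests by one principal; report 'ok' or 'denied' for each."""
    obj = inline_reference_monitor(LectureMechanism, LECTURE_POLICY)(LectureArchive())
    outcomes = []
    for op, *args in requests:
        try:
            getattr(obj, op)(principal, *args)
            outcomes.append("ok")
        except PolicyViolation:
            outcomes.append("denied")
    return outcomes

if __name__ == "__main__":  # a fee-paying non-student working through the lecture
    print(run_session(Principal("bob", fee_paid=True), [("GetSlide", 3), ("GetSlide", 22),
          ("GetVideo", "low"), ("GetVideo", "high"), ("GetDCRecord",), ("GetVideo", "low")]))
```

Running it replays a fee-paying non-student through the lecture: slides 1-20 and the low-resolution video are served, slide 22 and the high-resolution video are refused, and once GetDCRecord has moved that caller's automaton into its second state the low-resolution video is refused as well, which is the history-dependent rule an automaton captures and a plain per-request table cannot. Two points to keep in mind when reading it against the slides: Schneider's automaton halts the whole execution on a step it cannot take, whereas this model refuses only the offending request and leaves the caller's state unchanged; and the guarantee is only as strong as the rewriter that installs the monitor and the runtime that keeps the wrapped methods from being bypassed, which is why the slides call PoET's rewriter trusted.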
Challenges and Future Work
• Ramp up - enforcement of more complex policies, more object types
• Examine tension between object-centric vs. repository centric policy enforcement
• Mobile computing - trust schemes to support policy enforcement as objects move
• “Intentional” policies and dynamic binding
• Preservation application of security automata - detect unacceptable transitions
References - Fedora
Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998, (Lecture notes in computer science; Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html
Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html
Payette, Sandra and Carl Lagoze, “Policy-Carrying, Policy-Enforcing Digital Objects,” accepted at the Fourth European Conference on Research and Advanced Technology for Digital Libraries, Portugal, Springer, 2000 (Lecture notes in computer science); draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps
Payette, Sandra and Carl Lagoze, “Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone,” D-Lib Magazine, June 2000, http://www.dlib.org/dlib/june00/payette/06payette.html
References - Security Automata and PoET
Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR98-1664, Department of Computer Science, Cornell University, July 24, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664
Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR99-1758, Department of Computer Science, Cornell University, July 19, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758
Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786