Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette Project Prism - Cornell University DLI2 All-Projects Meeting June 14, 2000

Policy-Carrying, Policy-Enforcing Digital Objects

Sandra Payette, Project Prism - Cornell University

DLI2 All-Projects Meeting, June 14, 2000

Access Control Challenge

Enforcement of highly expressive access control policies to support context-specific requirements of digital libraries.

Figure: a continuum from General-Purpose Policy Enforcement to Context-Specific Policy Enforcement.

Limitations of traditional access control mechanisms

• Fixed set of abstractions
  – objects are files, directories, etc.
  – actions are read, write, execute, etc.

• Limited expressiveness for policies

• Not easily extended for complex or fine-grained policies

Requirements for new contexts

• Architecture that supports behavior-centric policy enforcement

• Policy definition languages that are flexible

• Highly secure enforcement mechanism

• Support for mobile code and mobile computing environments

Policy Enforcement Continuum

Figure: a continuum from repository-centric to object-centric enforcement, with Digital Objects toward the object-centric end.

Generalization

• Digital objects can be treated as generic entities, even if they are very specialized in some ways

• Generic policies can address the non-specific nature of a digital object or a collection of digital objects

“Only repository managers can delete objects from the collection.”

Specialization

• Digital objects can have object-specific policies associated with them

• Policies may be fine-grained or idiosyncratic

• General-purpose enforcement mechanisms will not easily accommodate these policies, if at all

Example: Object-specific policy

Users can access Lecture Object “A” according to the following rules:

  Action                         Requirement
  Access High Resolution Video   Cornell student credential
  Access Low Resolution Video    Cornell student credential or pay fee
  Access Slides 1-20             No restriction
  Access Slides 21-25            Cornell student credential
  Access Descriptive Metadata    No restriction

Policy-Carrying, Policy-Enforcing Digital Objects - motivation

• Semantics of policies should parallel the behavioral semantics of real-world entities

• Decentralized policy management

• Extensibility for policies and mechanisms

• Portability and Mobile computing (policies move with the objects)

Experiments: Building on existing work

• Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000)

• Security Automata (Schneider, 1999)

• PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)

Fedora Digital Object Model

Figure: a digital object packages DataStreams (content) behind Disseminations offered through a generic interface. A Primitive Disseminator returns an internal stream directly; a Typed Disseminator is an extensible mechanism that encapsulates a service request to produce the dissemination.

Fedora - Behaviors

Figure: the LectureArchive object. DataStreams: Video-H (mpeg), Video-L (mpeg), slide-1 (gif), slide-2 (gif), metadata (xml). Content Disseminations: the LectureMechanism provides GetVideo(quality), GetSlide(seqNum) and GetSyncData; the DublinCore disseminator provides GetDCRecord and GetDCField(name).

Security Automata

• Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained

• Policies are modeled as finite-state machines

• Enforcement mechanism simulates automaton, preventing executions that violate policy

Source: Schneider, 1999

Example: Simple Security Automata

Figure: a small automaton whose events are “Descriptive Metadata Accessed”, “Present Cornell ID” and “Lesson 1 Video Accessed”. Once the descriptive metadata has been accessed, the transition to the Lesson 1 video is enabled only after a Cornell ID is presented.

“After viewing descriptive metadata, ONLY Cornellians can access the Lesson 1 video.”

Policy Enforcement Toolkit (PoET)

• Implements In-line Reference Monitors (IRMs) that simulate security automata

• Mediates all executions upon a system, application, or object

• Modifies bytecode to embed policies (trusted program rewriter)

• Converts Java applications to secured applications

Source: Erlingsson and Schneider, 1999, 2000

PoET - how it works

Figure: a policy written in PSLang and the application's Java bytecode are fed to the PoET Rewriter, which emits modified bytecode with the policy embedded; the PoET Class Loader loads that bytecode into the JVM, and the program runs obeying the policy.

Source: Erlingsson and Schneider, 1999, 2000

Fedora and PoET

Figure: the LectureArchive object now carries its policies as datastreams (Policy-L (psl), DefaultPolicy) alongside Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml). Its Content Disseminations are provided by the GuardedLecture Mechanism, Java bytecode in-lined with the policies, and by the DublinCore disseminator.
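The policy table for Lecture Object “A”, the two-state security automaton and the PoET in-line reference monitor above can be put together in one runnable sketch. The Python below is an added example, not code from Project Prism, Fedora or PoET: PoET rewrites Java bytecode, whereas this monitor is installed by rewriting the object's method table when the guarded object is built; the credential sets, the LectureArchive datastreams and the one-automaton-per-caller-session arrangement are assumptions made for the illustration. It combines the table's per-dissemination rules with the automaton's stateful rule (after the descriptive metadata has been viewed, the low-resolution video needs a Cornell ID even from a caller who paid the fee), fails closed for anything the policy does not list, and shows that a denied call never reaches the datastream.

```python
"""Security automaton + in-line reference monitor for Lecture Object "A" (added example)."""
from typing import Callable, FrozenSet, Optional, Tuple

Principal = FrozenSet[str]  # credentials presented with a request, e.g. {"cornell_id"}

class PolicyViolation(Exception):
    """The automaton has no transition for the attempted event."""

class SecurityAutomaton:
    """Schneider-style automaton: a current state plus a transition function mapping
    (state, method, args, caller) to the next state, or None if no transition exists."""
    def __init__(self, initial: str, delta: Callable[..., Optional[str]]) -> None:
        self.state, self.delta = initial, delta
    def step(self, method: str, args: Tuple, who: Principal) -> None:
        nxt = self.delta(self.state, method, args, who)
        if nxt is None:                      # no transition: the event violates the policy
            raise PolicyViolation(f"{method}{args} denied in state {self.state!r}")
        self.state = nxt

def lecture_a_policy(state: str, method: str, args: Tuple, who: Principal) -> Optional[str]:
    """Rules of the policy table plus the automaton slide's stateful rule (after the
    metadata has been viewed, only Cornellians get the video). Unlisted events: denied."""
    cornell = "cornell_id" in who
    if method == "GetDCRecord":                         # no restriction, but remembered
        return "metadata_seen"
    if method == "GetSlide":
        (seq,) = args
        if 1 <= seq <= 20:                              # slides 1-20: anyone
            return state
        if 21 <= seq <= 25:                             # slides 21-25: Cornell credential
            return state if cornell else None
    if method == "GetVideo":
        (quality,) = args
        if quality == "high":                           # high res: Cornell credential
            return state if cornell else None
        if quality == "low" and state == "metadata_seen":   # the stateful tightening
            return state if cornell else None
        if quality == "low":                            # low res: credential or fee
            return state if (cornell or "fee_paid" in who) else None
    return None

class LectureArchive:
    """Stand-in Fedora object: constructed datastreams behind the 'Fedora - Behaviors' disseminations."""
    def __init__(self) -> None:
        self.streams = {"Video-H": b"<mpeg high>", "Video-L": b"<mpeg low>", "metadata": b"<xml dc>",
                        **{f"slide-{i}": f"<gif {i}>".encode() for i in range(1, 26)}}
        self.served = 0  # datastreams actually released to callers

    def _serve(self, key: str) -> bytes:
        self.served += 1
        return self.streams[key]
    def GetVideo(self, quality: str) -> bytes:
        return self._serve("Video-H" if quality == "high" else "Video-L")
    def GetSlide(self, seqNum: int) -> bytes:
        return self._serve(f"slide-{seqNum}")
    def GetDCRecord(self) -> bytes:
        return self._serve("metadata")

class GuardedObject:
    """In-line reference monitor: each dissemination runs the automaton before the original
    body. PoET rewrites Java bytecode; here the method table is rewritten at construction."""
    def __init__(self, target: LectureArchive, automaton: SecurityAutomaton) -> None:
        self.automaton = automaton
        for name in ("GetVideo", "GetSlide", "GetDCRecord"):
            setattr(self, name, self._guard(name, getattr(target, name)))
    def _guard(self, name: str, original: Callable) -> Callable:
        def guarded(*args, who: Principal):
            self.automaton.step(name, args, who)     # raises before any content moves
            return original(*args)
        return guarded

def attempt(obj: GuardedObject, method: str, who: Principal, *args) -> bool:
    """Try one dissemination; True if the automaton let it through."""
    try:
        getattr(obj, method)(*args, who=who)
        return True
    except PolicyViolation:
        return False

def demo() -> dict:
    """The table's cases plus the stateful one; a fresh automaton per caller session."""
    anonymous, student, payer = frozenset(), frozenset({"cornell_id"}), frozenset({"fee_paid"})
    new = lambda: SecurityAutomaton("start", lecture_a_policy)
    archive, r = LectureArchive(), {}
    anon = GuardedObject(archive, new())
    r["anon_slide_5"] = attempt(anon, "GetSlide", anonymous, 5)
    r["anon_slide_23"] = attempt(anon, "GetSlide", anonymous, 23)
    r["anon_high"] = attempt(anon, "GetVideo", anonymous, "high")
    r["anon_served"] = archive.served                  # only slide 5 was released
    pay = GuardedObject(LectureArchive(), new())
    r["payer_low_before_md"] = attempt(pay, "GetVideo", payer, "low")
    r["payer_metadata"] = attempt(pay, "GetDCRecord", payer)
    r["payer_low_after_md"] = attempt(pay, "GetVideo", payer, "low")
    stu = GuardedObject(LectureArchive(), new())
    r["student_metadata"] = attempt(stu, "GetDCRecord", student)
    r["student_low_after_md"] = attempt(stu, "GetVideo", student, "low")
    r["student_slide_23"] = attempt(stu, "GetSlide", student, 23)
    return r
```

Calling demo() runs the cases and returns which were allowed; the point to notice is that a denied call raises inside the guard before the original method body executes, so the archive's served counter only moves for allowed disseminations, which is the "prevents executions that violate policy" property of a security automaton. The transition function is where the slide's "decentralized policy management" lives: it travels with the object, and swapping it changes the policy without touching the object's datastreams or disseminators.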

The Overall Result

Figure: the LectureArchive object, with the GuardedLecture Mechanism and the DublinCore disseminator, enforcing on its Content Disseminations:

• High resolution video: students only

• Low resolution video: students; others with fee

• Slides: #1-20 all users; #21-25 students only

Challenges and Future Work

• Ramp up - enforcement of more complex policies, more object types

• Examine tension between object-centric vs. repository centric policy enforcement

• Mobile computing - trust schemes to support policy enforcement as objects move

• “Intentional” policies and dynamic binding

• Preservation application of security automata - detect unacceptable transitions

References - Fedora

Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998, (Lecture notes in computer science; Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html

Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html

Payette, Sandra and Carl Lagoze, “Policy-Carrying, Policy-Enforcing Digital Objects,” accepted by Fourth European Conference on Research and Advanced Technology for Digital Libraries, Portugal, Springer, 2000, (Lecture notes in computer science), draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps

Payette, Sandra and Carl Lagoze, “Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone,” D-Lib Magazine, June 2000, http://www.dlib.org/dlib/june00/payette/06payette.html

References: Security Automata and PoET

Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR98-1664, Department of Computer Science, Cornell University, July 24, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664

Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR99-1758, Department of Computer Science, Cornell University, July 19, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758

Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786