PROVENANCE-BASED ACCESS CONTROL MODELS

APPROVED BY SUPERVISING COMMITTEE:
Ravi Sandhu, Ph.D., Co-Chair
Jaehong Park, Ph.D., Co-Chair
Weining Zhang, Ph.D.
Gregory White, Ph.D.
Kay Robbins, Ph.D.

Accepted: Dean, Graduate School

Copyright 2014 Dang Nguyen
All rights reserved.

DEDICATION

To my mother, whose boundless devotion inspires me in life, and to my family members, who supported and encouraged me throughout every moment of this endeavor.

PROVENANCE-BASED ACCESS CONTROL MODELS

by

DANG NGUYEN, M.Sc.

DISSERTATION
Presented to the Graduate Faculty of
The University of Texas at San Antonio
In Partial Fulfillment
Of the Requirements
For the Degree of
DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE

THE UNIVERSITY OF TEXAS AT SAN ANTONIO
College of Sciences
Department of Computer Science
August 2014

ACKNOWLEDGEMENTS

No words can express my most sincere gratitude and appreciation for my advisors, Dr. Ravi Sandhu and Dr. Jaehong Park, without whom this dissertation would not have been accomplished. Their precious guidance and profound advice helped me advance while their immense patience and constant encouragement kept me motivated during my doctoral studies. Learning from their wisdom, dedication and exemplary leadership has enlightened me significantly beyond the scope of this dissertation.

I would like to thank the other members of my committee, Dr. Gregory White, Dr. Kay Robbins, and Dr. Weining Zhang, for their valuable time and insightful comments. I would also like to thank Dr. Rajendra Boppana and Dr. Shouhuai Xu for their constructive feedback in the proposal of this dissertation.

Finally, I would like to thank my best friends and colleagues, Yuan Cheng, Khalid Bijon, Bo Tang and Xin Jin, for their companionship in this academic journey. I am also very grateful for the help and support of many other friends and colleagues at the University of Texas at San Antonio.

This work has been graciously supported by the National Science Foundation grant CNS-1111925, AFOSR MURI and the State of Texas Emerging Technology Fund.
This Masters Thesis/Recital Document or Doctoral Dissertation was produced in accordance with guidelines which permit the inclusion as part of the Masters Thesis/Recital Document or Doctoral Dissertation the text of an original paper, or papers, submitted for publication. The Masters Thesis/Recital Document or Doctoral Dissertation must still conform to all other requirements explained in the Guide for the Preparation of a Masters Thesis/Recital Document or Doctoral Dissertation at The University of Texas at San Antonio. It must include a comprehensive abstract, a full introduction and literature review, and a final overall conclusion. Additional material (procedural and design data as well as descriptions of equipment) must be provided in sufficient detail to allow a clear and precise judgment to be made of the importance and originality of the research reported.

It is acceptable for this Masters Thesis/Recital Document or Doctoral Dissertation to include as chapters authentic copies of papers already published, provided these meet type size, margin, and legibility requirements. In such cases, connecting texts, which provide logical bridges between different manuscripts, are mandatory. Where the student is not the sole author of a manuscript, the student is required to make an explicit statement in the introductory material to that manuscript describing the student's contribution to the work and acknowledging the contribution of the other author(s). The signatures of the Supervising Committee which precede all other material in the Masters Thesis/Recital Document or Doctoral Dissertation attest to the accuracy of this statement.

August 2014

ABSTRACT

PROVENANCE-BASED ACCESS CONTROL MODELS

Dang Nguyen, Ph.D.
The University of Texas at San Antonio, 2014

Supervising Professors: Ravi Sandhu, Ph.D. and Jaehong Park, Ph.D.

Provenance data of a system resource provides historical information including the pedigree of and past activities on the resource.
This information is useful and has been demonstrated to be effectively usable in various computing systems in different scientific as well as business application domains. Incorporating provenance-awareness into systems has garnered considerable recent attention and has been the focus of academic and industrial communities. One of the concerns is the question of how cyber security can be achieved and enhanced in systems that are provenance-aware. Security tasks include how to utilize the information and knowledge in provenance data to address existing issues such as insider threat detection and malicious data dissemination. In scenarios where provenance data is more critical than the associated system data, it is also essential to secure the provenance data itself.

This dissertation primarily investigates the security of provenance-aware systems from an access control point of view. In provenance-aware systems, provenance information can be utilized for secure access control of the regular system resources as well as of the associated provenance data of such resources. The two approaches can be termed provenance-based access control (PBAC) and provenance access control (PAC). A provenance data model, which is built on causality dependencies of provenance entities capturing system events, provides a foundation for achieving desirable access control goals. Built on that data model, the focus of this dissertation is on provenance-based access control models that enable efficient and expressive access control features.

PBAC models can be applied in single, distributed, and multi-tenant cloud systems. This dissertation demonstrates the application of PBAC in a single system by extending the standard XACML framework and evaluates a proof-of-concept implementation in the context of an online homework grading system. The dissertation also demonstrates the possibility of incorporating PBAC mechanisms into cloud computing systems by developing and evaluating a proof-of-concept PBAC extension to several service components of the open-source OpenStack cloud management software. The study of a variety of deployment architecture approaches further consolidates the insights and knowledge gained in the process. Experimental results from these case studies demonstrate the feasibility of the approach and promise an enhanced and secure access control foundation for future computing systems.

TABLE OF CONTENTS

Acknowledgements  iv
Abstract  vi
List of Tables  xii
List of Figures  xiii

Chapter 1: Introduction  1
1.1 Motivations  1
1.2 Research Challenges  3
1.2.1 Enhancing Features of Access Control Approaches  4
1.2.2 Security Aspects of Provenance in Cloud Infrastructure-as-a-Service  5
1.3 Thesis  7
1.4 Summary of Contributions  7
1.5 Organization of the Dissertation  8

Chapter 2: Background and Related Work  9
2.1 Overview of Traditional and Existing Access Control Models  9
2.2 Dynamic Separation of Duties Variations  11
2.3 Open Provenance Model  14
2.3.1 The Provenance Data Model (Prov-DM)  17
2.4 Standards and Tools  17
2.4.1 Resource Description Framework  17
2.4.2 Extensible Access Control Markup Language  21
2.5 Overview of OpenStack Architecture  24

Chapter 3: Foundation of Access Control in Provenance-aware Systems  26
3.1 Characteristics of Provenance Data  26
3.2 Base Provenance Data Model  27
3.2.1 Model Components  28
3.2.2 Model Specifications  31
3.2.3 Use Case Scenarios and Sample Usages  33
3.3 Using Provenance for Access Control  36

Chapter 4: Provenance-based Access Control  39
4.1 Base PBAC (PBAC_B) Model  39
4.1.1 Model Components  39
4.1.2 Policy Specifications  41
4.1.3 Access Evaluation Procedure  43
4.1.4 Model Specifications  44
4.1.5 A Case Study  46
4.2 Contextual PBAC (PBAC_C) Model  48
4.2.1 Model Components  49
4.2.2 Contextual Provenance Data Model  52
4.2.3 Model Specifications  55
4.2.4 Policies and Access Evaluation  58
4.2.5 DSOD in PBAC_C Model  59
4.2.6 Pre-Enforcement Access Evaluation  63
4.3 An XACML-based PBAC Prototype  65
4.3.1 An Extended XACML Architecture  66
4.3.2 Prototype Implementation  67
4.3.3 Experiments and Evaluation  68