Introduction
With the advent of agile programming, lightweight software processes, where the emphasis is on people, not processes, are being favoured over the highly formalised approaches of the 80s and 90s (Boehm, 2002). Likewise, access control may benefit from a less prescriptive approach with an increasing reliance on users to behave ethically. These ideals correlate with optimistic access controls. However, such controls alone may not be enough to ensure that users behave in a trustworthy manner. This research presents a model for enhancing optimistic access controls with usage control to ensure that users conduct themselves in a trustworthy manner. Usage control enables finer-grained control over the usage of digital objects than do traditional access control policies and models, as trust management concerns are also considered. It has become evident that the means by which software is designed and implemented can have a significant impact on software security (Devanbu and Stubblebine, 2000). The aspect-oriented paradigm can facilitate the addition of security features to legacy systems without modifying existing code. This study therefore evaluates the aspect-oriented approach in terms of implementing security concerns such as usage control.
Access control is evidently difficult to implement, and in dynamic environments preconfigured access control policies may often change dramatically depending on the context. In unpredicted circumstances, users who are denied access could often have prevented a catastrophe had they been allowed access. Consider, as an example, a nurse at a hospital that has been isolated during a tornado, who needs access to a patient's records but cannot access them because nurses are not authorised to access this information (Povey, 1999).
In this extreme case, it is possible that the patient's health and safety may be unnecessarily compromised due to the restrictions imposed by the access control system. The costs of implementing and maintaining complex preconfigured access control policies sometimes far outweigh the benefits. Optimistic access controls are retrospective and allow users to exceed their normal privileges. However, if a user accesses information unethically, the consequences could be disastrous. Hence this research proposes that optimistic access control be enhanced with some form of usage control that may prevent the user from engaging in risky behaviour.
Sandhu and Park (2003), who recognised the inadequacy of traditional access control models, proposed a new approach to access control called Usage Control (UCON). This model encompasses emerging applications such as trust management in a unified framework. They claim that the missing components of traditional access control are the concepts of obligations and conditions. Obligations require some action by the subject so as to gain or sustain access, e.g. clicking the ACCEPT button on a licence agreement. Conditions represent system-oriented factors such as time-of-day, where subjects are allowed access only within a specific time period. A family of models for usage control exists, involving pre-authorisation and ongoing authorisations.
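The following sketch is an added illustration, not code from the thesis or its OAC(UCON) prototype: it shows an optimistic override (the nurse scenario) that is permitted only when a UCON-style obligation and condition hold, with every decision logged for retrospective review. The names `Request`, `Monitor` and `NORMAL_RIGHTS`, the justification field and the 06:00 to 22:00 window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed sample policy: rights each role holds under normal access control.
NORMAL_RIGHTS = {"doctor": {"read_record"}, "nurse": set()}

@dataclass
class Request:
    user: str
    role: str
    right: str
    at: time                      # when the request is made (condition input)
    accepted_terms: bool = False  # obligation: subject clicked ACCEPT
    justification: str = ""       # obligation (assumed): reason for the override

@dataclass
class Monitor:
    window: tuple = (time(6, 0), time(22, 0))  # assumed time-of-day condition
    audit: list = field(default_factory=list)  # trail for retrospective review

    def condition_ok(self, now):
        """Condition check; call again during use for an ongoing authorisation."""
        return self.window[0] <= now <= self.window[1]

    def decide(self, req):
        """Pre-authorisation: return 'permit', 'permit-override' or 'deny'."""
        if req.right in NORMAL_RIGHTS.get(req.role, set()):
            outcome = "permit"            # within normal privileges
        elif not (req.accepted_terms and req.justification):
            outcome = "deny"              # obligation not fulfilled
        elif not self.condition_ok(req.at):
            outcome = "deny"              # condition not satisfied
        else:
            outcome = "permit-override"   # optimistic: allow now, review later
        self.audit.append((req.user, req.right, outcome, req.justification))
        return outcome

    def overrides_for_review(self):
        """Entries where a user exceeded normal privileges."""
        return [entry for entry in self.audit if entry[2] == "permit-override"]
```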
CHAPTER 1: INTRODUCTION
1.1 Introduction
1.2 Motivation for this study
1.3 Problem Statement
1.4 Terminology used in this thesis
1.5 Research Methodology
1.6 Delimitations
1.8 Summary
CHAPTER 2: ACCESS CONTROL
2.1 Introduction
2.2 Discretionary Access Control
2.3 Mandatory Access Control
2.4 Role-based Access Control
2.5 Conclusion
CHAPTER 3: OPTIMISTIC ACCESS CONTROL
3.1 Introduction
3.2 Optimistic Access Control
3.3 Requirements for Optimistic Security
3.4 Applicability of optimistic security
3.5 The extensibility of the Optimistic Access Control Model
3.6 Conclusion
CHAPTER 4: USAGE CONTROL
4.1 Introduction
4.2 The continuity and mutability of the UCON model
4.3 The ABC Model for Usage Control (UCON model)
4.4 The Usage Control Model architecture
4.5 The Applicability and Extensibility of the UCON model
4.6 Conclusion
CHAPTER 5: ASPECT-ORIENTED PROGRAMMING
5.1 Introduction
5.2 Evolution to Aspect-Oriented Programming
5.3 Aspect-Oriented Programming Terminology
5.4 AOP Frameworks
5.5 Evaluating Aspect-Oriented Programming
5.6 Conclusion
CHAPTER 6: ASPECT-ORIENTED SECURITY
CHAPTER 7: THE OAC(UCON) MODEL
CHAPTER 8: PROTOTYPING AND MODEL EVALUATION
CHAPTER 9: CONCLUSION
REFERENCES
INDEX
APPENDICES
Appendix A: List of Publications
Appendix B: OOP Documentation
Appendix C: AOP Documentation
Appendix D: Prototype Evaluation
Appendix E: Data Collection
Appendix F: AspectJ Semantics
Appendix G: Running the Demo Project