Client-side access control enforcement using trusted computing and PEI models

Cited by: 7
Authors
Sandhu, Ravi
Zhang, Xinwen
Ranganathan, Kumar
Covington, Michael J.
Affiliations
[1] George Mason Univ, Dept Informat & Software Engn, Fairfax, VA 22030 USA
[2] Intel Syst Res Ctr, Bangalore, Karnataka, India
[3] Intel Corp, Hillsboro, OR 97124 USA
Keywords
access control; trusted computing; PEI models; security framework; client-side security enforcement;
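DOI
Not available
Chinese Library Classification number
TP [Automation Technology, Computer Technology];
Discipline classification code
0812 [Computer Science and Technology];
Abstract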
It has been recognized for some time that software alone does not provide an adequate foundation for building a high-assurance trusted platform. The emergence of industry-standard trusted computing technologies promises a revolution in this respect by providing roots of trust upon which secure applications can be developed. These technologies offer a particularly attractive platform for security policy enforcement in general distributed systems. In this paper we propose a security framework to enforce access control policies with trusted computing, by following the recently proposed policy-enforcement-implementation (PEI) models. Our architecture is based on an abstract layer of trusted hardware which can be constructed with emerging trusted computing technologies. A trusted reference monitor (TRM) is introduced beyond the trusted hardware. By monitoring and verifying the integrity and properties of running applications in a platform using the functions of trusted computing, the TRM can enforce various policies on behalf of object owners. We further extend this platform-based architecture to support general user-based access control policies, cooperating with existing services for user identity and attributes, thus potentially supporting general access control models such as lattice-based, role-based, and usage-based access control policies.
Pages: 229 / 245
Number of pages: 17