Craß, S. (2020). Secure coordination through fine-grained access control for space-based computing middleware [Dissertation, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2020.81200
E194 - Institut für Information Systems Engineering
Date (published): 2020
Number of Pages: 266
Keywords: access control model; coordination middleware; space-based computing; patterns; XVSM; Peer Model
Abstract:
Developing distributed systems with multiple stakeholders and evolving requirements is a highly complex task, which can be simplified by using middleware with suitable coordination abstractions. However, in open environments like the Internet, security and trust among the participants also have to be considered. Each participant must be able to protect access to its own data and services in a flexible way. This also applies to space-based middleware, which enables data-driven coordination among autonomous processes using decoupled communication via shared spaces. This thesis therefore aims at integrating space-based coordination with security by creating a novel authorization concept that adapts well-established access control principles to the characteristic properties of space-based middleware. The concept relies on simple yet expressive authorization rules that restrict operations on specific space partitions, thus allowing for fine-grained access control. Permissions may depend on authenticated subject attributes, properties of the accessed content, and additional context information. This approach enables administrators to grant each participant only those permissions that are actually necessary for the planned interactions. It is presented by means of access control models for two related middleware technologies that cover different aspects of space-based coordination. XVSM provides configurable sub-spaces with extensible query features, while the Peer Model supports a hierarchical space structure with customizable coordination logic for conditional message routing and service invocations. Using the intrinsic coordination mechanisms of the respective middleware, authorization policies can be configured independently for each distributed space, and administrator privileges for dynamic policy modifications are specified in the same way as regular permissions.
Security is further increased by the use of multiple protection layers, so that permissions need to be acquired at different levels. Due to an integrated delegation and trust concept, the approach is suitable for open environments without fixed trust assumptions. To enable their practical application, the conceptualized access control models are integrated into the respective middleware architectures and their prototypical runtime implementations. Reusability is promoted via the specification of patterns for secure coordination, which provide generic solutions for common coordination tasks by combining the required coordination logic with suitable authorization policies for protecting all involved spaces. The feasibility of the approach is demonstrated via a series of case studies that cover different security constraints and application domains.