
FU Berlin
Digital Dissertation

Gerald Brose:
Zugriffsschutzmanagement in verteilten Objektsystemen
Access Control Management in Distributed Object Systems




Abstract

The main question addressed in this work is how the specification, deployment and management of application-oriented access control policies in distributed object systems can be supported in a way that increases the overall security. The first chapters of this thesis examine the problems that need to be addressed and identify a number of requirements for manageable access control. The overall management task is analyzed and structured into subtasks that are performed by potentially separate managers: principals or credentials management, object and domain management, and policy management. Also, the tasks of policy deployment and development are examined. As a result, we identify the requirements for documentation, support for communication between the involved parties, and for suitable management abstractions. It is concluded that an integrated approach to secure software development and management is required and that it can best be supported by the definition of a declarative policy language. Looking at the current technology for CORBA security reveals conceptual scalability problems and lack of structured support for policy design.

Therefore, this thesis proposes a new view-based access model and a declarative specification language called view policy language (VPL). The abstractions of this language are designed to support deployment and development as well as management of application policies. The central concepts of VPL are views as a first-class concept for the type-safe aggregation of access rights, roles as a task-oriented abstraction of callers, and schemas as a means of specifying triggered dynamic changes in the protection state. To prove the practical relevance of these concepts, a comprehensive case study is analyzed and implemented. The technical feasibility of view-based access control is shown through an implementation of the required security infrastructure, which includes an interceptor-based access control mechanism, a language compiler, view and role repositories, and graphical management tools.


Table of Contents


Title page and contents
1. Introduction 11
2. Requirements for Manageable Access Control 19
3. Standard CORBA Security 35
4. View-Based Access Control 55
5. Model Formalization 87
6. An Application Case Study 101
7. An Infrastructure for View-Based Access Control 115
8. Related Work 139
9. Summary and Conclusions 149
Appendix A VPL Grammar and XML DTD 153
Appendix B IDL and VPL Definitions for the conference example 159
Appendix C Summary in German 167
Appendix E Declaration 171
Bibliography 173
Index 182

More Information:

Online available: http://www.diss.fu-berlin.de/2001/203/indexe.html
Language of PhD thesis: English
Keywords: Security, Access Control, Policy, Distributed Systems, CORBA
DNB subject group: 28 Computer Science, Data Processing
Classification CR: K.6.5, D.4.6, C.2.0
Date of disputation: 17-Oct-2001
PhD thesis from: Fachbereich Mathematik u. Informatik, Freie Universität Berlin
First Referee: Prof. Dr. Klaus-Peter Löhr
Second Referee: Prof. Dr. Dieter Gollmann
Contact (Author): gerald.brose@acm.org
Contact (Advisor): lohr@inf.fu-berlin.de
Date created: 23-Oct-2001
Date available: 23-Oct-2001

 



© Freie Universität Berlin 1999