Constraints for attribute based access control with application in cloud IaaS
Recently, attribute based access control (ABAC) has received considerable attention from the security community for its policy flexibility and dynamic decision-making capabilities. The general idea of ABAC is to determine the authorization decision for an access request based on various attributes of the entities involved in the access (e.g., users, subjects, objects, context, etc.). Hence, in an ABAC system, proper assignment of attribute values to different entities is necessary to protect against unauthorized access. There has been considerable prior research on ABAC in various aspects such as formal models, enforcement models, policy composition languages and so on. However, mechanisms for ensuring proper attribute value assignments to entities have not been well studied. In this dissertation, we propose a mechanism to specify and enforce constraints in ABAC that partially ensures proper assignment of attribute values to entities. We do so by specifying constraints on the attribute values of a particular entity, so as to preserve various kinds of conflicting relations between these values. We develop a declarative language called attribute-based constraint specification language (ABCL) for specifying such constraints. During assignment of attribute values to entities, the mechanism enforces these specified constraints by prohibiting assignments that would violate one or more constraints. We validate the expressiveness of ABCL by configuring several well-known constraint policies, including the separation of duty and cardinality policies of the role based access control system. We also demonstrate the practical usefulness of ABCL by configuring various security policies for banking organizations. We discuss enforcement algorithms for ABCL and analyze their complexity. We further devise a similar constraints specification mechanism in the concrete domain of cloud infrastructure-as-a-service (IaaS).
In cloud IaaS, both physical resources and virtual resources need to be mapped to each other in order to build a particular computing environment. Any misconfiguration in these mappings may result in potential security and performance losses. Unlike attribute value assignment in ABAC, here we generate constraints for ensuring proper mappings among cloud resources. Different properties of IaaS resources can be captured as attribute values, and these values can have several conflicting relations that restrict how these resources can be mapped to each other. We identify customized versions of ABCL to specify such conflicting relations in cloud IaaS. In particular, we specify constraints for the following two mappings in cloud IaaS. (i) In cloud IaaS, a major problem for enterprise-scale tenants concerns orchestrating their virtual resources in a secure manner, where they restrict any unwanted mapping between two virtual resources. We develop a constraints specification mechanism in order to restrict possible misconfiguration of such mappings, and demonstrate its implementation in the open source OpenStack cloud platform. We verify the expressiveness of the mechanism by configuring the mappings for 3-tier business applications and Hadoop cluster setups. We also develop a constraint mining process in order to construct constraints automatically for the tenants according to their virtual resource mapping requirements. (ii) Another major concern arises from the tenants' lack of control over the mapping of their virtual machines to physical servers operated by a cloud service provider. This limitation leads to many security and performance issues. We develop a virtual machine scheduler through which enterprises gain some control by specifying constraints for this mapping. Our scheduler also optimizes the number of physical servers while satisfying the specified constraints. We analyze various performance and usability issues of the scheduler in OpenStack.
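The two constraint forms described above, mutual exclusion and cardinality over one entity's attribute values (the ABCL part) and a conflict relation between the attribute values of two resources being mapped together (the cloud IaaS part), can be illustrated with a small checker. This is an added example written for this page, not the dissertation's ABCL syntax or its OpenStack implementation; the entity, constraint and attribute names ("role", "tier") are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entity:
    """Any entity (user, VM, ...) with multi-valued attributes."""
    name: str
    attrs: dict = field(default_factory=dict)   # attribute -> set of values

@dataclass
class Constraint:
    """Constraint on the values one entity holds for a single attribute."""
    attr: str
    conflict: frozenset = frozenset()   # values that must not co-occur (e.g. separation of duty)
    max_card: Optional[int] = None      # upper bound on how many values may be held

def violations(entity, constraints):
    """Return a list of human-readable violations for the entity's current values."""
    out = []
    for c in constraints:
        vals = entity.attrs.get(c.attr, set())
        hits = vals & c.conflict
        if len(hits) > 1:
            out.append(f"{entity.name}: {c.attr} values {sorted(hits)} are mutually exclusive")
        if c.max_card is not None and len(vals) > c.max_card:
            out.append(f"{entity.name}: {c.attr} has {len(vals)} values, limit {c.max_card}")
    return out

def assign(entity, attr, value, constraints):
    """Enforcement at assignment time: tentatively add the value, keep it only
    if no constraint is violated, otherwise roll back and report why."""
    before = set(entity.attrs.get(attr, set()))
    entity.attrs.setdefault(attr, set()).add(value)
    found = violations(entity, constraints)
    if found:
        entity.attrs[attr] = before
        return False, found
    return True, []

def mapping_allowed(res_a, res_b, attr, conflict_pairs):
    """Cloud IaaS variant: two resources may be mapped together (e.g. two VMs
    placed on one physical server or attached to one network) only if none of
    their value pairs for `attr` is in the conflict relation."""
    for a in res_a.attrs.get(attr, set()):
        for b in res_b.attrs.get(attr, set()):
            if (a, b) in conflict_pairs or (b, a) in conflict_pairs:
                return False
    return True
```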
Together, these two constraint mechanisms enable cloud tenants to maintain a level of control over their virtual assets in the cloud that is somewhat comparable to the level of control they could maintain on their own premises.