Provenance-based access control models
Provenance data of a system resource provides historical information, including the pedigree of the resource and the past activities performed on it. This information is useful and has been shown to be effectively usable in various computing systems across scientific and business application domains. Incorporating provenance-awareness into systems has garnered considerable recent attention and has been a focus of academic and industrial communities. One concern is how cyber security can be achieved and enhanced in systems that are provenance-aware. Security tasks include utilizing information and knowledge of provenance data to address existing issues such as insider threat detection and malicious data dissemination. In scenarios where provenance data is more critical than the associated system data, it is also essential to secure the provenance data itself. This dissertation primarily investigates the security of provenance-aware systems from an access control point of view. In provenance-aware systems, provenance information can be utilized for secure access control of the regular system resources as well as of the provenance data associated with those resources. The two approaches can be termed provenance-based access control (PBAC) and provenance access control (PAC), respectively. A provenance data model, which is built on causality dependencies of provenance entities capturing system events, provides a foundation for achieving desirable access control goals. Built on this data model, the focus of this dissertation is on provenance-based access control models that enable efficient and expressive access control features. PBAC models can be applied in single, distributed, and multi-tenant cloud systems. This dissertation demonstrates the application of PBAC in a single system by extending the standard XACML framework and evaluating a proof-of-concept implementation in the context of an online homework grading system.
The dissertation also demonstrates the possibility of incorporating PBAC mechanisms into cloud computing systems by developing and evaluating a proof-of-concept PBAC extension to several service components of the open-source OpenStack cloud management software. A study of a variety of deployment architecture approaches further consolidates the insights and knowledge gained from the process. Experimental results from these case studies demonstrate the feasibility of the approach and promise an enhanced and secure access control foundation for future computing systems.
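To make the idea of a PBAC decision over causality dependencies concrete, the following is an added illustration in the homework grading setting; it is not code from the dissertation. The dependency names (OPM-style `used`, `wasGeneratedBy`, `wasControlledBy`), the sample records, and the rule "nobody in a submission's causal history may grade it" are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed provenance records: (effect, dependency, cause).
# Dependency names are OPM-style assumptions, not taken from the abstract.
PROVENANCE = [
    ("upload1", "wasControlledBy", "carol"),   # carol uploaded the first draft
    ("hw1_v1", "wasGeneratedBy", "upload1"),
    ("replace1", "used", "hw1_v1"),
    ("replace1", "wasControlledBy", "alice"),  # alice replaced it
    ("hw1_v2", "wasGeneratedBy", "replace1"),
    ("submit1", "used", "hw1_v2"),
    ("submit1", "wasControlledBy", "alice"),   # alice submitted it
    ("hw1_sub", "wasGeneratedBy", "submit1"),
]

def build_index(records):
    """Index causes by (effect, dependency) for backward traversal."""
    index = defaultdict(list)
    for effect, dep, cause in records:
        index[(effect, dep)].append(cause)
    return index

def contributors(index, artifact):
    """Agents who controlled any process in the artifact's causal history."""
    agents, seen, stack = set(), set(), [artifact]
    while stack:
        node = stack.pop()
        if node in seen:          # guard against malformed, cyclic records
            continue
        seen.add(node)
        for proc in index.get((node, "wasGeneratedBy"), []):
            agents.update(index.get((proc, "wasControlledBy"), []))
            stack.extend(index.get((proc, "used"), []))
    return agents

def may_grade(index, user, artifact):
    """Hypothetical PBAC rule: deny grading to anyone in the history.
    Fails closed when the artifact has no recorded provenance."""
    if not index.get((artifact, "wasGeneratedBy")):
        return False
    return user not in contributors(index, artifact)

INDEX = build_index(PROVENANCE)
```

Note that `carol` never touched the submitted artifact directly; only the backward walk over the dependency chain reveals her as a contributor, which an owner-field check on `hw1_sub` would miss.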