A legal information flow (LIF) scheduler based on role-based access control model




Computer Standards & Interfaces 31 (2009) 906–912


Journal homepage: www.elsevier.com/locate/csi

Tomoya Enokido a,⁎, Valbona Barolli b, Makoto Takizawa b

a Faculty of Business Administration, Rissho University, 4-2-16, Osaki, Shinagawa, Tokyo, 141-8602, Japan
b Department of Computers and Systems Engineering, Tokyo Denki University, Ishizaka, Hatoyama, Hiki, Saitama, 350-0394, Japan

Article info

Available online 15 March 2008

Keywords: Information flow; Role-based access control model; Concurrency control; Security; Transaction

Abstract

Information systems have to be consistent and secure in the presence of multiple conflicting transactions. The role-based access control (RBAC) model is widely used to keep information systems consistent and secure. A role shows a job function in an enterprise and is a set of access rights (permissions). Here, a subject s is allowed to issue a method op to an object o only if an access right 〈o, op〉 is included in the roles granted to the subject s. A subject is granted one or more roles and issues a transaction to multiple objects. The transaction is assigned some of the roles of the subject, which are referred to as its purpose. Even if every access request issued by every subject is authorized by the roles, illegal information flow might occur; this is the well-known confinement problem. In this paper, we define a legal information flow (LIF) relation (R1 ⪯I R2) on a pair of role families R1 and R2 to prevent illegal information flow. Here, an LIF relation R1 ⪯I R2 shows that no illegal information flow occurs if a transaction T1 with a role family R1 is performed prior to another transaction T2 with a role family R2. In addition, it is significant to discuss which transaction is to be performed prior to another if both transactions manipulate the same object in a conflicting way. We define a significantly precedent relation R1 ⪯s R2 on role families R1 and R2 which implies that the role family R2 is more significant than R1. Suppose a pair of transactions T1 and T2 with role families R1 and R2 issue conflicting methods op1 and op2, respectively, to an object o. If R1 ⪯s R2, op2 is performed on the object o prior to op1. The more significant a transaction is, the earlier it is performed.
We discuss a legal information flow (LIF) scheduler to synchronize transactions so as to prevent illegal information flow and to serialize conflicting methods from multiple transactions in terms of the significancy and information flow relations of role families. We evaluate the LIF scheduler in terms of how much illegal information flow can be prevented compared with another scheduler. © 2008 Published by Elsevier B.V.

1. Introduction

Information systems have to be consistent and secure in the presence of various kinds of security attacks and conflicting accesses to computation resources. Information systems adopt access control models to prevent unauthorized access. In the access control models [1], a subject s, i.e. a user or program, is allowed to issue a method op to an object o like a database system [2,3] only if an access right (or permission) 〈o, op〉 is granted to the subject s. A subject granted an access right is referred to as authorized. In the mandatory access control (MAC) model, only a centralized authorizer can grant access rights to a subject s. On the other hand, in the discretionary access control (DAC) model [2,3], a subject granted an access right 〈o, op〉 can grant the access right 〈o, op〉 to another subject. In the role-based access control (RBAC) models [4–7], a role is specified as a collection of access rights. A role shows a job function, i.e. what subjects can do on resource objects in an enterprise. Each subject s is granted one or more roles. Then, the subject s issues a transaction T. A transaction is a unit of work and is a sequence of methods on objects. Here, the transaction T is assigned a family, i.e. a subcollection, of the roles granted to the subject s. The family of roles is referred to as the purpose of the transaction T. While the access control models are widely used in information systems like database systems [2,3], illegal information flow among subjects through objects may occur even if each subject manipulates objects only according to the authorized access rights. This is the well-known confinement problem [8,9]. The lattice-based access control (LBAC) model is discussed in papers [10,11] to prevent illegal information flow. Here, each entity, i.e. subject and object, is classified into a security class. An information flow relation among security classes is defined. Access rules on read, write, and modify are defined according to the information flow relation. However, objects can then only be manipulated in a limited way, which not every system can adopt.

In this paper, we discuss a novel type of concurrency control mechanism, named the legal information flow (LIF) scheduler, to synchronize conflicting transactions. The LIF scheduler aims at achieving two objectives. First, a more significant method should be performed prior to others from the application point of view. In traditional database systems, types of the two-phase locking (2PL) protocol [15,18] are widely used to synchronize conflicting transactions. Locking protocols [18] are based on the principle that only the first comer is a winner and the others are losers. If some transaction T holds an object, every transaction conflicting with the transaction T cannot use the object, i.e. waits until the object is released by the transaction T. If every transaction takes the 2PL protocol, a schedule of the transactions is serializable [15] but transactions might be deadlocked. On the other hand, in the timestamp ordering (TO) scheduler [18], each transaction T is assigned a timestamp TS(T) showing when the transaction T is initiated in a client. If a pair of transactions T1 and T2 issue conflicting methods op1 and op2 to an object o, respectively, the method op1 is performed prior to the method op2 if TS(T1) < TS(T2). Objects are thus manipulated by conflicting transactions in the timestamp order and no deadlock occurs. In this paper, transactions are ordered by the significancy of the roles assigned to the transactions. We also discuss which role family is more significant than another role family based on the significancy of methods [12–14]. Types of role-ordering (RO) schedulers that perform a method from a more significant transaction prior to a less significant one are also discussed in [12–14]. In this paper, we discuss a simpler model where every object supports only read and write methods, while more general, abstract types of methods are supported in the RO scheduler. In addition, we consider the MAC model in this paper while the DAC model is taken into account in the RO scheduler. Second, no illegal information flow should occur when multiple conflicting transactions are performed on objects. We first discuss how to prevent illegal information flow in the role-based access control model.

A subject s issues a transaction T to manipulate objects. The transaction T is assigned a purpose, i.e. a subfamily of the roles granted to the subject s. Let T1 and T2 be a pair of transactions assigned purposes R1 and R2, respectively. In this paper, we define an LIF relation R1 ⪯I R2 on the purposes R1 and R2. This means that no illegal information flow occurs if a transaction T1 with the purpose R1 is performed prior to another transaction T2 with the purpose R2; that is, the transaction T2 can be safely performed after the transaction T1. Next, suppose the transaction T1 has already been performed, the transaction T2 is initiated, and R1 ⪯I R2 does not hold. Here, illegal information flow might occur if T2 is performed. We discuss an LIF scheduler to serialize conflicting read and write methods issued by multiple transactions so that illegal information flow is prevented based on the LIF relation. We discuss a simple algorithm where each object just remembers the purpose of the transaction which most recently manipulated the object. We show how much illegal information flow can be reduced in the LIF scheduler compared with the RO scheduler [12]. In Section 2, we discuss which role family is more significant than another role family. In Section 3, we define the LIF relation among role families. In Section 4, we discuss the LIF concurrency control algorithm for multiple transactions to prevent illegal information flow and serialize conflicting methods from transactions. In Section 5, we evaluate the LIF scheduler compared with the RO scheduler.

⁎ Corresponding author. E-mail addresses: [email protected] (T. Enokido), [email protected] (V. Barolli), [email protected] (M. Takizawa). © 2008 Published by Elsevier B.V. doi:10.1016/j.csi.2008.03.013

2. Significant relation of roles

2.1. Role-based access control models

In the access control models [1,4–7,10,11], a system is composed of two types of entities, subjects and objects. A subject is an entity that issues methods to objects. Users are examples of subjects. Let S be a set of subjects in the system. An object is an entity which performs methods from subjects. Databases are examples of objects. Let O be a set of objects o1,…, om in a system. Each object oi supports read and write methods for manipulating data (i = 1,…, m). An access rule is given as a tuple 〈s, o, op〉 showing that a subject s can manipulate an object o by a method op. A pair 〈o, op〉 is referred to as an access right (permission). A system is secure if every object is manipulated according to the access rules. Only a subject s granted an access right (or permission) 〈o, op〉 is allowed to issue a method op to an object o. Here, the subject s is referred to as authorized. In the RBAC models [4–7], a role is specified as a set of access rights. A role shows a job function in an enterprise. Let R be a set of roles {r1, …, rn} in a system. Each role ri is a collection {αi1,…, αili} of access rights. Each access right αij is written as a pair 〈oij, opij〉 of an object oij in the object set O and a method opij for manipulating the object oij. Let SR(s) (⊆ R) be the family of roles granted to a subject s. A subject s initiates a transaction T. A transaction [16,18] is an atomic sequence of methods on objects, which is a unit of work. Here, the transaction T is assigned a subfamily PR(T) (⊆ SR(s)) of the roles granted to the subject s. PR(T) is referred to as the purpose [12–14] of the subject s in issuing the transaction T. The transaction T issues a method op to an object o only for an access right 〈o, op〉 in the purpose PR(T). An object is assumed to support a pair of types of methods, read and write, in this paper. A pair of methods conflict with one another if and only if (iff) the result obtained by performing the methods depends on the execution order of the methods. A write method conflicts with write and read methods, while a read method conflicts with a write method. A pair of transactions which issue conflicting methods are referred to as conflicting with each other. Conflicting transactions should be performed in a serializable schedule [15]. Suppose a transaction T1 issues methods op11 and op12 to objects o1 and o2, respectively. Another transaction T2 issues methods op21 and op22 to the objects o1 and o2, respectively. Suppose op11 and op21 conflict on the object o1 and op12 and op22 conflict on the object o2. Here, if the method op11 is performed prior to op21 on o1, op12 has to be performed prior to op22 on o2 according to serializability theory.

In the locking protocols [8,15–17], transactions hold objects arbitrarily based on the first-comer-winner principle. An object is held by transactions independently of the significancy of each transaction. In the TO schedulers [18], each transaction T is assigned a timestamp TS(T) showing when the transaction T is initiated. Transactions are totally ordered by their timestamps. Objects are manipulated by conflicting transactions in the TO order. If a pair of transactions T1 and T2 issue conflicting methods op1 and op2 to an object o, respectively, the method op1 is performed prior to the method op2 if TS(T1) < TS(T2). That is, the elder a transaction is, the earlier it is performed.

The access control models imply the well-known confinement problem [8,9]. For example, a subject s1 is granted a pair of access rights 〈f, read〉 and 〈g, write〉 on file objects f and g, while another subject s2 is only granted an access right 〈g, read〉. Suppose the subject s1 reads data x from the file f and then writes x to the file g. Here, the subject s2 can read x from g although the subject s2 is not allowed to read the data x in the file f. Here, the information x illegally flows to the subject s2 [Fig. 1].

Fig. 1. Illegal information flow.


2.2. Significancy of access rights

In papers [12–14], the authors discuss which role family is more significant than another role family for abstract types of methods on objects, like a bank object with deposit, withdraw, transfer, and check methods. In this paper, we consider a simpler but practical model with only two types of fundamental methods, read and write, on each object. Let α1 and α2 be a pair of access rights 〈o1, op1〉 and 〈o2, op2〉, respectively, where o1 and o2 are objects and op1 and op2 are methods supported by the objects o1 and o2, respectively. First, we discuss which access right is more significant than another access right. We define the following relation on the access rights α1 and α2:

• α1 significantly dominates α2 (α2 ⪯s α1) if o1 is more secure than o2. For example, a file f is a public one and another file g is a private one. Here, the file g is more secure than the file f. An access right 〈g, read〉 significantly dominates the access rights 〈f, write〉 and 〈f, read〉 (〈f, write〉 ⪯s 〈g, read〉, 〈f, read〉 ⪯s 〈g, read〉).

Next, suppose that the pair of objects o1 and o2 belong to the same security class.

• α1 significantly dominates α2 (α2 ⪯s α1) if op1 is write and op2 is read. For the files f and g, 〈f, read〉 ⪯s 〈f, write〉 and 〈g, read〉 ⪯s 〈g, write〉.

2.3. Significancy of roles

By using the significant relation on access rights, we define a relation on roles:

Definition. A role r2 significantly dominates a role r1 (r1 ⪯s r2) iff there is no access right β in r2 such that α ⪯s β for every access right α in r1.

In Fig. 2, a black node indicates an access right and a directed edge α → β shows that an access right α is significantly dominated by another access right β (α ⪯s β). In Fig. 2(a), the role r2 significantly dominates the role r1 (r1 ⪯s r2) since there is no access right β in r2 such that α ⪯s β for every access right α in r1. On the other hand, r1 ⋠s r2 and r2 ⋠s r1 in Fig. 2(b).

Let r1 and r2 be roles in a role family R. The least upper bound (lub) r1 ⊔s r2 of r1 and r2 is defined to be a role r3 in R such that r1 ⪯s r3 and r2 ⪯s r3, but there is no other role r4 such that r1 ⪯s r4 ⪯s r3 and r2 ⪯s r4 ⪯s r3. The greatest lower bound (glb) r1 ⊓s r2 is defined to be a role r3 in R such that r3 ⪯s r1 and r3 ⪯s r2, and there is no other role r4 such that r3 ⪯s r4 ⪯s r1 and r3 ⪯s r4 ⪯s r2. Then, a lattice 〈R, ⪯s, ⊔s, ⊓s〉 is defined. A subject s and a transaction T are assigned role families SR(s) and PR(T), respectively. In order to discuss which transactions and subjects are more significant, we define the significantly dominant relation ⪯s on role families as follows:

Definition. A role family Ri is significantly (S-) dominated by a role family Rj (Ri ⪯s Rj) iff ⊔s{r ∈ Ri} r ⪯s ⊓s{r ∈ Rj} r, i.e. the lub of the roles in Ri is S-dominated by the glb of the roles in Rj.

Fig. 3. Significancy of role families.

In Fig. 3, there are five roles r1, r2, r3, r4, and r5. A circle node ri indicates a role ri and a directed edge ri → rj shows that a role rj significantly dominates a role ri (ri ⪯s rj). Suppose a role family R1 is a collection {r1, r2, r3} of roles and another role family R2 is {r3, r4, r5}. Here, (r1 ⊔s r2 ⊔s r3) = r3 since r1 ⪯s r3, r2 ⪯s r3, and there is no role r′ such that r1 ⪯s r′ ⪯s r3 and r2 ⪯s r′ ⪯s r3. Since (r1 ⊔s r2 ⊔s r3) ⪯s (r3 ⊓s r4 ⊓s r5), the role family R1 is significantly (S-) dominated by the role family R2 (R1 ⪯s R2). Let R1 and R2 be a pair of role families. A least upper bound (lub) R1 ⊔s R2 of R1 and R2 is defined to be a role family R3 such that R1 ⪯s R3 and R2 ⪯s R3 and there is no other role family R4 such that R1 ⪯s R4 ⪯s R3 and R2 ⪯s R4 ⪯s R3. A greatest lower bound (glb) R1 ⊓s R2 is defined to be a role family R3 such that R3 ⪯s R1 and R3 ⪯s R2 and there is no other role family R4 such that R3 ⪯s R4 ⪯s R1 and R3 ⪯s R4 ⪯s R2. Thus, a lattice 〈2^R, ⪯s, ⊔s, ⊓s〉 is defined to characterize a system for a set R of roles and the S-dominant relation ⪯s. ⊤s and ⊥s show the top and bottom of the lattice, respectively.

3. Information flow relations

3.1. Information flow on roles

Let R be a set of roles and O be a set of objects in a system. We first introduce flow relations r ↦ o and o ↦ r for a role r ∈ R and an object o ∈ O, showing that 〈o, write〉 ∈ r and 〈o, read〉 ∈ r, respectively. That is, r ↦ o and o ↦ r mean that a transaction with a role r is allowed to write and read an object o ∈ O, respectively. The input set In(r) and output set Out(r) are defined as follows:

• In(r) = {o | o ↦ r} = the set of objects which a subject granted a role r is allowed to read.
• Out(r) = {o | r ↦ o} = the set of objects which a subject granted a role r is allowed to write.

Definition. A role r1 flows into a role r2 (r1 ↦ r2) iff r1 ↦ o and o ↦ r2 for some object o, i.e. Out(r1) ∩ In(r2) ≠ ∅, or r1 ↦ r3 ↦ r2 for some role r3.

Suppose a transaction T1 is assigned a role r1 and another transaction T2 a role r2. A flow relation r1 ↦ r2 means that data written by the transaction T1 might be read by the other transaction T2. For example, suppose r1 = {〈x, write〉, 〈y, write〉, 〈w, write〉} and r2 = {〈x, read〉, 〈y, read〉, 〈z, write〉} where w, x, y, and z are objects. Here, Out(r1) = {x, y, w} and In(r2) = {x, y}. Out(r1) ∩ In(r2) = {x, y} ≠ ∅. Hence, r1 ↦ r2.

Definition. A role r2 reads more objects than a role r1 (r1 → r2) iff o ↦ r2 for every object o such that o ↦ r1, i.e. In(r1) ⊆ In(r2), or r1 → r3 → r2 for some role r3.

Fig. 2. Significancy of roles.

Suppose a role r1 includes a pair of access rights 〈x, read〉 and 〈y, read〉 and another role r2 is composed of three access rights 〈x, read〉, 〈y, read〉, and 〈z, read〉. Since In(r1) = {x, y} and In(r2) = {x, y, z}, In(r1) ⊆ In(r2). Here, r1 → r2 but r2 ↛ r1.


3.2. Information flow on role families

A subject s can be granted one or more roles in a system. Let SR(s) (⊆ R) be the family of roles granted to a subject s. If a subject s is granted three roles r1, r2, and r3, SR(s) = {r1, r2, r3}. A transaction T issued by a subject s is assigned a purpose PR(T) which is a subfamily of the subject role family SR(s). For example, the subject s assigns a transaction T a pair of roles r1 and r2 in SR(s) and then issues the transaction T. Here, the purpose PR(T) of the transaction T is the role family {r1, r2}. We define the LIF relation ⪯I among role families.

Fig. 4. r1 ⇒ r2.

Definition. A role r1 legally flows into a role r2 (r1 ⇒ r2) iff (1) r1 ↦ r2 and r1 → r2, or (2) r1 ⇒ r3 ⇒ r2 for some role r3.

In Fig. 4, there are a pair of roles r1 and r2, r1 = {〈x, read〉, 〈y, write〉, 〈z, read〉, 〈v, write〉} and r2 = {〈x, read〉, 〈y, read〉, 〈z, read〉}. In(r1) = {x, z} and Out(r1) = {y, v}. In(r2) = {x, y, z}. In(r1) ⊆ In(r2) and Out(r1) ∩ In(r2) ≠ ∅. Hence, r1 ⇒ r2.

Let r1 and r2 be a pair of roles {〈x, read〉, 〈y, write〉} and {〈y, read〉}, respectively. Let T1 and T2 be a pair of transactions whose purposes are PR(T1) = {r1} and PR(T2) = {r2}, as shown in Fig. 5. Suppose the transaction T1 reads data v from an object x and writes the data v to another object y, i.e. 〈x, read〉 ∈ r1 and 〈y, write〉 ∈ r1. Then, suppose the transaction T2 reads the object y since 〈y, read〉 ∈ r2. However, 〈x, read〉 ∉ r2, i.e. the transaction T2 is not allowed to read data in the object x. Here, illegal information flow occurs since the transaction T2 reads x's data from the other object y although the transaction T2 is not allowed to read the object x. On the other hand, if 〈x, read〉 ∈ r2, the role r1 legally flows into the role r2 (r1 ⇒ r2). The transaction T2 can read the data of the object x from the object y since the transaction T2 is allowed to read the object x. Thus, the legal flow relation r1 ⇒ r2 shows that no illegal information flow occurs if a transaction T1 with a role r1 is performed prior to another transaction T2 with a role r2.

The following relations are defined for a pair of roles r1 and r2:
1. r1 ≡I r2 (r1 and r2 are information-flow (I-) equivalent) iff r1 ⇒ r2 and r2 ⇒ r1.
2. r1 ≺I r2 (r2 is more I-significant than r1) iff r1 ⇒ r2 but r2 ⇏ r1.
3. r1 ⪯I r2 (r2 I-dominates r1) iff r1 ⇒ r2 or r1 ≡I r2.
4. r1 ‖I r2 (r1 and r2 are I-incomparable) iff neither r1 ⪯I r2 nor r2 ⪯I r1.

A least upper bound (lub) r1 ⊔I r2 of roles r1 and r2 is a role r3 such that r1 ⪯I r3, r2 ⪯I r3, and there is no other role r4 such that r1 ⪯I r4 ⪯I r3 and r2 ⪯I r4 ⪯I r3. The greatest lower bound (glb) r1 ⊓I r2 of roles r1 and r2 is a role r3 such that r3 ⪯I r1, r3 ⪯I r2, and there is no other role r4 such that r3 ⪯I r4 ⪯I r1 and r3 ⪯I r4 ⪯I r2. Thus, a lattice 〈R, ⪯I, ⊔I, ⊓I〉 is defined for a set R of roles and the I-dominant relation ⪯I in a system. Here, the bottom ⊥I is ∅ and the top ⊤I is the set R of all the roles.
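The relations of Sections 3.1 and 3.2 (In, Out, ↦, →, ⇒ with its transitive clause, the four I-relations on roles, and ⪯I on role families) can be checked mechanically. The following Python is an added example written for this page, not code from the paper, run on the constructed roles of Figs. 4, 5 and 6. Two assumptions are made: ⪯I is taken to be reflexive, as the paper's own computation r1 ⊔I r2 = r2 presupposes; and the family relation R1 ⪯I R2 is checked in the pairwise form "every role of R1 is I-dominated by every role of R2", which is what lub(R1) ⪯I glb(R2) amounts to in a lattice.

```python
"""Information-flow relations on roles (Sections 3.1 and 3.2).
Added example; constructed data taken from Figs. 4, 5 and 6 of the paper."""
from itertools import product

# A role is a frozenset of access rights <object, op>, op in {"read", "write"}.
Role = frozenset


def in_set(r):
    """In(r): objects the role may read (o |-> r)."""
    return {o for o, op in r if op == "read"}


def out_set(r):
    """Out(r): objects the role may write (r |-> o)."""
    return {o for o, op in r if op == "write"}


def flows_into(r1, r2):
    """r1 |-> r2 in one hop: Out(r1) ∩ In(r2) is non-empty."""
    return bool(out_set(r1) & in_set(r2))


def reads_more(r1, r2):
    """r1 -> r2: r2 may read every object r1 may read, In(r1) ⊆ In(r2)."""
    return in_set(r1) <= in_set(r2)


def legal_flow_table(roles):
    """r1 => r2 for every pair of roles: clause (1) r1 |-> r2 and r1 -> r2,
    then clause (2) r1 => r3 => r2 closed transitively (Warshall's algorithm)."""
    lf = {(a, b): flows_into(a, b) and reads_more(a, b)
          for a, b in product(roles, repeat=2)}
    for k in roles:
        for a in roles:
            for b in roles:
                if lf[(a, k)] and lf[(k, b)]:
                    lf[(a, b)] = True
    return lf


def i_dominates(lf, r1, r2):
    """r1 ⪯I r2: r1 => r2 (which already covers r1 ≡I r2). Reflexivity is
    assumed so that a role is comparable with itself (assumption)."""
    return r1 == r2 or lf[(r1, r2)]


def i_relation(lf, r1, r2):
    """Classify a pair of roles by relations 1-4 of Section 3.2 (ASCII labels)."""
    fwd, back = i_dominates(lf, r1, r2), i_dominates(lf, r2, r1)
    if fwd and back:
        return "=I"    # r1 ≡I r2
    if fwd:
        return "<I"    # r1 ≺I r2, r2 is more I-significant
    if back:
        return ">I"    # r2 ≺I r1
    return "||I"       # r1 ‖I r2


def family_i_dominates(lf, R1, R2):
    """R1 ⪯I R2. In a lattice, lub(R1) ⪯I glb(R2) holds exactly when every
    role of R1 is I-dominated by every role of R2, so that is what is checked."""
    return all(i_dominates(lf, a, b) for a in R1 for b in R2)


def fig4_example():
    r1 = Role({("x", "read"), ("y", "write"), ("z", "read"), ("v", "write")})
    r2 = Role({("x", "read"), ("y", "read"), ("z", "read")})
    return legal_flow_table([r1, r2])[(r1, r2)]


def fig5_example():
    """T1 with r1 copies x into y; T2 with r2 may read y but not x, so the
    flow is illegal. Granting <x, read> to r2 makes it legal."""
    r1 = Role({("x", "read"), ("y", "write")})
    r2 = Role({("y", "read")})
    r2_fixed = Role(r2 | {("x", "read")})
    lf = legal_flow_table([r1, r2, r2_fixed])
    return lf[(r1, r2)], lf[(r1, r2_fixed)]


def fig6_example():
    r1 = Role({("x", "read"), ("y", "write")})
    r2 = Role({("x", "read"), ("y", "read"), ("z", "write")})
    r3 = Role({("x", "read"), ("y", "read"), ("z", "read")})
    lf = legal_flow_table([r1, r2, r3])
    R1, R2 = {r1, r2}, {r2, r3}
    return (i_relation(lf, r1, r2), i_relation(lf, r2, r3),
            family_i_dominates(lf, R1, R2), family_i_dominates(lf, R2, R1))
```

fig5_example returns (False, True): the Fig. 5 flow r1 ⇒ r2 fails only on the → clause, since Out(r1) ∩ In(r2) = {y} is non-empty but In(r1) = {x} is not contained in In(r2) = {y}; adding 〈x, read〉 to r2 repairs it. fig6_example reports r1 ≺I r2, r2 ≺I r3, R1 ⪯I R2 and not R2 ⪯I R1, matching the text.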

Fig. 5. r1 ⇒ r2.

Definition. Let R1 and R2 be a pair of role families. R2 I(information flow)-dominates R1 (R1 ⪯I R2) iff one of the following conditions holds:
• ⊔I{r1 ∈ R1} r1 ⪯I ⊓I{r2 ∈ R2} r2, i.e. the lub of the roles in R1 is I-dominated by the glb of the roles in R2.
• R1 ⪯I R3 ⪯I R2 for some role family R3.

The following relations are defined for role families R1 and R2:
1. R1 ≡I R2 (R1 and R2 are I-equivalent) iff R1 ⪯I R2 and R2 ⪯I R1.
2. R1 ≺I R2 (R2 is more I-significant than R1) iff ⊔I{r1 ∈ R1} r1 ⪯I ⊓I{r2 ∈ R2} r2 and R1 ≺I R3 ≺I R2 for some role family R3.
3. R1 ‖I R2 (R1 and R2 are I-incomparable) iff neither R1 ⪯I R2 nor R2 ⪯I R1.

Suppose there are a pair of role families R1 = {r1, r2} and R2 = {r2, r3} as shown in Fig. 6. Here, let r1, r2, and r3 be roles where r1 = {〈x, read〉, 〈y, write〉}, r2 = {〈x, read〉, 〈y, read〉, 〈z, write〉}, and r3 = {〈x, read〉, 〈y, read〉, 〈z, read〉}. According to the definitions, r1 ⪯I r2 ⪯I r3 since r1 ⇒ r2 ⇒ r3. Here, ⊔I{r ∈ R1} r = r1 ⊔I r2 = r2 since r1 ⪯I r2 and there is no role r′ such that r1 ⪯I r′ ⪯I r2. Similarly, ⊓I{r ∈ R2} r = r2 ⊓I r3 = r2. Then, the role family R2 I-dominates the role family R1 (R1 ⪯I R2) since ⊔I{r ∈ R1} r ⪯I ⊓I{r ∈ R2} r.

Fig. 6. Information flow.

The following property holds for the I-dominant relation ⪯I.

Property. Let R1, R2, and R3 be role families. R2 ⋠I R3 if R1 ⪯I R2 but R1 ⋠I R3.

Proof. Assume R1 ⪯I R2, R1 ⋠I R3, and R2 ⪯I R3. Since R1 ⪯I R2 and R2 ⪯I R3, R1 ⪯I R3 holds by transitivity. This contradicts the assumption R1 ⋠I R3. Hence, the property holds.

Let R1 and R2 be a pair of role families. There are two types of dominant relations on R1 and R2, the S-dominant relation ⪯s and the I-dominant relation ⪯I. Suppose that R2 significantly dominates R1 (R1 ⪯s R2). R1 and R2 are referred to as conflicting with one another iff R1 ⪯s R2 but R2 ⋠I R1. Although R2 is more significant than R1, the transactions cannot simply be performed in the order of significancy, since illegal information flow might occur.

4. A legal information flow (LIF) scheduler

4.1. Scheduling of methods

We discuss a legal information flow (LIF) scheduler (LIFS) to perform multiple conflicting transactions so as to keep objects consistent and prevent illegal information flow. A transaction issues a method to an object and waits for a response from the object. On completion of the method, the object sends a response to the transaction. Thus, transactions are performed on the basis of the remote procedure call (RPC) model. Suppose a pair of transactions Tt and Tu issue methods opti and opui to an object oi, respectively. First, every method issued by the transactions is sent to a scheduler LIFSi of the object oi. In the scheduler LIFSi, methods are ordered and the top method is performed on the object oi. A method op1 is said to precede another method op2 (op1 ⇒i op2) if op1 is prior to op2 in LIFSi. In the scheduler LIFSi, the methods opti and opui issued by the transactions Tt and Tu are ordered in ⇒i by the following procedure:

  Schedule(opti, opui) {
    if opti conflicts with opui {
      if PR(Tu) ⪯s PR(Tt) { /* Tt is more significant than Tu */
        if opti is write and opui is read {
          if PR(Tt) ⋠I PR(Tu) /* illegal information flow might occur */
            cfresolve(Tt, Tu);
        }
        opti precedes opui (opti ⇒i opui) in LIFSi;
      }
      else {
        if PR(Tt) ⪯s PR(Tu)
          Schedule(opui, opti);
        else { /* PR(Tt) ≡s PR(Tu) or PR(Tt) ‖s PR(Tu) */
          if opti = write and opui = read {
            if PR(Tt) ⋠I PR(Tu) /* illegal information flow might occur */
              cfresolve(Tt, Tu);
            else opti precedes opui (opti ⇒i opui);
          }
          else opti and opui are arbitrarily ordered (opti ⇒i opui or opui ⇒i opti);
        }
      }
    }
    else opti and opui are arbitrarily ordered (opti ⇒i opui or opui ⇒i opti);
  }

Suppose that a transaction Tt issues a method opti and another transaction Tu issues a method opui to an object oi and the method opti conflicts with the method opui. In the procedure Schedule, the method opti precedes the other method opui (opti ⇒i opui) in the scheduler LIFSi if the transaction Tt is more significant than the transaction Tu, i.e. PR(Tu) ⪯s PR(Tt). Here, suppose that opti is write and opui is read. opti is performed prior to opui in the scheduler LIFSi since PR(Tu) ⪯s PR(Tt). Here, if PR(Tt) ⪯I PR(Tu), no illegal information flow occurs. However, illegal information flow might occur unless PR(Tt) ⪯I PR(Tu), i.e. if PR(Tt) and PR(Tu) conflict. Hence, the methods opti (write) and opui (read) cannot be performed in this order. Either the transaction Tt or Tu is aborted since illegal information flow might occur. In the procedure cfresolve(Tt, Tu), an attempt is made to resolve the conflict between the purposes PR(Tt) and PR(Tu) of Tt and Tu. One way to resolve the conflict is to abort the less significant transaction Tu if PR(Tu) ⪯s PR(Tt). In this paper, we take the following abort-oriented procedure cfresolve:

  cfresolve(Tt, Tu) {
    if PR(Tu) ⪯s PR(Tt) and PR(Tt) ⋠I PR(Tu)
      abort Tu;
    else
      abort Tt or Tu;
  }

In another way, the execution order of the methods opui and opti is reversed, i.e. opui is performed on the object oi prior to opti (opui ⇒i opti) if PR(Tu) ⪯I PR(Tt). Here, the transaction Tu might be less significant than the transaction Tt. However, in every object, only methods from the transactions Tt and Tu have to be ordered in the I-dominant relation ⪯I. Here, if the transactions Tt and Tu issue other conflicting methods optj and opuj to another object oj, respectively, the method opuj has to be performed prior to the method optj. If the method optj had already been performed prior to the method opuj, opui cannot be performed prior to opti. Here, the transaction Tt or Tu has to be aborted. If the following conditions are satisfied, the conflicting methods opti and opui are primarily ordered in the I-dominant relation ⪯I rather than in the S-dominant relation ⪯s:

[IF dominant conditions]
1. No method has yet been performed in either Tt or Tu.
2. opti = write and opui = read.
3. PR(Tu) ⪯I PR(Tt).

Since conflicting methods issued by multiple transactions are totally ordered on each object by the significancy of the purposes of the transactions, the transactions are serializable in the scheduler LIFSi. In addition, one of the transactions Tt and Tu is aborted if illegal information flow would occur by performing the methods from the transactions Tt and Tu in the scheduled order.

4.2. Information flow check

If a pair of methods opti and opui are both in the LIF scheduler LIFSi, the methods opti and opui can be performed without illegal information flow. Suppose, however, that one method opti has already been performed and another method opui then arrives in the scheduler LIFSi. Here, if the method opui is performed, illegal information flow might occur. For example, after a write method opti of a transaction Tt was performed on an object oi, a read method opui of another transaction Tu is issued to the scheduler LIFSi and then performed on oi. Unless PR(Tt) ⪯I PR(Tu), illegal information flow might occur. Hence, each time a top method opti in the scheduler LIFSi is taken, we have to check whether illegal information flow might occur by performing the method opti. A variable oi.P denoting a role family, i.e. the purpose of the transaction which has most recently written the object oi, is maintained for each object oi. oi.P = ∅ at system initialization. The scheduler LIFSi outputs a method opti to the object oi in the precedence order ⇒i obtained in the procedure Schedule. Let opti be a top method in the scheduler LIFSi which is issued by a transaction Tt. The top method opti is performed on the object oi as follows [Fig. 7]:

  Perform(Tt, opti, oi) {
    if opti = write {
      oi.P = PR(Tt);
      write oi;
    }
    else { /* opti = read */
      if oi.P ⪯I PR(Tt)
        read oi; /* no illegal information flow */
      else
        abort Tt;
    }
  }

If opti is write, the purpose PR(Tt) of the transaction Tt is stored in the variable oi.P and the write method opti is performed on the object oi [Fig. 7]. Next, suppose opti is read. If oi.P ⪯I PR(Tt), the transaction Tt reads the object oi. Otherwise, the transaction Tt is aborted since illegal information flow might occur.
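The check of Perform, with its single per-object variable oi.P, can be exercised on the three-transaction chain discussed with Fig. 8 (T1 copies x into y, T2 copies y into z, T3 reads z) and compared with a scheduler that orders methods without the check, as the RO scheduler of Section 5 does. The Python below is an added example written for this page, not the paper's code. Its assumptions: purposes are named role families and the I-dominant relation among them is supplied as a constructed table (only R1 ⪯I R2 holds, as the Fig. 8 discussion supposes) rather than computed from roles; the empty purpose, the bottom ⊥I, is dominated by every purpose; methods are performed one at a time in the order of a constructed script, so the significancy ordering of Schedule is not modelled; and an aborted transaction's writes are undone, which the paper does not spell out.

```python
"""Procedure Perform (Section 4.2) on the Fig. 8 chain, with the
ILF execution ratio of Section 5. Added example, not the paper's code."""

# Constructed I-dominant relation on purposes (role families), by name.
# Fig. 8 assumes R1 ⪯I R2 and R1 ⋠I R3; nothing else is comparable.
I_DOMINANCE = {("R1", "R2")}


def i_dominated(p, q):
    """p ⪯I q. The empty purpose (None, the bottom ⊥I) is dominated by
    every purpose; otherwise reflexivity plus the table (assumption)."""
    return p is None or p == q or (p, q) in I_DOMINANCE


class Aborted(Exception):
    """Raised when Perform aborts the reading transaction."""


class LIFObject:
    """An object oi together with oi.P, the purpose of its most recent writer."""

    def __init__(self, name):
        self.name = name
        self.P = None  # oi.P = ∅ at initialization

    def perform(self, purpose, op, check=True):
        """Perform(Tt, op, oi). Returns True if the method implies illegal flow.
        check=False performs the read anyway (RO-scheduler behaviour) and
        only reports it, which is how tau is measured for that scheduler."""
        if op == "write":
            self.P = purpose
            return False
        illegal = not i_dominated(self.P, purpose)
        if illegal and check:
            raise Aborted(f"{self.name}.P = {self.P} is not ⪯I {purpose}")
        return illegal


def run(script, check=True):
    """Perform the methods of script, a list of (tx, purpose, op, object),
    one at a time in order. On abort the remaining methods of that
    transaction are dropped and its writes are undone (assumed abort
    semantics). Returns (methods executed, illegal methods, aborted txs)."""
    objects, undo, aborted = {}, {}, []
    executed = illegal = 0
    for tx, purpose, op, name in script:
        if tx in aborted:
            continue
        o = objects.setdefault(name, LIFObject(name))
        if op == "write":
            undo.setdefault(tx, []).append((o, o.P))  # remember old oi.P
        try:
            illegal += o.perform(purpose, op, check)
            executed += 1
        except Aborted:
            aborted.append(tx)
            for obj, old in reversed(undo.get(tx, [])):
                obj.P = old
    return executed, illegal, aborted


def ilf_ratio(script, check):
    """tau of Section 5: illegal methods / executed methods."""
    executed, illegal, _ = run(script, check)
    return illegal / executed


# Constructed script of Fig. 8: T1 copies x into y, T2 copies y into z,
# T3 then reads z although R1 ⋠I R3.
FIG8_SCRIPT = [
    ("T1", "R1", "read", "x"), ("T1", "R1", "write", "y"),
    ("T2", "R2", "read", "y"), ("T2", "R2", "write", "z"),
    ("T3", "R3", "read", "z"),
]

if __name__ == "__main__":
    print("LIFS:", run(FIG8_SCRIPT, check=True))   # (4, 0, ['T3'])
    print("RO:  ", run(FIG8_SCRIPT, check=False))  # (5, 1, [])
```

With the check on, z.P = R2 when T3 arrives, R2 ⪯I R3 is not in the table, and T3 is aborted before it reads z; the data of x, which reached z through y, never reaches a purpose that may not read x. Without the check the same read is performed and counted as an illegal-flow method, giving τ = 1/5. Note that the check does not need the whole history of z: because T2's read of y was itself admitted only under R1 ⪯I R2, the property of Section 3.2 guarantees that R2 ⋠I R3 whenever R1 ⋠I R3, so the most recent writer's purpose is enough.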

Fig. 7. Information flow check.


Fig. 8. Information flow check.

Suppose there are four transactions T1, T2, T3, and T4 with purposes R1, R2, R3, and R4, respectively, as shown in Fig. 8. Suppose R1 ⪯I R2. The transaction T1 reads an object x and then writes another object y. Then, the transaction T2 reads y and then writes an object z. Now, suppose the transaction T3 reads the object z. According to the procedure Perform(T3, read, z), the purpose R2 (= PR(T2)) has been stored in the variable z.P. If z.P ⪯I PR(T3), i.e. R2 ⪯I R3, the transaction T3 can read the object z. Here, suppose R1 ⋠I R3. Data in the object x might have been brought to the object z through the transactions T1 and T2. The transaction T3 should not read the object z since R1 ⋠I R3. According to the property of the LIF relation ⪯I, R2 ⋠I R3 if R1 ⋠I R3 even if R1 ⪯I R2. Hence, R1 ⋠I R3 and R2 ⪯I R3 cannot both hold, and T3 is aborted by the check on z.P. This example shows that no illegal information flow occurs in our synchronization method. Each object oi just keeps a record, in the variable oi.P, of the purpose of the transaction which most recently wrote it. By using this simple mechanism, illegal information flow can be prevented.

5. Evaluation

In concurrency control algorithms like the 2PL protocol [18] and the TO scheduler [18], methods are ordered without considering whether illegal information flow occurs. In the RO scheduler [12,13], conflicting methods issued by different transactions are ordered just by the significantly dominant relation ⪯s of the purposes of the transactions. Suppose a transaction T1 issues a write method op1 and another transaction T2 issues a read method op2 to an object o. Here, the methods op1 and op2 conflict with one another. If the purpose PR(T1) of the transaction T1 is more significant than the purpose PR(T2), i.e. PR(T2) ⪯s PR(T1), the method op1 is performed prior to the method op2. However, illegal information flow occurs unless PR(T1) ⪯I PR(T2), since the transaction T2 can then obtain, through the object o, data of an object which it is not granted the right to read. In the scheduler LIFS discussed here, one of the transactions T1 and T2 is aborted since the scheduled execution of op1 and op2 implies illegal information flow. Hence there is no illegal information flow. In this evaluation, we make the following assumptions:

[Assumptions]
1. There are three objects o1, o2, and o3, where each object oi supports a pair of methods read and write. The object o1 is the most secure and the object o2 is more secure than the object o3.
2. There are three roles r1 = {〈o1, write〉, 〈o1, read〉}, r2 = {〈o2, write〉, 〈o2, read〉}, and r3 = {〈o3, write〉, 〈o3, read〉}.
3. There are three purposes R1 = {r1, r2}, R2 = {r2, r3}, and R3 = {r3}.
4. There are three subjects s1, s2, and s3. Each subject si issues the same number l of transactions with the purpose Ri (i = 1, 2, 3).

The roles and the purposes are ordered according to the security levels of the objects and the definition, respectively, as follows:
• r3 ⪯s r2 ⪯s r1.
• R3 ⪯s R2 ⪯s R1.

The read–write ratio r:w shows the ratio of read methods to write methods issued by a transaction. For example, the read–write ratio r:w = 8:2 shows that the transaction issues eight read methods and two write methods. Each transaction issued by a subject si arbitrarily takes ten methods in the purpose Ri with a given read–write ratio r:w. The execution ratio τ of illegal information flow (ILF execution ratio) is the ratio of the total number of methods which imply illegal information flow to the total number of executed methods. τ = 0 if no method causes illegal information flow. τ = 1 means that every performed method causes illegal information flow.

Fig. 9. ILF execution ratio.

Fig. 9 shows the ILF execution ratio τ for 3l transactions (l = 1,…, 34). In the RO scheduler, the ILF execution ratio τ ranges between 16.7% and 22.8% where the read–write ratio r:w of each transaction is 9:1. The ILF execution ratio τ ranges between 9.8% and 16.7% where the read–write ratio r:w of each transaction is 5:5. Thus, if the read–write ratio is 9:1, the ILF execution ratio τ is about 7% larger than where the read–write ratio is 5:5. On the other hand, in the scheduler LIFS, the ILF execution ratio τ is always 0. No illegal information flow occurs. Fig.
10 shows the ILF execution ratio τ for the number 3l of transactions for l = 1, 34, 67, 100, 134, 167, 200. In the scheduler LIFS, the ILF execution ratio τ is always 0 since there occurs no illegal information flow. In the RO scheduler, if the read–write ratio is 9:1, the ILF execution ratio τ is about 7% larger than the read–write ratio is 5:5. In the RO scheduler, illegal information flow might occur even if all transactions are serialized. On the other hand, the scheduler LIFS can prevent the illegal information flow but some transactions are aborted

Fig. 10. ILF execution ratio.

912

T. Enokido et al. / Computer Standards & Interfaces 31 (2009) 906–912

as discussed in the preceding section. We are now measuring how many transactions are aborted. 6. Concluding remarks Information systems have to be not only consistent but also secure in presence of multiple conflicting transactions. Multiple transactions issue conflicting read and write methods to objects. Conflicting methods are required to be serializably performed on objects to keep objects mutually consistent. In addition, objects have to be secure. In the access control models, there might occur confinement problem, i.e. illegal information flow occur even if only authorized subjects manipulate objects in authorized ways. In this paper, we discuss a unified algorithm for the concurrency control and security management based on the role concept. We take a fundamental model where each object supports a pair of primitive read and write methods and each subject is granted a family of roles in the mandatory access control model. We first define the significantly dominant relation R1 ⪯s R2 for a pair of role families R1 and R2. A transaction initiated by a subject s is assigned with some roles in roles granted to the subject s. The roles assigned to a transaction is referred to as purpose. Suppose a transaction T2 with purpose R2 issues a method op2 to an object o and another transaction T1 with purpose R1 issues a method op1 to the object o. Here, the method op2 should be performed prior to the method op1. We next define a legal information flow relation ⪯I among role families. If R1 ⪯I R2 for a pair of role families R1 and R2, no illegal information flow occur if a transaction with the purpose R1 is performed prior to a transaction with the other purpose R2. Otherwise, some illegal information flow might occur. We discussed the legal information flow (LIF) scheduler (LIFS) to keep objects consistent and secure. Conflicting methods are first ordered in the significancy of roles in the scheduler LIFS. 
Then, a method is performed on an object only if no illegal information flow would occur. In the scheduler LIFS, objects are kept not only consistent but also secure in the presence of multiple conflicting transactions. In the evaluation, we showed that illegal information flow occurring in the other schedulers can be prevented in the scheduler LIFS. We evaluated the scheduler LIFS compared with the RO scheduler [12–14] and showed how illegal information flow can be prevented. Suppose R1 ⋠I R2, i.e. R1 ⪯I R2 does not hold. A write method op1 of a transaction T1 with purpose R1 is already performed. Here, if a read method op2 of another transaction T2 with purpose R2 is issued, the transaction T2 is aborted since R1 ⪯I R2 does not hold in the scheduler LIFS. Thus, in the scheduler LIFS, transactions are aborted to prevent illegal information flow. We are now evaluating how many transactions are aborted.
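The abort rule just described and the Fig. 8 scenario of Section 4, together with the ILF execution ratio τ of Section 5, as an added example that is not part of the paper: the legal information flow relation ⪯I is supplied as a given set of purpose pairs (an assumption, since its definition is not reproduced here), and the RO-style scheduler is modelled simply as performing every method and counting the reads that violate ⪯I.

```python
"""Added example, not the paper's own code: the LIFS read check of Fig. 8 and
the ILF execution ratio tau of Section 5.  The legal information flow relation
<=I is supplied as an assumed, precomputed set of (R1, R2) pairs."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Obj:
    """An object; P records the purpose PR(T) of its most recent writer."""
    name: str
    P: Optional[str] = None

def legal(lif_rel, R1, R2):
    """R1 <=I R2: performing purpose R1 before R2 causes no illegal flow
    (the relation is assumed to be reflexive)."""
    return R1 == R2 or (R1, R2) in lif_rel

def simulate(schedule, lif_rel, abort_on_illegal):
    """Perform (txn, purpose, op, obj) steps in order.
    abort_on_illegal=True  models LIFS: Perform(T, read, o) aborts T when
        o.P <=I PR(T) fails, and T's later steps are skipped.
    abort_on_illegal=False models an RO-style scheduler: every method is
        performed and illegal reads are only counted.
    Returns (sorted aborted transactions, tau = illegal / executed methods)."""
    objs, aborted = {}, set()
    executed = illegal = 0
    for txn, purpose, op, oname in schedule:
        if txn in aborted:
            continue
        o = objs.setdefault(oname, Obj(oname))
        if op == "read" and o.P is not None and not legal(lif_rel, o.P, purpose):
            if abort_on_illegal:
                aborted.add(txn)  # LIFS: abort T, do not perform the read
                continue
            illegal += 1          # RO: read performed anyway, illegal flow
        executed += 1
        if op == "write":
            o.P = purpose         # remember the writer's purpose in o.P
    return sorted(aborted), (illegal / executed if executed else 0.0)

# Constructed schedule of Fig. 8: R1 <=I R2 holds, but R1 <=I R3 does not.
FIG8 = [("T1", "R1", "read", "x"), ("T1", "R1", "write", "y"),
        ("T2", "R2", "read", "y"), ("T2", "R2", "write", "z"),
        ("T3", "R3", "read", "z")]
FIG8_LIF = {("R1", "R2")}

if __name__ == "__main__":
    print(simulate(FIG8, FIG8_LIF, True))    # (['T3'], 0.0): LIFS aborts T3
    print(simulate(FIG8, FIG8_LIF, False))   # ([], 0.2): RO lets the flow through
```

Under LIFS the read of z by T3 is refused and τ stays 0; the RO-style run performs all five methods, one of which carries the illegal flow, so τ = 1/5.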

References

[1] E. Bertino, P. Samarati, S. Jajodia, High assurance discretionary access control in object bases, Proc. of the 1st ACM Conference on Computers and Communication Security, 1993, pp. 140–150.
[2] Oracle Corporation, Oracle8i Concepts Vol. 1 Release 8.1.5. URL http://www.omg.org/docs/formal/98-07-04.pdf.
[3] Sybase, Sybase SQL Server. URL http://www.sybase.com/.
[4] D. Ferraiolo, R. Kuhn, Role-based access controls, Proc. of the 15th NIST-NCSC National Computer Security Conference, 1992, pp. 554–563.
[5] D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control, Artech House, Norwood, MA, 2005.
[6] R.S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman, Role-based access control models, IEEE Computer 29 (2) (1996) 38–47.
[7] Z. Tari, S.W. Chan, A role-based access control for intranet security, IEEE Internet Computing 1 (1997) 24–34.
[8] R. Chon, T. Enokido, M. Takizawa, Inter-role information flow in object-based systems, Proc. of the IEEE 18th International Conference on Advanced Information Networking and Applications (AINA-2004), vol. 1, 2004, pp. 196–201.
[9] K. Izaki, K. Tanaka, M. Takizawa, Information flow control in role-based model for distributed objects, Proc. of the IEEE International Conference on Parallel and Distributed Systems (ICPADS-2001), 2001, pp. 363–370.
[10] D.E. Denning, A lattice model of secure information flow, Communications of the ACM 19 (5) (1976) 236–343.
[11] R.S. Sandhu, Lattice-based access control models, IEEE Computer 26 (11) (1993) 9–19.
[12] T. Enokido, M. Takizawa, Concurrency control based-on significancy on roles, Proc. of the IEEE 11th International Conference on Parallel and Distributed Systems (ICPADS2005), vol. 1, 2005, pp. 196–202.
[13] T. Enokido, M. Takizawa, Role-based concurrency control for distributed systems, Proc. of the IEEE 20th International Conference on Advanced Information Networking and Applications (AINA-2006), vol. 1, 2006, pp. 407–412.
[14] T. Enokido, M. Takizawa, Concurrency control using subject- and purpose-oriented (SPO) view, Proc. of the 2nd International Conference on Availability, Reliability and Security (ARES2007), 2007, pp. 454–461.
[15] K.P. Eswaran, J.N. Gray, R.A. Lorie, I.L. Traiger, The notions of consistency and predicate locks in a database system, Communications of the ACM 19 (19) (1976) 624–633.
[16] J. Gray, Notes on database operating systems, Lecture Notes in Computer Science, vol. 60, Springer, Berlin, 1978, pp. 393–481.
[17] K. Watanabe, Y. Sugiyama, T. Enokido, M. Takizawa, Moderate concurrency control in distributed object systems, Journal of Interconnection Networks (JOIN) 5 (3) (2004) 233–247.
[18] P.A. Bernstein, V. Hadzilacos, N. Goodman, Concurrency Control and Recovery in Database Systems, Addison-Wesley, Boston, MA, 1987.

Tomoya Enokido was born in Chiba, Japan, in 1974. He received B.E. and M.E. degrees in Computers and Systems Engineering from Tokyo Denki University, Japan in 1997 and 1999, respectively. After working for NTT Data Corporation, he joined Tokyo Denki University in 2002. He received his D.E. degree in Computer Science from Tokyo Denki University in 2003. After working as a research associate in Computers and Systems Engineering at Tokyo Denki University, he joined the Faculty of Business Administration of Rissho University in 2005. He is currently a lecturer in the Faculty of Business Administration, Rissho University. He won the best paper award of the IEEE 18th International Conference on Advanced Information Networking and Applications (AINA 2004), 2004. His research interests include distributed systems, group communication, and distributed objects. He is a member of IEEE and IPSJ.

Valbona Barolli received the Bachelor's Degree in Economics from Tirana University, Albania in 1991 and an MS Degree from Fukuoka Institute of Technology, Japan in 2006. Presently, she is a PhD student at the Graduate School of Science and Engineering, Tokyo Denki University, Japan. She has published about 30 research papers in International Journals, International Conference Proceedings and National Workshops. She won the Best Paper Award in the International Workshop on Distributed, Parallel and Network Applications (DPNA-2005/ICPADS-2005), the Young Researcher Award from the Multimedia Communications and Distributed Processing Workshop (DPSWS'2005), and the Best Papers Award in the International Workshop on Advanced Distributed, Parallel and Network Applications (ADPNA-2007/ICPP-2007). Her research is supported by a Grant-in-Aid for Young Researchers Scholarship from C&C Foundation, Japan. Her research interests are in e-business, process and system modeling, operational research, information economics, distributed processes and systems, and network pricing models.

Makoto Takizawa is a Professor in the Department of Computers and Systems Engineering. He was a Visiting Professor at GMD-IPSI (currently Fraunhofer), Germany (1989–1990) and at Keele University, England (1990). He is on the Board of Governors and a Golden Core member of the IEEE Computer Society and a fellow of the Information Processing Society of Japan (IPSJ). He received his BE, ME in Applied Physics and DE in Computer Science from Tohoku University, Japan. He was a general co-chair and a program co-chair of IEEE ICDCS in 2002 and 1998, respectively. He also chairs many international conferences like IEEE ISORC, IEEE ICPADS, and DEXA. He founded the IEEE International Conference on Advanced Information Networking and Applications (AINA). His research interests include distributed systems, group communications, distributed objects, fault-tolerant systems, and information security.