a flexible access control service for java mobile code hpcc lab 문 정 아
TRANSCRIPT
![Page 1: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/1.jpg)
A Flexible Access Control A Flexible Access Control Service for Java Mobile CodeService for Java Mobile Code
HPCC lab문 정 아
![Page 2: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/2.jpg)
MC (Mobile Code) Tech in Internet
Security Concern design & development
of comprehensive access control frameworks
Static & Dynamic
1. Introduction
![Page 3: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/3.jpg)
2. How To Control Mobile Code- To control MC behavior
Development time control “Safe” programming languages Proof Carrying Code
Run-time access control mechanism Sandbox technique JDK 1.2 security architecture Safe-Tcl security framework
Simple access control lists (ACLs)
![Page 4: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/4.jpg)
.
2. How To Control Mobile Code- Lan-based solutions
(to separate policy from access control implementation)
Logic-based declarative languages
Procedural languages
Other languages (combining procedural & declarative rules)
![Page 5: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/5.jpg)
3. Flexible Access Control Requirements for Mobile Code
In mobile applications, MA is automatic tasks retrieval , processing of patient records
Patient records retrieval initiated from Mobile system
Strict controls on the interactions between MAs & medical DB
![Page 6: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/6.jpg)
A patient’s primary physician is allowed to read & modify the patient’s records;
A physician collaborating with the patient primary physician can read (but not modify) the records only if the patient has explicitly authorized him;
A hospital nurse can view only the records of patients currently in the ward where she is on duty, and only during duty hours;
3. Examples of healthcare applications
![Page 7: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/7.jpg)
4. The Ponder Language for Flexible Access Control Policies
For Policy specification
Expressiveness
Simplicity
Analysability
Policy
Authorisation
![Page 8: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/8.jpg)
Ex>auth+ RecordAccess {
subject s = primary_physicians;target r = patient_records;Action view, modify;When member(s, r.caring_physicians());
}
4.1. Authorisations
![Page 9: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/9.jpg)
4.1. Authorisations
Ex>Typeauth+ RecordAccess(subject s, target t) {
action view, modify;When member(s, r.caring_physicians());
}inst
auth+ r1 = RecordAccess(hospital1/physicians, hospital1/records);
r2 = RecordAccess(hospital2/paediatricians, hospital2/child-records);
}
![Page 10: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/10.jpg)
4.2. Filtering
Typeauth+ FilteredRecordAccess(subject s, target t) {
action view()if containsExternalNodes(s.itinerary){result = reject({“PatientName”, “Address”},
result);}
}
![Page 11: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/11.jpg)
4.3. Policy Groups and Roles
Typerole surgery_nurse (ward) extends nurse(ward) {
constraint workHours = time.between(0800,1700); Attended_patient(p) = member(p, ward) ;
instauth+ nurse_access{ action view(p); target patient_records; when workHours and attended_patient(p);
}
![Page 12: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/12.jpg)
5. A Flexible Access Control Service for Mobile Code
Policy Specification Component (PSC)
Policy Retrieval Component (PRC)
Permission Checking Component (PCC)
Filtering Executor Component (FEC)
![Page 13: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/13.jpg)
5.1 The Java Access Control Architecture
Java security architecture relies on building components
Policy object
Class Loader
Access controller
Security manager
![Page 14: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/14.jpg)
5.2 How to Map Ponder Policies into Java
PolicyEditor
Policycompiler
AnalysisTool
BrowserTool
StructuringTool
AnalysisTool
SemanticAnalyzer
CodeGenerator
Java PoliciesJava Policies
![Page 15: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/15.jpg)
5.3 The Enforcement of Ponder Policies
MA loading: permission assignment
MA access resource : run-time permission evaluation
![Page 16: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/16.jpg)
5.3 The Enforcement of Ponder Policies
Permission assignmentPermission assignment
Current agent execution env.Current agent execution env.
class loader
PRC
Coordinate with
발견된 모든 policy 를
Appropriate protection dom
ain 에 insert!!
발견된 모든 policy 를
Appropriate protection dom
ain 에 insert!!
![Page 17: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/17.jpg)
5.3 The Enforcement of Ponder Policies
Run-time permission evaluationRun-time permission evaluation
Proxy-based mechanism Incoming agents provides instead access proxies
& same resource interface.
Proxy coordinate with the PCC & FEC MCcheckPermissionMCfilter
![Page 18: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/18.jpg)
5.4 Implementation Issues
MCcheckPermission
Access Controller ClassAccess Controller Class
checkPermission
PonderPermissionPonderPermission
implies
Call
![Page 19: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/19.jpg)
5.4 Implementation Issues
i.e> in application MA calls new(FileInputStream(FileName))i.e> in application MA calls new(FileInputStream(FileName))
JDK 1.2 packageJDK 1.2 package
FileInputStream
constructor
PonderFilePermissionPonderFilePermission
checkPermission
Call
Solution (to support constraints with java
& appropriate constraint checkin
g):
Customisability property of the jav
a SecurityManager class.
( i.e. checkPermission method )
Solution (to support constraints with java
& appropriate constraint checkin
g):
Customisability property of the jav
a SecurityManager class.
( i.e. checkPermission method )
![Page 20: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/20.jpg)
6. Conclusion
![Page 21: A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아](https://reader036.vdocuments.pub/reader036/viewer/2022062519/5697c01c1a28abf838ccfb5b/html5/thumbnails/21.jpg)
THANK YOU FOR YOUR ATTENTION !