Policy-Carrying, Policy-Enforcing Digital Objects
Sandra Payette and Carl Lagoze, Cornell Digital Library Research Group
ECDL2000, Lisbon, Portugal
September 19, 2000
Digital Library Context
• Repositories of simple, familiar entities
• Repositories of complex, dynamic objects
Access Control Challenge
Enforcement of highly expressive access control policies to support context-specific and object-specific requirements of digital libraries.
Limitations of traditional access control mechanisms
• Limited expressiveness for policies
• Fixed set of abstractions
– objects are files, directories, etc.
– actions are read, write, execute, etc.
• Not easily extended for complex or fine-grained policies
Policy Enforcement Continuum
[Figure: a spectrum from repository-centric enforcement of general-purpose policies at one end to object-centric enforcement of context-specific policies at the other; policy-carrying digital objects sit at the object-centric end.]
Policy-Carrying, Policy-Enforcing Digital Objects - motivation
• Semantics of policy language must parallel the behavioral semantics of real-world entities
• Secure enforcement of fine-grained, context-sensitive policies
• Extensibility for policies and enforcement mechanisms
• Support for portability and mobile computing (enforce policies on untrusted mobile agents)
• Decentralized policy management
Digital Libraries: context-specific policies
• Distance Education (“Lecture object”):
– “guests may view course syllabus and slides 1-10 of Lecture 1, but may not view the Lecture 1 video or other slides.”
– “students may not view Lecture 2 video unless they submit assignment for Lecture 1.”
• Library digitization (“Book object”):
– “before copyright expiration on 1/1/2002 CU students can access chapters 1-6 and CU alumni can access pages 1-20 of chapter 2; after expiration, all users can access all pages of all chapters.”
• Business Strategy (“Technology portfolio object”):
– “managers may view product specification only after product safety report has been certified by head of R&D.”
– “only the executive team may run the market share simulation”
Building on existing work
• Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000)
• Security Automata (Schneider, 1999)
• PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)
FEDORA: Digital Object Architecture
• Interoperability - among heterogeneous digital objects
• Interface Stability - for accessing digital objects
• Extensibility - of digital object behaviors
• Distribution - of digital object data and executables
• Security - flexible policy enforcement for access control
• Preservation - longevity of digital objects
Fedora Digital Object Model
[Figure: a digital object packages one or more DataStreams (internal streams) together with disseminators. The PrimitiveDisseminator provides the generic interface to the object; a TypedDisseminator binds an ExtensibleMechanism that turns a client request into an encapsulated service request over the datastreams and returns the result as a Dissemination.]
Extensible Behaviors - “Lecture”
[Figure: the Lecture object's datastreams (LectureData, held in an Archive) are Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml), plus two policy datastreams written in PSLang, Policy-L and Policy-D. Two typed disseminators produce its content disseminations: LectureMechanism with GetVideo(quality), GetSlide(seqNum) and GetSyncData, and DublinCore with GetDCRecord and GetDCField(name). Policy-L is drawn alongside the LectureMechanism, Policy-D alongside the DublinCore disseminator.]
Security Automata
• Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained
• Policies are modeled as state transitions: the automaton reads the security-relevant events of an execution, and an event with no transition from the current state is a violation
• Execution Monitoring (EM)
– Class of enforcement mechanisms that enforce policies by simulating a security automaton
– Monitors executions upon a target (system, application, object) and halts an execution before it violates policy
– Reference monitors are EM mechanisms
– EM mechanisms can enforce only safety properties (a violation must be visible in a finite prefix of the execution); liveness and information-flow policies are out of reach, which is why policies here are phrased as automata over event sequences
Source: Schneider, 1999
Example: Simple Security Automaton
“Only authenticated Cornell users can view the lecture.”
[Figure: two states, Unauthenticated user (initial) and Authenticated user. “Present Cornell ID” moves from Unauthenticated to Authenticated. “View metadata” is a self-loop in both states; “View lecture” is a self-loop only in the Authenticated state, so a “View lecture” event in the Unauthenticated state has no transition and is rejected by the monitor.]
In-Line Reference Monitoring (IRM)
• Security automaton simulations are merged into the program's object code (checks inserted before each security-relevant operation)
• The application program itself becomes the reference monitor, ensuring that policy is not violated when it runs
Source: Erlingsson and Schneider, 1999, 2000
[Figure: Traditional enforcement (kernel as Reference Monitor) places the RM in the OS kernel, outside the program executable. Language-based security (IRM) in-lines the RM into the program, so the in-lined program enforces the policy itself.]
Policy Enforcement Toolkit (PoET)
• Trusted program rewriter - modifies Java bytecode
• Secure class loader
• Event-oriented policy language (PSLang)
Source: Erlingsson and Schneider, 1999, 2000
[Figure: PoET pipeline. A policy written in PSLang and a Java bytecode class file go into the program rewriter, which emits modified bytecode (the target with the policy embedded); the secure class loader hands that rewritten class to the JVM, and the program runs, obeying the policy.]
FEDORA and PoET: IRM Policy Enforcement
[Figure: on an access request, the Java bytecode of the object's disseminators (LectureMechanism and DublinCore) is in-lined at runtime with the policies the object carries, Policy-L and Policy-D (PSLang); the rewritten disseminators then produce the content disseminations from the datastreams Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml).]
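The following is an added example, not code from the talk, from PoET, or from Fedora. It sketches in Python what the Simple Security Automaton slide, the distance-education policy (“students may not view Lecture 2 video unless they submit assignment for Lecture 1”) and the PoET/Fedora in-lining slides describe: a security automaton simulated by an execution monitor, and a rewriter that in-lines that monitor into the methods of an object that carries its own policy. The `Lecture` class, its method names, the event names and the datastream contents are assumptions made for the illustration; PSLang itself is not reproduced.

```python
# Added example (not PoET, PSLang or Fedora code). The Lecture class, its
# method names, the event names and datastream contents are assumptions.
import functools


class PolicyViolation(Exception):
    """The automaton has no transition for this event, so the monitor halts it."""


class SecurityAutomaton:
    """States plus a partial transition function over security-relevant events.
    An event without a transition from the current state violates policy: step()
    raises and leaves the state unchanged (halt before the violation, not after)."""

    def __init__(self, initial, transitions):
        self.state = initial
        self.transitions = dict(transitions)  # {(state, event): next_state}

    def permits(self, event):
        return (self.state, event) in self.transitions

    def step(self, event):
        if not self.permits(event):
            raise PolicyViolation(f"{event!r} not permitted in state {self.state!r}")
        self.state = self.transitions[(self.state, event)]
        return self.state


def cornell_lecture_policy():
    """Slide example: only authenticated Cornell users can view the lecture."""
    return SecurityAutomaton("unauthenticated", {
        ("unauthenticated", "view_metadata"): "unauthenticated",
        ("unauthenticated", "present_cornell_id"): "authenticated",
        ("authenticated", "view_metadata"): "authenticated",
        ("authenticated", "view_lecture"): "authenticated",
    })


def assignment_gate_policy():
    """Distance-education example: Lecture 2 video only after the Lecture 1
    assignment is submitted; the Lecture 1 video is viewable in either state."""
    return SecurityAutomaton("not_submitted", {
        ("not_submitted", "view_lecture_1"): "not_submitted",
        ("not_submitted", "submit_assignment_1"): "submitted",
        ("submitted", "view_lecture_1"): "submitted",
        ("submitted", "view_lecture_2"): "submitted",
    })


def inline_policy(cls):
    """In-line reference monitor: rewrite the class so every security-relevant
    method steps the object's own automaton before its body runs (the Python
    analogue of PoET rewriting a class file). cls.policy_factory and
    cls.policy_events travel with the object, which makes it policy-carrying."""
    def monitor_of(obj):
        if not hasattr(obj, "_monitor"):
            obj._monitor = cls.policy_factory()  # one automaton per object instance
        return obj._monitor

    for name, event in cls.policy_events.items():
        original = getattr(cls, name)

        @functools.wraps(original)
        def guarded(self, *args, _orig=original, _event=event, **kwargs):
            monitor_of(self).step(_event)  # the check inserted before execution
            return _orig(self, *args, **kwargs)
        setattr(cls, name, guarded)
    return cls


@inline_policy
class Lecture:
    """Constructed stand-in for the Fedora 'Lecture' object: datastreams plus
    disseminator methods named after the slide (GetVideo, GetDCRecord)."""
    policy_factory = staticmethod(cornell_lecture_policy)
    policy_events = {  # disseminator method -> security-relevant event
        "get_dc_record": "view_metadata",
        "get_video": "view_lecture",
        "authenticate": "present_cornell_id",
    }

    def __init__(self):
        self.dc = {"title": "Lecture 1"}
        self.video = {"H": b"video-H", "L": b"video-L"}

    def get_dc_record(self):
        return dict(self.dc)

    def get_video(self, quality):
        return self.video[quality]

    def authenticate(self, netid):
        return f"authenticated {netid}"


def guest_then_cornell_user():
    """A guest reads metadata, is refused the video, presents a Cornell ID and
    is then served the video: the object enforced its own policy."""
    lecture = Lecture()
    trace = [("metadata", lecture.get_dc_record()["title"])]
    try:
        lecture.get_video("H")
        trace.append(("video", "allowed"))
    except PolicyViolation:
        trace.append(("video", "denied"))
    lecture.authenticate("abc123")
    trace.append(("video", lecture.get_video("H")))
    return trace
```

The rewriter is the trusted component, exactly as in PoET: it must run before the object's code is loaded, and the loaded code must not be able to reach around the inserted checks. Python offers no such guarantee (any caller can assign `lecture._monitor.state` directly), which is why the real system relies on Java's type safety plus a secure class loader that only admits rewritten bytecode; the sketch shows the mechanism, not the isolation.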
Challenges and Future Work
• Ramp up - enforcement of more complex policies, more object types
• Examine tension between object-centric vs. repository-centric policy enforcement
• Mobile computing - trust schemes to support policy enforcement as objects move
• “Intentional” policies and dynamic policy binding
• Preservation application of security automata - detect unacceptable transitions
References: Fedora
Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998 (Lecture Notes in Computer Science, Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html
Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html
Payette, Sandra and Carl Lagoze, “Policy-Carrying, Policy-Enforcing Digital Objects,” accepted by the Fourth European Conference on Research and Advanced Technology for Digital Libraries, Portugal, Springer, 2000 (Lecture Notes in Computer Science); draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps
Payette, Sandra and Carl Lagoze, “Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone,” D-Lib Magazine, June 2000. http://www.dlib.org/dlib/june00/payette/06payette.html
References: Security Automata and PoET
Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR98-1664, Department of Computer Science, Cornell University, July 24, 1999. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664
Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR99-1758, Department of Computer Science, Cornell University, July 19, 1999. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758
Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000. http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786