Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September 19, 2000

Policy-Carrying, Policy-Enforcing Digital Objects

Sandra Payette and Carl Lagoze, Cornell Digital Library Research Group

ECDL2000, Lisbon, Portugal

September 19, 2000

Digital Library Context

• Repositories of simple, familiar entities

• Repositories of complex, dynamic objects

Access Control Challenge

Enforcement of highly expressive access control policies to support context-specific and object-specific requirements of digital libraries.

Figure: an axis running from General-Purpose Policy Enforcement to Context-Specific Policy Enforcement.

Limitations of traditional access control mechanisms

• Limited expressiveness for policies

• Fixed set of abstractions

– objects are files, directories, etc.

– actions are read, write, execute, etc.

• Not easily extended for complex or fine-grained policies

Policy Enforcement Continuum

Figure: a continuum from repository-centric enforcement (general-purpose policies) to object-centric enforcement (context-specific policies), with Digital Objects placed along it.

Policy-Carrying, Policy-Enforcing Digital Objects - motivation

• Semantics of policy language must parallel the behavioral semantics of real-world entities

• Secure enforcement of fine-grained, context-sensitive policies

• Extensibility for policies and enforcement mechanisms

• Support for portability and mobile computing (enforce policies on un-trusted mobile agents)

• Decentralized policy management

Digital Libraries: context-specific policies

• Distance Education (“Lecture object”):

– “guests may view course syllabus and slides 1-10 of Lecture 1, but may not view the Lecture 1 video or other slides.”

– “students may not view Lecture 2 video unless they submit assignment for Lecture 1.”

• Library digitization (“Book object”):

– “before copyright expiration on 1/1/2002 CU students can access chapters 1-6 and CU alumni can access pages 1-20 of chapter 2; after expiration, all users can access all pages of all chapters.”

• Business Strategy (“Technology portfolio object”):

– “managers may view product specification only after product safety report has been certified by head of R&D.”

– “only the executive team may run the market share simulation”

Building on existing work

• Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000)

• Security Automata (Schneider, 1999)

• PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)

FEDORA: Digital Object Architecture

• Interoperability – among heterogeneous digital objects

• Interface Stability – for accessing digital objects

• Extensibility – of digital object behaviors

• Distribution – of digital object data and executables

• Security – flexible policy enforcement for access control

• Preservation – longevity of digital objects

Fedora Digital Object Model

Figure: a digital object exposes Disseminations through a Generic interface. A PrimitiveDisseminator serves an Internal stream directly; a TypedDisseminator forwards an Encapsulated service request to an Extensible Mechanism, which operates over the object's DataStreams.

Extensible Behaviors - “Lecture”

Figure: the “Lecture” object's Content Disseminations. The LectureMechanism disseminator offers GetVideo(quality), GetSlide(seqNum) and GetSyncData; the DublinCore disseminator offers GetDCRecord and GetDCField(name). The LectureData archive holds the datastreams Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml), together with the carried policies Policy-L (PSlang) and Policy-D (PSlang).

Security Automata

• Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained

• Policies are modeled as state transitions

• Execution Monitoring (EM)

– Class of enforcement mechanisms that enforce policies by simulating a security automaton

– Monitors executions upon a target (system, application, object) and prevents executions that violate policy

– “Reference Monitors” are EM

Source: Schneider, 1999

Example: Simple Security Automaton

“Only authenticated Cornell users can view the lecture.”

Figure: a two-state automaton. In the Un-authenticated user state only View metadata is permitted; Present Cornell ID moves the automaton to the Authenticated user state, where both View metadata and View lecture are permitted.

In-Line Reference Monitoring (IRM)

• Security automata simulations are merged into program object code (checks inserted before each execution)

• The application program, itself, becomes the reference monitor, ensuring that policy is not violated when it runs.

Source: Erlingsson and Schneider, 1999, 2000
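The Lecture-object policies from the “context-specific policies” slide, written as a security automaton and enforced IRM-style: the automaton check runs before each dissemination body, so the object is its own reference monitor. This is an added Python illustration, not code from the slides, Fedora or PoET; the state names, the event tuples and the `enforced` decorator (a stand-in for PoET's bytecode rewriting) are assumptions made for this example.

```python
class SecurityAutomaton:
    """State plus delta(state, event) -> next state, or None for no transition."""
    def __init__(self, start, delta):
        self.state, self.delta = start, delta
    def step(self, event):
        nxt = self.delta(self.state, event)
        if nxt is None:  # EM: halt the target before the bad action executes
            raise PermissionError(f"{event} not allowed in state {self.state!r}")
        self.state = nxt

def lecture_policy(state, event):
    """Lecture-object policies from the slides. State names and the event
    tuples ("slide"|"video"|"submit", lecture, ...) are constructed here."""
    kind, lecture, *rest = event
    if kind == "slide":  # guests: Lecture 1 slides 1-10 only; students: any
        if state == "guest":
            return state if lecture == 1 and 1 <= rest[0] <= 10 else None
        return state
    if kind == "video":  # no video for guests; Lecture 2 needs assignment 1
        if state == "guest" or (lecture == 2 and state != "student_submitted"):
            return None
        return state
    if kind == "submit" and lecture == 1 and state == "student":
        return "student_submitted"
    return None

def enforced(event_of):
    """Stand-in for PoET's rewriting: the automaton check is inserted ahead of
    the dissemination body, so the object itself is the reference monitor."""
    def deco(method):
        def wrapper(self, *args):
            self.automaton.step(event_of(self, *args))
            return method(self, *args)
        return wrapper
    return deco

class Lecture:
    """Digital object carrying its policy automaton (one per user session)."""
    def __init__(self, number, automaton):
        self.number, self.automaton = number, automaton
    @enforced(lambda self, seq: ("slide", self.number, seq))
    def GetSlide(self, seqNum):
        return f"lecture{self.number}-slide-{seqNum}.gif"
    @enforced(lambda self, quality: ("video", self.number))
    def GetVideo(self, quality):
        return f"lecture{self.number}-video-{quality}"
    @enforced(lambda self: ("submit", self.number))
    def SubmitAssignment(self):
        return "accepted"
```

A session's automaton is shared by every Lecture object the user touches, so submitting the Lecture 1 assignment on one object changes what a second object will disseminate.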

Figure: Traditional (kernel as Reference Monitor) – the program executable runs on a kernel that contains the OS reference monitor (RM). Language-based security (IRM) – the RM is in-lined into the program itself, which runs on an unchanged kernel.

Policy Enforcement Toolkit (PoET)

• Trusted program rewriter – modifies Java bytecode

• Secure class loader

• Event-oriented policy language (PSLang)

Source: Erlingsson and Schneider, 1999, 2000

Figure (PoET): a Policy in PSlang and the target's Java Bytecode (class file) are fed to the Program rewriter, which emits Modified Bytecode (target with policy embedded). The Secure Class loader loads it into the JVM, and the Program runs (obeys policy).

FEDORA and PoET: IRM Policy Enforcement

Figure: an access request arrives at the Lecture object's Content Disseminations (LectureMechanism, DublinCore), whose Java bytecode is in-lined with the carried policies Policy-L (PSlang) and Policy-D (PSlang) at runtime, over the datastreams Video-H, Video-L, slide-1 (gif), slide-2 (gif) and metadata (xml). The client sees the object structure view (Digital Object, Policy); in the End-User View the policies are enforced transparently.

Challenges and Future Work

• Ramp up - enforcement of more complex policies, more object types

• Examine tension between object-centric vs. repository centric policy enforcement

• Mobile computing - trust schemes to support policy enforcement as objects move

• “Intentional” policies and dynamic policy binding

• Preservation application of security automata – detect unacceptable transitions

References: Fedora

Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998, (Lecture notes in computer science; Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html

Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html

Payette, Sandra and Carl Lagoze, “Policy-Carrying, Policy-Enforcing Digital Objects,” accepted by Fourth European Conference on Research and Advanced Technology for Digital Libraries, Portugal, Springer, 2000, (Lecture notes in computer science), draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps

Payette, Sandra and Carl Lagoze, “Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone,” D-Lib Magazine, June 2000, http://www.dlib.org/dlib/june00/payette/06payette.html

References: Security Automata and PoET

Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR98-1664, Department of Computer Science, Cornell University, July 24, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664

Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR99-1758, Department of Computer Science, Cornell University, July 19, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758

Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786