Access Control & Security Management
GRIDLOCK: A new scalable approach to unifying computer and communications security
The GRIDLOCK hypothesis is that use of
a globally specified and locally interpreted policy language for
specification of access control policy can provide a new, unified
approach to securing network applications. In particular, this
approach can be used to specify network access control policies and
host access control policies in combination to provide
virtual private services. Virtual Private
Services logically compose the security mechanisms of different system
components (and their policies) to provide a coherent access control
management plane, as shown below.
The Internet architecture scales to large numbers of hosts, and an
increasing number of host types, as a consequence of the
``end-to-end'' rule-of-thumb, which states roughly that functions
which must be performed at endpoints should be performed
there, and not in the network. Security, and more specifically, access
control, being an end-to-end requirement, would be performed at hosts
using the end-to-end model as a design principle. A risk, however, is
that a principle for achieving scalability may cause a tension with
security design principles. In particular, an increasing concern is
the effect that insecure applications (such as mailers and browsers
tightly integrated into host operating systems) can have on other
applications, and further, on hosts elsewhere in the network. Such
applications have been repeatedly exploited.
One approach to the problem of insecure applications damaging networks
is the use of network access control, enforced by a boundary
controller such as an application gateway or firewall. While this
approach is popular and widely deployed, it suffers from three major
problems: (1) firewalls are difficult to administer; (2)
topological restrictions must be used
to ensure that policies are enforced; and
(3) at best, they provide only a rough (and often incorrect)
approximation of the access control desired by
applications. Additional negative effects of firewalls include
interference with routing and congestion control algorithms which are
otherwise rather effective.
GRIDLOCK is an approach
that, simultaneously, provides more security to applications, greater
scalability, and unification of network access control and host access
control. Policies are specified in a new policy-expression language,
modeled on the KeyNote language we developed for trust management.
This design, like KeyNote,
supports compliance checking, with which
credentials provided by a client can be validated to provide access to
a resource. Our hypothesis is that this approach can be used for both
boundary controllers (where we have some preliminary evidence of
success) and simultaneously in hosts. If we are correct, as this
research is intended to demonstrate, then untrusted code, such as that
attached to e-mails, will be treated as such by the host, as it will
lack any credentials permitting access to anything but the simplest of
host resources. Our belief is that this layer-crossing approach to
security will lead to the creation of a multiplicity of virtual
Our approach is to combine the development of formal semantics for the
unified access control policy with a rigorous experimental
investigation of the approach, using multiple example
The GRIDLOCK project is supported by the NSF
Computing program, under Contract CCR-TC-0208972.
Angelos D. Keromytis,
Professor, Computer Science Department, Columbia University
Professor, Computer Science Department, Yale University
Jonathan M. Smith,
Professor, Computer and Information Science Department, University of Pennsylvania
Sheng Zhong (Ph.D. from Yale in 2004), post-doctoral student at DIMACS (will join the faculty at SUNY Buffalo in September 2005)
Sotiris Ioannidis (Ph.D. from U. Penn
in 2005), post-doctoral student at Stevens
Institute of Technology.
James Alexander (Ph.D. student, U. Penn)
Debra Cook (Ph.D. student, Columbia University)
Matthew Burnside (Ph.D. student,
Michael Locasto (Ph.D. student,
Publications and Presentations
a Theory of Data Entanglement (Extended Abstract)"
James Aspnes, Joan Feigenbaum,
Aleksandr Yampolskiy, and Sheng Zhong.
To appear in the Proceedings of
9th European Symposium
On Research in Computer Security
(ESORICS), September 2004, Sophie
Sandboxes: Extending Systrace to
Empower Applications" Aleksey
Kurchuk and Angelos D. Keromytis. In
Proceedings of the 19th
IFIP International Information
Security Conference (SEC), pp. 473
- 487. August 2004, Toulouse, France.
"Distributed Trust" John Ioannidis and
Angelos D. Keromytis. To appear in Practical Handbook of Internet
Computing, ed. Munindar Singh, CRC Press.
"Towards a Theory of Data Entanglement" James Aspnes, Joan Feigenbaum, Aleksandr Yampolskiy, and Sheng Zhong. Yale University Technical Report YALEU/DCS/TR-1277, March 2004.
"Attacks on the (Enhanced) Yang-Shieh Authentication" Ke-Fei Chen and Sheng Zhong. In Computers & Security, vol. 22, no. 8, 2003.
"A Comment on the Chen-Chung Scheme for Hierarchical Access Control" Sehng Zhong and Tianwen Lin. In Computers & Security, vol. 22, no. 5, 2003.
"Managing Access Control in Large Scale Heterogeneous
Networks" Angelos D. Keromytis, Kostas Anagnostakis,
Sotiris Ioannidis, Michael Greenwald, and Jonathan M. Smith. To appear
in the Proceedings of the NATO NC3A Symposium on Interoperable
Networks for Secure Communications (INSC). November 2003, The
"EasyVPN: IPsec Remote
Access Made Easy" Mark C. Benvenuto and Angelos
D. Keromytis. In Proceedings of the 17th USENIX
Systems Administration Conference
(LISA), pp. 87 - 93. October 2003, San Diego, CA.
"Verifiable Distributed Oblivious Transfer and Mobile
Agent Security" Sheng Zhong and Yang Richard Yang. In Proceedings of
DialM-POMC, September 2003, San Diego, CA.
"Secure and Flexible Global
File Sharing" Stefan Miltchev, Vassilis Prevelakis,
Sotiris Ioannidis, John Ioannidis, Angelos D. Keromytis, and Jonathan
M. Smith. In Proceedings of the USENIX Annual Technical Conference,
Freenix Track, pp. 165 - 178. June 2003, San Antonio, TX.
"Design and Implementation of
Virtual Private Services" Sotiris Ioannidis, Steven
M. Bellovin, John Ioannidis, Angelos D. Keromytis, and Jonathan
M. Smith. In Proceedings of the IEEE International Workshops on
Enabling Technologies: Infrastructure for Collaborative Enterprises
(WETICE), Workshop on Enterprise Security, Special Session on Trust
Management in Collaborative Global Computing, pp. 269 - 274. June
2003, Linz, Austria.
Administrator-Free Approach To Web File-Sharing"
Alexander Levine, Vassilis Prevelakis, John Ioannidis, Sotiris
Ioannidis, and Angelos D. Keromytis. In Proceedings of the IEEE
International Workshops on Enabling Technologies: Infrastructure for
Collaborative Enterprises (WETICE), Workshop on Distributed and Mobile
Collaboration, pp. 59 - 64. June 2003, Linz, Austria.
"Experience with the
KeyNote Trust Management System: Applications and Future
Directions" Matt Blaze, John Ioannidis, and Angelos
D. Keromytis. In Proceedings of the 1st International Conference
on Trust Management, pp. 284 - 300. May 2003, Heraclion, Greece.
"Sprite: A Simple, Cheat-Proof, Credit-Based System for Mobile
Ad-Hoc Networks" Sheng Zhong, Jiang Chen, and Yang Richard Yang. In Proceedings of
IEEE INFOCOMM. March/April 2003, San Francisco, CA.
"Requirements for Scalable Access Control and Security Management Architectures" Angelos D. Keromytis and Jonathan M. Smith. Columbia University Computer Science Department Technical Report CUCS-013-02, 2002.
Poster presentation given at the August 2003 Trusted Computing PI meeting
given by Joan Feigenbaum at the
Workshop on Sensitive Data in Medical,
Financial, and Content-Distribution
Systems, July 2004 (co-chaired by
2004 ITR PI meeting nugget poster