
Future Generation Computer Systems 20 (2004) 113–122

Access control in semantic grid

Guanying Bu, Zhiwei Xu∗

Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, PR China

Abstract

The semantic grid (SG) aims at connecting the information silos of the web into a gigantic database and supplying only the useful information to users. Much progress has been made on information representation, extraction and sharing, but access control in SG is seldom discussed. This paper presents an access control model for the semantic grid, which uses asynchronous automata to simulate grid nodes and grids. The classic Bell–LaPadula model is extended to deal with the security properties of SG. Based on application scenarios of information sharing in the China railways industry, this model is used to study the convergence and consistence problems in SG. A prototype is implemented to verify our model. © 2003 Published by Elsevier B.V.

Keywords: Semantic grid; Access control; Vega Grid; Asynchronous automaton

∗ Corresponding author. E-mail address: [email protected] (Z. Xu).
0167-739X/$ – see front matter © 2003 Published by Elsevier B.V. doi:10.1016/S0167-739X(03)00168-7

1. Introduction

The semantic web is an extension of the current web in which information is given well-defined meaning, better enabling computers and people to work in cooperation [1]. It aims at connecting information/knowledge islands into a gigantic database, supplying only the useful information to users [4]. Much progress has been made on the effective representation, sharing, clustering and organization of information, knowledge and services [16,17]. Information sharing and integration will undoubtedly bring forth the problem of access control, which is seldom discussed in the semantic grid (SG) setting. This paper addresses the problem of authorization, and in particular, how to ensure consistent access control in an SG. This problem is challenging because the hosts in an SG environment usually span multiple autonomous administrative domains, and multiple information/knowledge objects in an SG environment are often semantically related.

For authorization in traditional computer systems, the Bell–LaPadula model [6,9,13] provides a theoretical basis. Many influential secure systems, including the US DoD TCSEC [12] and the ISO/IEC Common Criteria (CC) security standards [5], utilized the Bell–LaPadula model. There are a few research efforts dealing with authorization in a grid computing environment. In the community authorization service (CAS) [8], a CAS server is in charge of authorization for a community, while resource providers in the community only need authentication after delegating authorization functions to the CAS server. In generic authorization and access control (GAA) [3], GAA API functions obtain policies from local files, distributed authorization servers, and credentials provided by the user. Its goal is to design a flexible and expressive mechanism for representing and evaluating these authorization policies. The Global Grid Forum is working on a grid security architecture standard [10,11], which is based on Web Services security studies and tries to define fine-grained and coarse-grained authorization mechanisms under the Open Grid Service Architecture (OGSA) framework.

In our previous work [14], we presented a grid access control model and proved a grid access control theorem. This theorem addresses the confidentiality and integrity of grid access control, without semantic considerations. SG has its own semantically based characteristics, which complicate the access control issue by requiring that the SG access control components "understand" the semantic relationships among multiple objects and subjects. In this paper, we address the access control issues related to two kinds of semantic characteristics, named convergence and consistence. We simulate each node in an SG with an asynchronous automaton [7], and compose all these automata to simulate an entire SG. We record all the cases related to these characteristics, then process them with the semantic-enabled transitions defined in the automata, thus maintaining the security of an SG. We also implemented a prototype to verify our theoretical work.

The rest of the paper is organized as follows. In Section 2, we illustrate access control issues special to SGs, especially the convergence and consistence problems, drawn from China railways application scenarios. In Section 3, we present an SG access control model and describe its salient features. In Section 4, we present a theorem that identifies conditions for achieving access control security in an SG with the convergence and consistence problems. In Section 5 we briefly discuss an implementation and offer a few concluding remarks.

2. Convergence and consistence

The Vega Grid is an 80-person strong research project at the Institute of Computing Technology, Chinese Academy of Sciences [15]. Our Vega Grid research team has been asked by the China railways industry to assist them in designing their next-generation information systems, utilizing grid technology. Currently, about a dozen information systems are in production use in China railways, which help to manage the daily operation of the largest railway system in the world. However, all these information systems are isolated silos. To further improve productivity, the next-generation systems have set information sharing and application integration as key design objectives. In designing railways information grid systems, we find that we must consider semantic issues. This paper will focus on two problems, named convergence and consistence, as illustrated in Fig. 1 (more detailed information is shown in Fig. 3). These issues are not unique to the railways systems, but should be considered by access control in any SG. We only informally discuss the two problems here. More formal definitions will be given in Section 3.

Fig. 1. Convergence and consistence problems in railways grid. [Figure: (a) Convergence: user U accesses object O composed of O1, . . . , On; (b) Consistence: user U updates object O, which is related to O1, . . . , Ot, . . . , On.]

The convergence problem is illustrated in Fig. 1(a). A user U wants to buy a railway ticket. Since the railways grid provides a single system image, the user would access a logically single ticket information object represented as O. However, semantically, O is composed of n information objects O1, . . . , On (denoted as O = (O1, . . . , On)) that may be distributed among multiple grid nodes.

The consistence problem is illustrated in Fig. 1(b). The railways people use equipment graphs (also called device graphs) to record the current equipment distribution among stations and bureaus. These graphs are stored in an equipment graph database. At the same time, semantically related information is stored in other databases. When an equipment manager U wants to update an equipment graph (O), this change must be propagated to the other semantically related objects O1, . . . , On to keep the information in the SG consistent.

The above two cases bring new access control requirements which our original work (see Theorem 1 below) could not handle. Under an SG environment, each grid node is autonomous, and it could make its own access control policies without being aware of the access policies of the grid. In Fig. 1(a), if U is allowed to access O but forbidden to access O1, U still cannot access the ticket information he needs. In Fig. 1(b), if U is allowed to update O but forbidden to update O1, then equipment information will become inconsistent. In this paper, we will present a model to address these kinds of problems. This model is based on the Bell–LaPadula model [6] and asynchronous automaton theory [7]. It simulates access control using asynchronous automata, whose states and transitions observe the security properties of the Bell–LaPadula model.

3. An SG access control model

In this paper, we will study and prove the confidentiality [13] of our model. The integrity of our model could be proved using the same method. When we say a grid is secure, we mean confidentiality is enforced in the grid.

In our Vega Grid research project [15], we view a grid as comprised of a set of multiple grid nodes, interconnected by a wide-area network. This grid, although containing physically distributed nodes, should provide a single system image. Authorization poses several challenges in this environment. What should be a valid grid access control policy that governs how grid users access grid resources? How should a grid access policy be implemented to comply with the access control policies of the individual nodes? Is it possible that node policies could contradict one another?

A grid system can be viewed as an undirected graph G = (N, E). Every node Ni in G represents a grid node. Associated with each node Ni ∈ N, we have a grid node automaton; and every edge in G represents the message channel between two grid nodes. Associated with each edge (Ni, Nj) in G, there is a channel automaton. We assume any communication channel that connects two automata is "trusted" [5,14].

3.1. Subjects and objects

In a grid environment, the subjects are classified into two types: grid subjects (global subjects) and node subjects (local subjects). The objects are also classified into two types: grid objects (global objects) and node objects (local objects). If a subject or an object is viewed from the grid, it is a grid subject or a grid object; if it is viewed from a node, it is a node subject or a node object. A grid usually spans multiple autonomous administrative domains, and each domain makes all access control decisions locally on the basis of the local subjects and local objects. In our model, grid subjects, node subjects, grid objects and node objects coexist. We assume each grid subject is associated with a security level, and the security level set forms a lattice with partial ordering relation "≥" [9]. We make two assumptions about grid objects:

• Our model only considers grid-visible objects; objects which are not accessed by the grid are not considered.
• Objects are independent between two nodes. No object could coexist on two nodes at the same time.

For every grid node, we assume it observes the Bell–LaPadula model. Therefore, in any grid node i, the security levels of node objects form a lattice. The security levels of grid objects are constructed according to the node object lattice of each node i, as prescribed in Definition 1 below.

Definition 1. Let n = |N|. Suppose l(i) is the node object lattice of node Ni, l̄i is the maximum security level of l(i), and l̲i is the minimum security level of l(i). Then the set {Sup(l̄1, . . . , l̄n), Inf(l̲1, . . . , l̲n)} ∪ (∪1≤i≤n l(i)) forms the grid object lattice.

Definition 2. Let o be the set of all node objects and O be the set of all grid objects. For any node object oj of Nm, the mapping δ : o → O maps oj to a unique grid object Ok, where k = Σl<m g(Nl) + j, and g(Nl) is the number of objects in Nl.

3.2. Order-preserving mapping

When we implement our grid, we must map grid subjects to node subjects, because only node subjects could directly access the node objects of a grid node. We denote this mapping as θ.


Definition 3. The mapping θ maps grid subjects to node subjects, such that si = θ(Si, m) denotes that grid subject Si is mapped to node subject si of node m.

Through the mapping θ, we can construct the relationship between grid subjects and grid objects. Based on this relationship, we can deduce the security properties of the grid. But this mapping cannot be arbitrary. We need this mapping to be order-preserving on a grid node, and if it is not order-preserving, the objects of this node should be local trivial.

Definition 4. Suppose Si, Sj are any two grid subjects. Si, Sj are mapped to node subjects si, sj of node m by θ, and their security levels are Li, Lj, li, lj, respectively. The possible relationships between li, lj are: (i) li > lj; (ii) li < lj; (iii) li || lj; (iv) li = lj. We say θ is order-preserving on node m if the following conditions hold: if Li > Lj, case (i) or (iii) holds; if Li = Lj, case (iii) or (iv) holds. The notation "||" means none of li > lj, li < lj, li = lj holds.

Definition 5. Suppose Si, Sj are any two grid subjects. Si, Sj are mapped to node subjects si, sj of node m by a non-order-preserving mapping θ, and their security levels are Li, Lj, li, lj, respectively. A subject could have three access rights to an object: read (r), write (w), append (a). We say the objects of node m are local trivial if, for any object op of m with security level lp, Ok is the grid object such that Ok = δ(op), the current security levels [6] of si, sj are lCi, lCj, and the following conditions (A)–(D) hold:

(A) When two grid subjects are mapped to the same grid node:
  (1) If Si, Sj both have right r to Ok and Li > Lj, and they are mapped to node subjects si, sj of the same grid node, then lj ≥ li ≥ lp holds.
  (2) If Si, Sj both have right a to Ok, Li < Lj, and they are mapped to node subjects si, sj of the same grid node, then lj ≤ li, lCj ≤ lp and lCi ≤ lp hold.
(B) When two grid subjects are mapped to different grid nodes:
  (1) If Si, Sj both have right r to Ok, Li = Lj, and they are mapped to node subjects si, sj with security levels li, lj, respectively, one of the following cases holds: (a) lj > li ≥ lp; (b) li > lj ≥ lp.
  (2) If Si, Sj both have right a to Ok, Li = Lj, and they are mapped to node subjects si, sj with security levels li, lj, respectively, then li = lj, lCj ≤ lp and lCi ≤ lp hold.
(C) If Si is mapped to si and Si does not access any grid object (that is, si does not access any node object), then Si, si could be of any security level.
(D) For all the cases other than (A)–(C), if Li = Lj, then li = lj or li || lj holds; if Li > Lj, then li > lj or li || lj holds.

Fig. 2 shows two local trivial examples. Here S1, S2 are grid subjects with security levels L1, L2, respectively, L1 > L2; s1, s2 are node subjects with security levels l1, l2, respectively. An arrow from a grid subject to a node subject indicates that the grid subject is mapped to the node subject. The arrow from node subject s2 to node object o3 with label r1 indicates that s2 has access right r1 to o3. In (a), l1 = l2, and r1 could be r or a; in (b), l1 < l2, and r1, r2 could both be r, or both be a. If θ is not order-preserving, these cases could violate the Bell–LaPadula model, hence make a security compromise. These examples show that we do need the "order-preserving" and "local trivial" conditions to maintain grid security.

Fig. 2. Illustrating local trivial examples. [Figure: (a) grid subjects S1, S2 mapped to node subjects that access node object o3 with right r1; (b) grid subjects S1, S2 mapped to node subjects s1, s2 that access node object o3 with rights r1, r2.]
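As an added illustration of Definition 4 (this code is not from the paper), the following Python function checks whether a mapping θ is order-preserving on a node and reports the subject pairs that violate the condition. It assumes security levels are encoded as (classification, category set) pairs ordered by Bell–LaPadula dominance, and it reproduces the Fig. 2(b) situation (L1 > L2 but l1 < l2) as constructed data.

```python
"""Added example (not the paper's code): checking whether the mapping theta of
Definition 3 is order-preserving on a node in the sense of Definition 4.
A security level is encoded as (classification, frozenset of categories), an
assumption of this example; the partial order is Bell-LaPadula dominance."""
from itertools import combinations


def dominates(a, b):
    """a >= b in the lattice: higher classification and superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def relation(a, b):
    """Return '>', '<', '=' or '||' (incomparable) for two levels."""
    if a == b:
        return "="
    if dominates(a, b):
        return ">"
    if dominates(b, a):
        return "<"
    return "||"


def order_preserving_violations(grid_levels, node_levels):
    """grid_levels maps grid subject -> L (grid lattice); node_levels maps the
    same grid subject -> l, the level of theta(S, m) on node m.
    Returns the pairs (Si, Sj) that break Definition 4: Li > Lj requires
    li > lj or li || lj, and Li = Lj requires li = lj or li || lj."""
    violations = []
    for si, sj in combinations(grid_levels, 2):
        big = relation(grid_levels[si], grid_levels[sj])
        if big == "<":               # orient the pair so that Li > Lj
            si, sj = sj, si
            big = ">"
        small = relation(node_levels[si], node_levels[sj])
        if big == ">" and small not in (">", "||"):
            violations.append((si, sj))
        elif big == "=" and small not in ("=", "||"):
            violations.append((si, sj))
        # big == "||": Definition 4 imposes no constraint on li, lj
    return violations


def fig2b_case():
    """Constructed instance of Fig. 2(b): L1 > L2 but l1 < l2 on the node."""
    grid = {"S1": (2, frozenset()), "S2": (1, frozenset())}
    node = {"S1": (1, frozenset()), "S2": (2, frozenset())}
    return order_preserving_violations(grid, node)


if __name__ == "__main__":
    print(fig2b_case())   # [('S1', 'S2')]: theta is not order-preserving here
```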


3.3. Convergence and consistence

In Fig. 1(a), object O = (O1, . . . , On). When a grid user U wants to read O, if access right {r} belongs to the access matrix entry of U about O, and {r} is not included in that of U about Ot, 1 ≤ t ≤ n, then U could read O while it could not read Ot. In Fig. 1(b), object Ot has a semantic relation with object O, for example Ot = 2×O. When grid user U wants to write to object O, if access right {w} belongs to the access matrix entry of U about O, and {w} is not included in that of U about Ot, then U could write O while it could not write Ot. Both cases make contradictions. We define these two cases as convergence and consistence, respectively.

Definition 6. Suppose object O = (O1, . . . , On). Here if O is a global object, then O1, . . . , On are all global objects; if O is a node object, then O1, . . . , On are all local objects on (not necessarily) different nodes.

Definition 7. Suppose object O = R(Ot), where R is a one–one function of object Ot, for example O = 2×Ot. Here if O is a global object, O1, . . . , On are all global objects; if O is a node object, O1, . . . , On are all local objects on (not necessarily) different nodes.

The two examples in Fig. 1 illustrate the distinctive characteristics of the SG environment:

• An object could be semantically composed of many other objects (convergence).
• An object could be semantically related to other objects (consistence).

Suppose subject S accesses object O under an SG environment. The convergence requirement indicates that when O is the combination of multiple objects, the access to O implies accesses to the underlying objects. This requires that the access right of S about O must belong to the access matrix [6] entry of S about any of the underlying objects. The consistence requirement shows that when multiple objects are related with O, the access to O implies accesses to the related objects. This requires that the access right of S about O must belong to the access matrix entry of S about any of the related objects. In summary, the requirements for SG access control are:


• Accessible: A user could access the objects he is authorized to access without knowing the details of the underlying grid nodes.
• Secure [6,9]: The access should be secure.
• Autonomous Control Compatibility: The access control policies of the SG should not conflict with the access control policies of the underlying grid nodes.

We define two properties to reflect these requirements.

Definition 8 (Access right invariableness for grid N). Suppose grid N = ∏i∈I Ni, object O = (O1, . . . , On) or O = R(O1). Consider the following two cases:
(1) O is a global object of N, S is a grid subject of N and for any i, 1 ≤ i ≤ n, Oi is a grid object of N.
(2) O is a local object of Nh, S is a local subject of Nh, and for any i, 1 ≤ i ≤ n, Oi is a local object of Nm.
Let MSO be the access matrix entry of S about O, and let access right x belong to MSO, that is x ∈ MSO. Then we say N satisfies access right invariableness if the following conditions hold:
(A) When case (1) holds, for each i, 1 ≤ i ≤ n, access right x must belong to the access matrix entry of S about Oi, that is x ∈ MSOi.
(B) When case (2) holds, let s be any global subject s ∈ θ−1(S, h); for each i, 1 ≤ i ≤ n, access right x must belong to the access matrix entry of θ(s, m) about Oi, that is x ∈ Mθ(s,m)Oi.

Definition 8 (Access right invariableness for grid node Nh). Suppose Nh is a grid node of grid N, N = ∏i∈I Ni, O is a local object of Nh, S is a local subject of Nh, object O = (O1, . . . , On) or O = R(O1), and for any i, 1 ≤ i ≤ n, Oi is a local object of Nm. Access right x belongs to the access matrix entry of S about O, that is x ∈ MSO; then we say Nh satisfies access right invariableness if for any global subject s ∈ θ−1(S, h) and for each i, 1 ≤ i ≤ n, access right x must belong to that of θ(s, m) about Oi, that is x ∈ Mθ(s,m)Oi.

Definition 9 (SO-preserving for grid N). Suppose grid N = ∏i∈I Ni, object O = (O1, . . . , On) or O = R(O1), and one of the following cases holds:
(1) O is a global object of N with security level fh, S is a grid subject of N with security level lh and for any i, 1 ≤ i ≤ n, Oi is a grid object of N with security level fi.
(2) O is a local object of Nh with security level fh, S is a local subject of Nh with security level lh and for any i, 1 ≤ i ≤ n, Oi is a local object of Nm with security level fi.
Then we say N is SO-preserving if the following conditions hold:
(A) If case (1) holds, the following conditions must be satisfied:
  (1) If lh ≥ fh, then for any Oi, 1 ≤ i ≤ n, lh ≥ fi.
  (2) If lh ≤ fh, then for any Oi, 1 ≤ i ≤ n, lh ≤ fi.
(B) If case (2) holds, let s be the global subject s = θ−1(S, h); for each i, 1 ≤ i ≤ n, θ(s, m) is the local subject of m with security level li, and the following conditions must be satisfied:
  (1) If lh ≥ fh, then for any Oi, 1 ≤ i ≤ n, li ≥ fi.
  (2) If lh ≤ fh, then for any Oi, 1 ≤ i ≤ n, li ≤ fi.

Definition 9 (SO-preserving for grid node Nh). Suppose Nh is a grid node of grid N, N = ∏i∈I Ni, O is a local object of Nh with security level fh, S is a local subject of Nh with security level lh, object O = (O1, . . . , On) or O = R(O1), and for any i, 1 ≤ i ≤ n, Oi is a local object of Nm with security level fi. Then we say Nh satisfies SO-preserving if the following conditions hold:
(1) If lh ≥ fh, then for any Oi, 1 ≤ i ≤ n, li ≥ fi.
(2) If lh ≤ fh, then for any Oi, 1 ≤ i ≤ n, li ≤ fi.

3.4. Semantic secure grid and grid node

Now we can define semantic security of a grid and of a grid node.

Definition 10. A grid is the composition of grid node automata and channel automata.

Definition 11. A state v of a grid or a grid node is (b, M, f), where b, M, f are defined as follows:
• b ∈ 2^(S×O): indicating which subjects have access to which objects in the state v,
• M ∈ R: indicating the entries of the access matrix in the state v,
• f ∈ F: indicating the (maximum and current) security levels of all subjects and the security levels of all objects.

Definition 12. Suppose Q is either a grid automaton or a grid node automaton. We say a state v of Q is secure iff v satisfies the ss-property, ∗-property and ds-property [6,9,13].

Definition 13. Suppose Q is either a grid automaton or a grid node automaton. We say a state v of Q is semantic secure iff v is secure and satisfies access right invariableness and the SO-preserving property.

Definition 14. Suppose Q is either a grid automaton or a grid node automaton. We say a transition T of Q is a secure-state-preserving transition iff for any state v1 of Q, T : v1 → v2, if v1 is a secure state, then v2 is a secure state.

Definition 15. Suppose Q is either a grid automaton or a grid node automaton. We say a transition T of Q is a semantic-secure-state-preserving transition iff for any state v1 of Q, T : v1 → v2, if v1 is a semantic secure state, then v2 is a semantic secure state.

Definition 16. Suppose Q is either a grid automaton or a grid node automaton. We say Q is secure iff any state v of Q satisfies the ss-property, ∗-property and ds-property.

Definition 17. Suppose Q is either a grid automaton or a grid node automaton. We say grid Q is semantic secure iff any state v of Q is secure and satisfies access right invariableness and the SO-preserving property.

4. Semantic secure SG access control automaton

To adapt to the convergence and consistence problems of SG, we must define the transitions of the automata carefully to deal with these two semantic characteristics, so that the security of the SG could be enforced. We now define the secure asynchronous automaton SecureAutomatonq that simulates access control of grid node q. This automaton has 10 input actions and 10 output actions.

4.1. Signature

• Input:
  ◦ get-read(Si, Oj)qd
  ◦ get-append(Si, Oj)qd
  ◦ get-execute(Si, Oj)qd
  ◦ get-write(Si, Oj)qd
  ◦ release(Si, Oj)qd
  ◦ give(Sχ, Si, Oj, x)qd
  ◦ rescind(Sχ, Si, Oj, x)qd
  ◦ receive-decide(decide)qd
  ◦ change-subject-current-security-level(Si, Lu)qd
  ◦ change-object-security-level(Si, Oj, Lu)qd
• Output:
  ◦ send-decide(decide)qd, 1 ≤ d ≤ n
  ◦ send-get-read(Si, Oj)qd, 1 ≤ d ≤ n
  ◦ send-get-append(Si, Oj)qd, 1 ≤ d ≤ n
  ◦ send-get-execute(Si, Oj)qd, 1 ≤ d ≤ n
  ◦ send-get-write(Si, Oj)qd, 1 ≤ d ≤ n
  ◦ send-release(Si, Oj)qd, 1 ≤ d ≤ n
  ◦ send-give(Sχ, Si, Oj, x)qd, 1 ≤ d ≤ n
  ◦ send-rescind(Sχ, Si, Oj, x)qd, 1 ≤ d ≤ n
  ◦ send-change-subject-current-security-level(Si, Lu)qd, 1 ≤ d ≤ n
  ◦ send-change-object-security-level(Si, Oj, Lu)qd, 1 ≤ d ≤ n


For every input action above, there is a corresponding send output action to forward a request which cannot be processed locally to the automaton which can process it; for example, get-read(Si, Oj)qd has a corresponding send-get-read(Si, Oj)qd. We use send-requestqd as shorthand for all the "send" security requests. The action send-decide(decide)qd sends the decision back to the automaton which sent the corresponding request to this automaton. All the transitions corresponding to these actions just complete the forwarding of requests and decisions, and the transitions themselves do not change the security state of the grid.

4.2. States

• D, v as defined in Definition 11.
• LiL, LiH ∈ L for every subject Si in node q; initially LiL is the lowest security level and LiH is the greatest security level.

4.3. Transitions

For reasons of space, we only show the transition that controls the authorization get-read(Si, Oj)qd here. Suppose Oj is located in node t.

get-read(Si, Oj)qd
Effect:
    if t ≠ q then
        send the request to node t
    else
        D = Yes
        if Oj = (O1, . . . , On) then
            for each k, 1 ≤ k ≤ n:
                if (Ok is on Nq) then
                    if (S, Ok, r) ∉ Msok then D = No
                else if (Ok is on Np) then
                    send-get-read(Si, Oj)pd
                    if receive-decide(decide)qp = No then D = No
        if D ≠ No then
            for each k, Oj = R(Ok):
                if (Ok is on Nq) then
                    if (S, Ok, r) ∉ Msok then D = No
                else if (Ok is on Np) then
                    send-get-read(Si, Oj)pd
        if D ≠ No and fC(Si) ≱ fO(Oj) and r ∈ Mij then
            if fS(Si) ≥ fO(Oj) and fO(Oj) ≤ LiH then
                fC(Si) = Sup(fC(Si), fO(Oj))
                LiL = Sup(LiL, fO(Oj))
                b = b ∪ (Si, Oj, r)
                D = Yes
            else D = No
        else if D ≠ No and [Si ∈ S and fS(Si) ≥ fO(Oj)] and r ∈ Mij then
            b = b ∪ (Si, Oj, r)
            D = Yes
        else D = No

4.4. Tasks

• For every d ≠ q: { send-decide(decide)qd; send-requestqd }.

In our previous work [14], we have shown the following theorem.

Theorem 1. Let {Ni}i∈I be a compatible collection of node automata (I = {1, . . . , n}) and N = ∏i∈I Ni, and let the mapping θ(Sk, m) map grid subject Sk to a node subject of any node m. Then N is a secure grid automaton iff:
(1) For each i ∈ I, Ni is a secure automaton.
(2) The mapping θ(Sk, m) is order-preserving on node m, or the objects of node m are local trivial.

Theorem 1 does not address the semantic issues of convergence and consistence. To adapt it to the SG environment, we must introduce the semantic concepts defined in the former sections. We can prove the following two results. The proof details are shown in [2].


Lemma 1. Every transition we defined in SecureAutomatonq is a semantic-secure-state-preserving transition.

Theorem 2. Let {Ni}i∈I be a compatible collection of automata and N = ∏i∈I Ni, I = {1, . . . , n}. Then N is a semantic secure automaton if the following conditions hold:
(1) N is a secure automaton.
(2) Any transition of SecureAutomatonq, q ∈ I, is a semantic-secure-state-preserving transition.

Proof. (A) N satisfies access right invariableness. Suppose grid object O = (O1, . . . , On) or O = R(O1), O = δ(o). A grid subject S with access right x to O implies that there exists a local subject s of Nj that has access right x to o. According to (2), for any i ∈ I, s has access right x to op, Oi = δ(op). Thus, access right invariableness is satisfied.

(B) N satisfies SO-preserving.


Suppose local object o of Nj has security level lo, o = (o1, . . . , on) or o = R(o1), and s is a local subject of Nj with security level ls. When ls ≥ lo, according to (1), s could only have access right x on o, x ∈ {r, w}. If N does not satisfy SO-preserving, then grid subject S has a security level less than that of grid object O, O = δ(o), s = θ(S, j), but S has access right r or w on O. This is a contradiction. When ls ≤ lo, according to (1), s could only have access right x on o, x ∈ {a, w}. If N does not satisfy SO-preserving, then grid subject S has a security level greater than that of grid object O, O = δ(o), s = θ(S, j), but S has access right a or w on O; this also makes a contradiction. According to Definition 17, N is semantic secure. □

5. Implementation

Although our method is theoretical, the requirements come from applications in China railways. We have used the theoretical study to guide the design of the China railways information grid. Our Vega Grid team has built a prototype SG system, applying the results in the previous sections. Access control in this information grid prototype is illustrated in Fig. 3.


This figure shows three legacy information systems, the ticketing system, the RSMIS statistics system, and the equipment management system, which are distributed information systems spanning multiple railways bureaus/stations. For instance, ticket information is distributed across all the sub-bureaus. However, the railways grid should provide a single system image to the user, who can access ticket information from a single entry point (a portal) shown in Fig. 3 as the Zhengzhou bureau. The grid should also allow information sharing and integration between two systems (RSMIS and the equipment system), connecting silos into a whole. To maintain grid-wide confidentiality, our railways grid system includes a logically centralized grid Information Service module, which maintains convergence and consistence information. This Information Service module coordinates with the access control modules in all the grid nodes (Zhengzhou, Xinxiang, Luoyang, Shangqiu) to implement automata transitions that are semantic-secure-state-preserving.

Fig. 3. Access control in China railways information grid prototype. [Figure: the Zhengzhou Bureau hosts the grid user portal (ticket, device graph), the Information Service with convergence and consistence information, and grid access control; the Zhengzhou, Xinxiang, Luoyang and Shangqiu nodes (RSMIS, sub-bureaus) each run local access control.]

6. Conclusions

In this paper, we have extended the Bell–LaPadula model to study access control in an SG. With the tools of asynchronous automata and lattice theory, we present an SG access control model and an SG security theorem. Our main result is Theorem 2, which indicates that by carefully defining transitions, one can maintain confidentiality in an SG where the issues of convergence and consistence could arise. We also built a prototype SG system for China railways information sharing and integration. Tests based on application scenarios indicate that this approach is viable. Theorem 2 only identifies sufficient conditions for semantic security. A future research topic is to find necessary and sufficient conditions.

Acknowledgements

This work is supported in part by the National Natural Science Foundation of China (Grant No. 69925205), the China Ministry of Science and Technology 863 Program (Grant No. 2002AA104310) and the Chinese Academy of Sciences Oversea Distinguished Scholars Fund (Grant No. 20014010). This paper benefited from discussions with Mr. Boyu Chen, Mr. Xinzhou Liu, Mr. Yigang He of the Zhengzhou Railways Bureau, and Dr. Songlin Hu of Institute of Computing Technology, Chinese Academy of Sciences.

References

[1] T. Berners-Lee, J. Hendler, O. Lassila, The semantic web, Sci. Am. 5 (2001).
[2] G. Bu, Z. Xu, A semantic grid access control theorem and its proof, Vega Grid technical report, VGP-5, Institute of Computing Technology, Chinese Academy of Sciences, January 2003.
[3] G. Gheorghiu, T. Ryutov, B.C. Neuman, Authorization for metacomputing application, in: Proceedings of the Seventh International Symposium on High Performance Distributed Computing, 1998.
[4] J. Hendler, T. Berners-Lee, E. Miller, Integrating applications on the semantic web, J. Inst. Electrical Eng. Jpn. 122 (10) (2002) 676–680 (English version).
[5] International Standard, Evaluation Criteria for IT Security. Part 1. Introduction and General Model, 1st ed., ISO/IEC 15408-1, December 1999.
[6] T.Y. Lin, Bell–LaPadula Axioms: a 'new' paradigm for an 'old' model, in: Proceedings of the 1992 ACM SIGSAC New Security Paradigms Workshop, 1992, pp. 82–93.
[7] N.A. Lynch, Distributed Algorithms, Morgan Kaufmann, Los Altos, CA, 1997.
[8] L. Pearlman, V. Welch, I. Foster, C. Kesselman, S. Tuecke, A community authorization service for group collaboration, in: Proceedings of the IEEE Third International Workshop on Policies for Distributed Systems and Networks, 2001.
[9] R.S. Sandhu, Lattice-based access control models, IEEE Comput. 26 (11) (1993) 9–19.
[10] F. Siebenlist, V. Welch, S. Tuecke, I. Foster, N. Nagaratnam, P. Janson, J. Dayka, A. Nadalin, OGSA security roadmap, July 2002.
[11] S. Tuecke, Grid security infrastructure (GSI) roadmap, Grid Forum Draft, GSI Working Group, October 2000.
[12] Trusted computer system evaluation criteria, DOD5200.28STD, US Department of Defense, December 1985.
[13] N.A. Waldhart, The army secure operating system, in: Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, 1990, pp. 50–60.
[14] Z. Xu, G. Bu, A theorem on grid access control, in: Proceedings of the International Workshop on Grid and Cooperative Computing, 2002, pp. 1003–1016.
[15] Z. Xu, N. Sun, D. Meng, W. Li, Cluster and grid superservers: the dawning experience in China, in: Proceedings of the Third IEEE International Conference on Cluster Computing, 2001.
[16] H. Zhuge, A knowledge grid model and platform for global knowledge sharing, Expert Syst. Appl. 22 (4) (2002) 313–320.
[17] H. Zhuge, Clustering soft-devices in semantic grid, Comput. Sci. Eng. 11/12 (2002) 60–62.

Guanying Bu received his PhD from Institute of Computing Technology, Chinese Academy of Sciences. His research interests are grid computing and its theoretical model.

Zhiwei Xu received his PhD from University of Southern California. He is a professor and deputy director of the Institute of Computing Technology, Chinese Academy of Sciences. His research interests are grid and cluster computing, computer architecture and secure operating system.