Page 1: Flexible Regulation of  Virtual Enterprises

Flexible Regulation of Virtual Enterprises

Naftaly Minsky

Rutgers University

Joint work with Xuhui Ao

Page 2: Flexible Regulation of  Virtual Enterprises

N. Minsky: DIMACS, e-commerce May05 2

Outline

The challenges to access control posed by e-commerce.

Regulation of virtual enterprises — a case study.

The law-governed interaction (LGI) mechanism, and how it meets the challenges to access control.

Conclusion

Page 3: Flexible Regulation of  Virtual Enterprises


The Challenges to AC

The distributed and open nature of e-commerce, and its scale.

PKI facilitates scalability, but enforcement of AC policies is still done largely in a centralized fashion, making it hard to scale.

The need for more sophisticated policies, e.g.:

Stateful policies, sensitive to the history of interaction, like budgetary control.

Policies that mandate extra actions, like state change, or auditing.

Page 4: Flexible Regulation of  Virtual Enterprises


The Challenges to AC (cont)

The need for communal (rather than “server-centric”) policies, such as:

An enterprise-wide policy governing a set of servers.

Decentralized electronic marketplace.

B2B commerce, and supply chains.

The need for interoperation between different policies, and for hierarchical organization of policies.

All these challenges need to be met via a single scalable mechanism—for specifying policies, and for enforcing them.

Page 5: Flexible Regulation of  Virtual Enterprises


Governance of Virtual Enterprise (a Case Study)

Consider a coalition C of enterprises {E1, ..., En}, governed by a coalition-policy PC, where each Ei is governed by its own internal-policy Pi. As in: virtual enterprises, supply chains, grid computing, etc.

[Figure: enterprises E1, E2 and E3, with their internal policies P1, P2 and P3, inside the coalition policy PC.]

Page 6: Flexible Regulation of  Virtual Enterprises


Policies Governing a Virtual Enterprise (an Example)

Roles: each Ei should have its director Di(*); and the coalition C a director DC.

A director Di can mint Ei-currency $i needed to pay for services provided by Ei, and it can give DC some of this currency.

A director DC can distribute some of its $i currency among other directors.

Servers at E1 can send their earnings in $1 back to their director.

$i currency cannot be forged, by anyone!

A director D2 can distribute its $i budget among agents at its enterprise.

[Figure: enterprises E1, E2 and E3 with policies P1, P2 and PC; arrows labeled $1 show the movement of E1-currency.]

Page 7: Flexible Regulation of  Virtual Enterprises


The Main Challenges

The flexible formulation of such policies, so that:

they will be consistent, and

their specification and evolution would be manageable.

Enforcement of such policies, and in a scalable manner.

Page 8: Flexible Regulation of  Virtual Enterprises


The Compositions Approach…

Given the set {PC, P1, ..., Pn} of policies.

Construct a set of composed policies: {Pi,j = composition(Pi, PC, Pj)}

Provide these compositions to the reference monitor (RM) that mediates all coalition-relevant interactions.

Compositions were studied by: Gong & Qian 96, and by Bidan & Issarny 98, ...

Page 9: Flexible Regulation of  Virtual Enterprises


… and its Problematics

It is unlikely for arbitrary, and independently formulated, policies to be consistent—so such composition is likely to fail.

Policy composition is computationally intractable (McDaniel & Prakash 2002), and we need N^2 such compositions!

Inflexibility: consider changing a single Pi . . .

Page 10: Flexible Regulation of  Virtual Enterprises


The Proposed Approach

Instead of creating N^2 compositions (Pi, PC, Pj), we will enable each enterprise Ei to create its own policy Pi, subject only to the constraint that Pi would conform to PC.

We will then allow Ei and Ej to interoperate, each enforcing its own policy, Pi and Pj respectively.

We will do this via the control mechanism called law-governed interaction (LGI).

Page 11: Flexible Regulation of  Virtual Enterprises


Law-Governed Interaction (LGI) (main characteristics)

LGI is an access-control and coordination mechanism.

LGI is communal: can impose mandatory policies (called “laws”) over an entire community.

Enforcement is decentralized for scalability (actually, supports a whole spectrum of decentralization).

Supports a wide range of laws, including those that mandate extra actions, in a stateful manner.

Supports hierarchy and interoperability.

Efficient (overhead of about 0.1 ms), and incremental.

Due to be released this summer.

Page 12: Flexible Regulation of  Virtual Enterprises


Centralized Enforcement of Communal Policies

* The problems: potential congestion, and single point of failure

[Figure: agents x, y, u and v communicating through a single reference monitor that holds P, I and S; message labels m ==> y and m'.]

Legend:

P: explicit statement of a policy.

I: policy interpreter.

S: the interaction state of the community.

* Replication does not help, if S changes rapidly enough

Page 13: Flexible Regulation of  Virtual Enterprises


Distributed Law-Enforcement under LGI

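[Figure: agents x, y, u and v, each paired with its own controller holding the law L, an interpreter I and a local state (Sx, Sy, Su, Sv); message labels m ==> y, m' and m''.]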

Page 14: Flexible Regulation of  Virtual Enterprises


Deployment of LGI via a Distributed TCB (DTCB)

[Figure: agents x and y, each with a controller (containing I) hosted on a controller server; labels: adopt(L, name), L, m ==> y, m' and m''.]

Page 15: Flexible Regulation of  Virtual Enterprises


On the basis for trust between members of a community

For a pair of interlocutors to trust each other to comply with the same law, one needs to ensure:

that the exchange of messages is mediated by correctly implemented controllers.

that interacting controllers operate under the same law L.

Such assurances are provided, basically, via certification of controllers, and the exchange of the hash of the law.

[Figure: agents x and y, each behind a controller (Cx, Cy) holding L, I and a control state (CSx, CSy); message labels m ==> y and m''[m', hash(L)].]
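An added example (not from the slides and not Moses code) modeling the enforcement described on the preceding slides: each controller keeps only its own agent's state, and an arriving payment is accepted only when it carries the hash of the same law. The class, law text and message fields are hypothetical; controller certification, which is what makes the reported hash trustworthy, is not modeled.

```python
import hashlib

# Constructed law text: a stand-in for a real law (assumption, not Moses syntax).
LAW = "pay(n): debit sender on sent; credit receiver on arrived; only directors mint"

def law_hash(law: str) -> str:
    return hashlib.sha256(law.encode()).hexdigest()

class Controller:
    """Hypothetical controller: enforces `law` for one agent using only local state."""
    def __init__(self, agent, law, role="agent"):
        self.agent, self.law, self.role = agent, law, role
        self.balance = 0  # local control state of this agent, never shared

    def mint(self, amount):
        # Only a director's controller may create currency.
        if self.role != "director" or amount <= 0:
            return False
        self.balance += amount
        return True

    def send_payment(self, amount):
        # 'sent' event: debit before forwarding, so the sender cannot overspend.
        if amount <= 0 or amount > self.balance:
            return None  # ruling: the message is not forwarded
        self.balance -= amount
        return {"from": self.agent, "pay": amount, "law_hash": law_hash(self.law)}

    def receive(self, envelope):
        # 'arrived' event: accept only from a controller operating under the same law.
        if envelope is None or envelope.get("law_hash") != law_hash(self.law):
            return False
        self.balance += envelope["pay"]
        return True

def demo():
    d1 = Controller("D1", LAW, role="director")
    x = Controller("x", LAW)
    other = Controller("r", LAW + " (edited: skip debit)")
    other.balance = 10**6  # state accumulated under a different law
    d1.mint(100)
    results = {
        "agent_mint": x.mint(50),                     # agents cannot mint
        "budget": x.receive(d1.send_payment(40)),     # director funds x
        "overspend": x.send_payment(41),              # exceeds x's balance
        "other_law": x.receive(other.send_payment(500)),
    }
    results["balances"] = (d1.balance, x.balance)
    return results

if __name__ == "__main__":
    print(demo())
```

No step consults a shared state: the sender's debit and the receiver's credit are decided by two different controllers, which is why both must be known to run the same law.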

Page 16: Flexible Regulation of  Virtual Enterprises

Hierarchy Organization of Coalition Policies (back to the case study)

[Figure: policy hierarchy with PC as superior and P1, P2, ..., Pn as its subordinates.]

Pi is defined as subordinate to PC, and thus constrained to conform to it.

Page 17: Flexible Regulation of  Virtual Enterprises


Interoperability

Let us focus on the interoperability between E2 and E1.

[Figure: enterprises E1, E2 and E3, with their internal policies P1, P2 and P3, inside the coalition policy PC.]

Page 18: Flexible Regulation of  Virtual Enterprises


Interoperability (cont.)

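[Figure: agent x at E2 and agent y at E1, each behind a controller (Cx, Cy) with an interpreter I and a control state, operating under P2 and P1; labels: “Authenticated by CA2 and CAC”, “Authenticated by CA1 and CAC”, m, export(m,y,P1) and imported(x,P2,m).]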

Page 19: Flexible Regulation of  Virtual Enterprises


Conclusion

LGI implementation via the Moses middleware is to be released in May 2005, via: http://www.cs.rutgers.edu/moses/

This initial release would not support policy hierarchy.

For a complete treatment of the coalition problem, see: Ao and Minsky, “Flexible Regulation of Distributed Coalitions,” in Proc. of the 8th European Symposium on Research in Computer Security (ESORICS), October 2003.

Page 20: Flexible Regulation of  Virtual Enterprises

Questions?

Page 21: Flexible Regulation of  Virtual Enterprises


Server-Centric Access-Control (AC)

[Figure: a reference monitor (RM) in front of a server.]

It generally supports only stateless, purely reactive, ACL-based policies, enhanced with RBAC, and this is far from sufficient.

Page 22: Flexible Regulation of  Virtual Enterprises


Enforcing a Communal AC Policy

[Figure: an enterprise under the enterprise-wide (communal) policy P; label: delegate.]

The communal policy may be that certain types of transactions need to be monitored…