researResearch - Télécom Bretagne
researResearch - Télécom Bretagne
researResearch - Télécom Bretagne
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
h Research<br />
9<br />
RESEARCH<br />
Main achievements of the project<br />
Security policy expression<br />
The work aimed at expanding the expressiveness<br />
of the OrBAC 1 model and the functions of the<br />
MotOrBAC prototype (a support tool for<br />
expressing a security policy with the OrBAC<br />
model) continues within the framework of the<br />
ANR Polux and Fluor projects. It consists notably<br />
of integrating both access control and information<br />
flow control requirements into the OrBAC model<br />
by using particular contexts enabling control of<br />
domain transitions [1]. We have also defined a<br />
general delegation and revocation of rights model<br />
and shown that this model is more expressive<br />
than the other existing models (thesis under joint<br />
supervision with SupCom Tunis). Finally, we have<br />
formalised a model with a wide range of<br />
obligation expressions, permitting notably the<br />
specification of obligations with deadlines, of<br />
persistent obligations and of group obligations.<br />
This formalism allows expansion of the OrBAC<br />
model in order to express security policies<br />
integrating usage control requirements (control<br />
before, during or after use of the resource).<br />
Methodology for the deployment of<br />
security policies<br />
The MotOrBAC prototype is based on a modular<br />
architecture which allows easy integration of new<br />
functions in order to deploy a security policy in the<br />
form of plug-ins. We have notably formalised the<br />
deployment of security policies that depend on<br />
contextual conditions (for example, time delays or<br />
location or intrusion events) [2]. In this case,<br />
MotOrBAC can be used to manage the contextual<br />
conditions and dynamically redeploy the policy<br />
when the context changes. We have developed<br />
another plug-in enabling translation of OrBAC<br />
requirements into the oasis standard XACML , a<br />
language to express access control policies. This<br />
work is in the process of being integrated into the<br />
negotiation of security policies architecture XENA,<br />
developed within the RNRT “Politess” project<br />
framework [9]. We are currently studying the<br />
deployment of information flow control<br />
requirements based on domain partitioning, such<br />
as those currently embedded in some secured<br />
versions of Linux, in particular Security Enhanced<br />
Linux.<br />
Implementing security<br />
The work carried out under a thesis funded by the<br />
initiative programme « Reseaux autonomes and<br />
spontanés » (Autonomous and Spontaneous<br />
Networks) supported by the Telecom Institute<br />
concerns interoperability between organisations<br />
with different security policies. The work focused<br />
on the secure management of interoperability<br />
based on the definition of contracts. This notion of<br />
a contract combined with an ontological mapping<br />
enables derivation of interoperability policies<br />
between organisations and has been integrated<br />
into O2O (Organization to Organization), an<br />
extension of the OrBAC model. We are also<br />
working on securing applications using aspect<br />
weaving techniques as in the AOP (Aspect<br />
Oriented Programming) approach. This approach<br />
is effective, each of the aspects woven into an<br />
application corresponding to a call to the API of<br />
MotOrBAC to carry out the required security<br />
checks.<br />
Secure content distribution<br />
Within the P2Pim@ges project which is supported<br />
by the business and research pole « Images et<br />
Reseaux (Images and Networks)» we study the<br />
implementation of security requirements in peer<br />
to peer(P2P) systems. Control of content<br />
distribution relies on DRM (Digital Right<br />
Management) techniques via the implemention of<br />
the OPA (Onion Policy Administration) model and<br />
the FORM (Federated Right Expression Model).<br />
This approach is integrated in the Protekto<br />
platform which combines the functions of identity<br />
management based on single authentication<br />
mechanisms (Single Sign On) with management<br />
of access to content authorisation as well as the<br />
distribution of that content.<br />
Network Security<br />
In the context of work related to the development<br />
of services through the Parlay/Parlay X bridge, the<br />
location service constitutes one of the new<br />
services creating heightened interest for<br />
operators. Privacy treatment and management is<br />
a central consideration. An improved treatment of<br />
pseudonyms was proposed and integrated into an<br />
179<br />
1) OrBAC : Organization Based Access Control<br />
2) XACML : eXtensible Access Control Markup Language