Changes between Version 31 and Version 32 of TIEDABACDemo


Timestamp:
07/13/09 20:24:19
Author:
faber@isi.edu
Comment:

Jay Jacob's comments

  • TIEDABACDemo

    v31 v32  
    44 * Expresses delegation and other authorization models efficiently and scalably
    55 * Allows access requesters and granters to control how much information they reveal
    6  * Provides auditing information that includes both the decision and reasoning
     6 * Provides auditing information that includes both the decision and reasoning behindit (the provenance)
    77 * Supports multiple authentication frameworks as entry points into the attribute space
     8
     9The reasoner is tuned for ABAC's logic and is more efficient than a general reasoning engine.
    810
    911This page outlines these features using a scenario-driven tutorial approach.  We describe the model in more detail [wiki:TIEDABACModel elsewhere] and there are [http://www.isso.sparta.com/research_projects/security_infrastructure/abac_overview.html#docs several papers about ABAC] as well. This page is intended to sketch the power of ABAC.
     
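Review bot: the rewritten auditing bullet ("Provides auditing information that includes both the decision and reasoning behindit (the provenance)") introduces a typo in the text it is fixing: "behindit" should be "behind it". Separately, the added sentence "The reasoner is tuned for ABAC's logic and is more efficient than a general reasoning engine" makes a performance claim with no measure or reference; since the next, unchanged line already links the model page and the ABAC papers, either point that sentence at the paper that backs the efficiency comparison or soften it to what this page can support, e.g. "The reasoner is specialized to ABAC's logic rather than being a general-purpose reasoning engine."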
    1113== Scenario ==
    1214
    13 Consider the ACM using GENI to run a contest like the University of [http://ictf.cs.ucsb.edu/ Santa Barbara International Capture the Flag Contest] on a larger scale.  Security experts from several universities acting under ACM auspices will configure a large network of machines as a playground for intrusion testers.  They will create a slice containing many (virtual) machines that will be configured with a variety of known shortcomings.  Signed data is hidden in various places on the machines.  Then players from many universities - in fact many players from across the country or the world - are granted access to the slice and a scavenger hunt ensues.  The team that most completely audits the security of the network, by capturing the most sensitive data (taken either way), wins.  There may be other scoring.
     15Consider the ACM using GENI to run a contest like the University of Santa Barbara's [http://ictf.cs.ucsb.edu/ International Capture the Flag Contest] on a larger scale.  Security experts from several universities acting under ACM auspices will configure a large network of machines as a playground for intrusion testers.  They will create a slice containing many (virtual) machines that will be configured with a variety of known shortcomings.  Signed data is hidden in various places on the machines.  Then players from many universities - in fact many players from across the country or the world - are granted access to the slice and a scavenger hunt ensues.  The team that most completely audits the security of the network, by capturing the most sensitive data (taken either way), wins.  There may be other scoring.
    1416
    1517There are two classes of princpals that will be requesting access to GENI resources for this contest.  There will be a comparatively small number of officials that will need allocation and configuration rights to the slice in order to set up and administer the game.  There will also be the thousands or more contestants who will need access to the slice, but not configuration rights.  Because of the large number of contestants, the ACM does not want to be directly in charge of vetting each one.  Individual universities (and perhaps other sites) will be able to decide on the criteria to admit players from their institutions independently.  Should anything go amiss - or any kind of cheating be detected - officials will want to know where the contestant came from and how they were admitted.
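Review bot: moving the wiki link onto the contest name is the right fix, but the rewritten sentence still misnames the host institution: the iCTF at ictf.cs.ucsb.edu is run by the University of California, Santa Barbara, so the text should read "the University of California, Santa Barbara's [http://ictf.cs.ucsb.edu/ International Capture the Flag Contest]". While this region is being edited, the unchanged paragraph that follows has "princpals" for "principals".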