Changes between Version 31 and Version 32 of TIEDABACDemo
- Timestamp: 07/13/09 20:24:19 (15 years ago)
TIEDABACDemo
v31 v32 4 4 * Expresses delegation and other authorization models efficiently and scalably 5 5 * Allows access requesters and granters to control how much information they reveal 6 * Provides auditing information that includes both the decision and reasoning 6 * Provides auditing information that includes both the decision and reasoning behindit (the provenance) 7 7 * Supports multiple authentication frameworks as entry points into the attribute space 8 9 The reasoner is tuned for ABAC's logic and is more efficient than a general reasoning engine. 8 10 9 11 This page outlines these features using a scenario-driven tutorial approach. We describe the model in more detail [wiki:TIEDABACModel elsewhere] and there are [http://www.isso.sparta.com/research_projects/security_infrastructure/abac_overview.html#docs several papers about ABAC] as well. This page is intended to sketch the power of ABAC. … … 11 13 == Scenario == 12 14 13 Consider the ACM using GENI to run a contest like the University of [http://ictf.cs.ucsb.edu/ Santa BarbaraInternational Capture the Flag Contest] on a larger scale. Security experts from several universities acting under ACM auspices will configure a large network of machines as a playground for intrusion testers. They will create a slice containing many (virtual) machines that will be configured with a variety of known shortcomings. Signed data is hidden in various places on the machines. Then players from many universities - in fact many players from across the country or the world - are granted access to the slice and a scavenger hunt ensues. The team that most completely audits the security of the network, by capturing the most sensitive data (taken either way), wins. There may be other scoring.15 Consider the ACM using GENI to run a contest like the University of Santa Barbara's [http://ictf.cs.ucsb.edu/ International Capture the Flag Contest] on a larger scale. 
Security experts from several universities acting under ACM auspices will configure a large network of machines as a playground for intrusion testers. They will create a slice containing many (virtual) machines that will be configured with a variety of known shortcomings. Signed data is hidden in various places on the machines. Then players from many universities - in fact many players from across the country or the world - are granted access to the slice and a scavenger hunt ensues. The team that most completely audits the security of the network, by capturing the most sensitive data (taken either way), wins. There may be other scoring. 14 16 15 17 There are two classes of princpals that will be requesting access to GENI resources for this contest. There will be a comparatively small number of officials that will need allocation and configuration rights to the slice in order to set up and administer the game. There will also be the thousands or more contestants who will need access to the slice, but not configuration rights. Because of the large number of contestants, the ACM does not want to be directly in charge of vetting each one. Individual universities (and perhaps other sites) will be able to decide on the criteria to admit players from their institutions independently. Should anything go amiss - or any kind of cheating be detected - officials will want to know where the contestant came from and how they were admitted.
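Review bot: the added bullet at v32 line 6 introduces a typo, "reasoning behindit (the provenance)", which should read "behind it". In the same hunk, the new sentence at v32 line 9 ("The reasoner is tuned for ABAC's logic and is more efficient than a general reasoning engine") makes an efficiency claim with nothing to back it; point it at the TIEDABACModel page or one of the papers linked at v32 line 11 so a reader can check what "more efficient" was measured against.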
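Review bot: the rewritten scenario sentence at v32 line 15 fixes the link text but still names the host as "University of Santa Barbara's", while the link target is ictf.cs.ucsb.edu; the institution name should match the site being linked. The unchanged context at v32 line 17 also carries "princpals" for "principals", and since this revision is already a copy-edit of the scenario it would be worth correcting here. The phrase "(taken either way)" at the end of the scenario paragraph is carried over without saying which two ways are meant; a short clarification would help, because the scoring rule is what the later access-control discussion depends on.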