Show simple item record

SAFE: A Declarative Trust-Agile System with Linked Credentials

dc.contributor.advisor Chase, Jeffrey S
dc.contributor.author Thummala, Vamsidhar
dc.date.accessioned 2016-06-06T16:11:48Z
dc.date.available 2016-06-06T16:11:48Z
dc.date.issued 2016
dc.identifier.uri https://hdl.handle.net/10161/12236
dc.description.abstract <p>Secure Access For Everyone (SAFE), is an integrated system for managing trust</p><p>using a logic-based declarative language. Logical trust systems authorize each</p><p>request by constructing a proof from a context---a set of authenticated logic</p><p>statements representing credentials and policies issued by various principals</p><p>in a networked system. A key barrier to practical use of logical trust systems</p><p>is the problem of managing proof contexts: identifying, validating, and</p><p>assembling the credentials and policies that are relevant to each trust</p><p>decision. </p><p>SAFE addresses this challenge by (i) proposing a distributed authenticated data</p><p>repository for storing the credentials and policies; (ii) introducing a</p><p>programmable credential discovery and assembly layer that generates the</p><p>appropriate tailored context for a given request. The authenticated data</p><p>repository is built upon a scalable key-value store with its contents named by</p><p>secure identifiers and certified by the issuing principal. The SAFE language</p><p>provides scripting primitives to generate and organize logic sets representing</p><p>credentials and policies, materialize the logic sets as certificates, and link</p><p>them to reflect delegation patterns in the application. The authorizer fetches</p><p>the logic sets on demand, then validates and caches them locally for further</p><p>use. Upon each request, the authorizer constructs the tailored proof context</p><p>and provides it to the SAFE inference for certified validation.</p><p>Delegation-driven credential linking with certified data distribution provides</p><p>flexible and dynamic policy control enabling security and trust infrastructure</p><p>to be agile, while addressing the perennial problems related to today's</p><p>certificate infrastructure: automated credential discovery, scalable</p><p>revocation, and issuing credentials without relying on centralized authority.</p><p>We envision SAFE as a new foundation for building secure network systems. We</p><p>used SAFE to build secure services based on case studies drawn from practice:</p><p>(i) a secure name service resolver similar to DNS that resolves a name across</p><p>multi-domain federated systems; (ii) a secure proxy shim to delegate access</p><p>control decisions in a key-value store; (iii) an authorization module for a</p><p>networked infrastructure-as-a-service system with a federated trust structure</p><p>(NSF GENI initiative); and (iv) a secure cooperative data analytics service</p><p>that adheres to individual secrecy constraints while disclosing the data. We</p><p>present empirical evaluation based on these case studies and demonstrate that</p><p>SAFE supports a wide range of applications with low overhead.</p>
dc.subject Computer science
dc.subject Logic-based access control
dc.subject authorization
dc.subject SAFE
dc.subject Safelog
dc.subject Safelang
dc.subject slog
dc.subject slang
dc.subject SafeSets
dc.subject SafeX
dc.subject Security Policies
dc.subject Software-as-a-service
dc.subject Distributed Systems
dc.subject Trust Logic
dc.subject Declarative Languages
dc.subject Trust Management
dc.title SAFE: A Declarative Trust-Agile System with Linked Credentials
dc.type Dissertation
dc.department Computer Science


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record