Intrusion-tolerant fine-grained authorization for Internet applications

V. Nicomette a,b,*, D. Powell a,b, Y. Deswarte a,b, N. Abghour c, C. Zanon a,b

a CNRS, LAAS, 7 Avenue du Colonel Roche, F-31077 Toulouse, France
b Université de Toulouse; UPS, INSA, INP, ISAE; LAAS; F-31077 Toulouse, France
c Université Hassan II, Faculté des Sciences Aïn Chock, Département de Mathématiques et Informatique, BP 5366 Maarif, Casablanca 20100, Morocco

* Corresponding author at: CNRS, LAAS, 7 Avenue du Colonel Roche, F-31077 Toulouse, France.
E-mail addresses: nicomett@laas.fr (V. Nicomette), dpowell@laas.fr (D. Powell), deswarte@laas.fr (Y. Deswarte), nabghour@fsac.ac.ma (N. Abghour), czanon@laas.fr (C. Zanon).

Journal of Systems Architecture 57 (2011) 441–451
doi:10.1016/j.sysarc.2010.05.005
© 2010 Elsevier B.V. All rights reserved.

Article history: Received 15 October 2009; Received in revised form 2 April 2010; Accepted 5 May 2010; Available online 13 May 2010

Keywords: Authorization scheme; Fine-grained; Delegation; Intrusion-tolerance

Abstract

This paper presents the architecture of an authorization service proposed for composite operations involving many Internet partners. The main contributions of this paper are: (1) a scheme for access control systematically applied at the fine-grained level of each elementary operation, (2) a novel proof of authorization concept and a flexible authorization delegation technique, and (3) the design and proof-of-concept implementation of an intrusion-tolerant prototype of the authorization architecture. The architecture is based on two component types: an authorization server and a set of reference monitors. The authorization server is in charge of distributing proofs of authorization for composite operations in the system. On each site involved in the execution of the composite operation, a local reference monitor is in charge of checking the validity of the proofs of authorization used for each elementary operation. The paper presents the overall design of the authorization service. It also includes a brief description of the prototype that was developed as well as performance measures.

1. Introduction

Authentication and authorization are key issues in computer security. The authentication process provides a way for a user to prove his identity (typically by presenting a valid username and password), while the authorization process consists of determining whether a user has permission to execute given operations in the system. This paper deals with authorization. While it is not a simple issue in standalone systems, it becomes truly intricate when one considers distributed applications, and particularly applications distributed over the Internet.

Most protection models are based on the notion of a reference monitor [1] that controls all interactions in the system to check whether each access is authorized or denied, using an access matrix that stores all the access rights of the system. If we consider applications distributed across the Internet, we can imagine a direct application of the standalone system paradigm by using a central reference monitor located on one host of the distributed system. This reference monitor would check all interactions in the whole distributed system. An implementation of this paradigm has been proposed in [2]. A major drawback of this approach is obviously the fact that the security of the entire system relies on just one machine, which is thus a single point of failure. Even if the central reference monitor were to be implemented as a fault- and intrusion-tolerant server running on several separately administered machines, it would still be a major bottleneck for system performance.

Another possible solution can be found in the Red Book [3]. In this approach, a local reference monitor in each site of the distributed system checks all accesses from remote entities to local entities. The local reference monitor is part of the site's Trusted Computing Base (TCB), and each TCB trusts all the other TCBs of the whole system: when an access from a remote entity is made to a local entity, the local TCB trusts the remote TCB to correctly supply the remote entity's identity, which is used for the verification of the access rights. Thus, in this approach, if any of the TCBs is corrupted, the security of the whole system is compromised. Our first objective was thus to design an authorization scheme that is a trade-off between totally centralized and totally distributed systems and that has none of their drawbacks.

Today, most Internet applications are based on the client–server model. This model is not rich enough to cope with composite operations involving more than two participants. For example, an electronic commerce transaction typically requires the cooperation of a customer, a merchant, a credit card company, a bank, a delivery company, etc. Each of these participants has different interests, and may thus distrust the other participants. Moreover, in this model, typically, the server distrusts clients, and grants each client access
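The following is an added illustration of the two component types named in the abstract, not code from the paper or its prototype: an authorization server that consults an access matrix (the notion recalled in the introduction) and issues one proof of authorization per elementary operation of a composite operation, and a reference monitor local to each site that validates the proof presented with each elementary operation before it runs. The proof format, the per-site HMAC keys shared between the server and that site's monitor, the nonce-based replay check, and all names (`AuthorizationServer`, `ReferenceMonitor`, the sample subjects, sites and objects) are assumptions made for this example; the paper's own proof of authorization and delegation mechanisms are described later in the text.

```python
"""Toy model of the authorization architecture sketched in the abstract:
an authorization server issues one proof of authorization per elementary
operation of a composite operation, and a reference monitor local to each
site checks the proof before that elementary operation is executed.
Proof format, per-site HMAC keys and all names are assumptions for this
illustration; they are not the paper's design."""
import hashlib
import hmac
import json
import secrets


def canonical(body: dict) -> bytes:
    """Deterministic encoding so server and monitors authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuthorizationServer:
    """Holds the access matrix (subject -> (site, object) -> allowed operations)
    and one key per site, shared only with that site's reference monitor (assumed)."""

    def __init__(self, access_matrix: dict, site_keys: dict):
        self.access_matrix = access_matrix
        self.site_keys = site_keys

    def issue_proofs(self, subject: str, composite: list) -> list:
        """Return one proof per elementary (site, object, op) of the composite
        operation; refuse the whole composite if any elementary step is denied."""
        proofs = []
        for site, obj, op in composite:
            allowed = self.access_matrix.get(subject, {}).get((site, obj), set())
            if op not in allowed:
                raise PermissionError(f"{subject} may not {op} {obj} at {site}")
            body = {"subject": subject, "site": site, "object": obj, "op": op,
                    "nonce": secrets.token_hex(8)}  # lets the monitor detect replay
            tag = hmac.new(self.site_keys[site], canonical(body), hashlib.sha256).hexdigest()
            proofs.append({"body": body, "tag": tag})
        return proofs


class ReferenceMonitor:
    """Local checker for one site: validates the proof presented with each
    elementary operation, rejecting forged, misdirected, mismatched or replayed proofs."""

    def __init__(self, site: str, key: bytes):
        self.site = site
        self.key = key
        self.seen_nonces = set()

    def check(self, proof: dict, subject: str, obj: str, op: str) -> bool:
        body = proof["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof["tag"]):
            return False  # tampered, or not issued by the server for this site
        if body["site"] != self.site:
            return False  # proof was issued for another site
        if (body["subject"], body["object"], body["op"]) != (subject, obj, op):
            return False  # proof does not cover this elementary operation
        if body["nonce"] in self.seen_nonces:
            return False  # replay of an already consumed proof
        self.seen_nonces.add(body["nonce"])
        return True


# Constructed sample: site keys, access matrix and an e-commerce style composite operation.
SITE_KEYS = {"merchant": secrets.token_bytes(32), "bank": secrets.token_bytes(32)}
ACCESS_MATRIX = {
    "alice": {("merchant", "order/42"): {"pay"}, ("bank", "acct/alice"): {"debit"}},
}
COMPOSITE = [("merchant", "order/42", "pay"), ("bank", "acct/alice", "debit")]


def run_scenario() -> dict:
    """Exercise the happy path and the failure modes a local monitor must catch."""
    server = AuthorizationServer(ACCESS_MATRIX, SITE_KEYS)
    monitors = {s: ReferenceMonitor(s, k) for s, k in SITE_KEYS.items()}
    proofs = server.issue_proofs("alice", COMPOSITE)

    results = {}
    # Each site checks its own proof before running its elementary operation.
    results["accepted"] = all(
        monitors[site].check(p, "alice", obj, op)
        for p, (site, obj, op) in zip(proofs, COMPOSITE))
    # Presenting the same proof a second time is a replay.
    results["replay_rejected"] = not monitors["merchant"].check(proofs[0], "alice", "order/42", "pay")
    # A proof issued for the bank is useless at the merchant.
    results["wrong_site_rejected"] = not monitors["merchant"].check(proofs[1], "alice", "acct/alice", "debit")
    # Editing the operation in the body invalidates the tag.
    forged = {"body": dict(proofs[1]["body"], op="credit"), "tag": proofs[1]["tag"]}
    results["tamper_rejected"] = not monitors["bank"].check(forged, "alice", "acct/alice", "credit")
    # A subject lacking the right for one elementary step gets no proofs at all.
    try:
        server.issue_proofs("bob", COMPOSITE)
        results["denied_subject"] = False
    except PermissionError:
        results["denied_subject"] = True
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of the split is the one the abstract makes: the server decides, but every site verifies locally, so a corrupted site cannot vouch for a remote identity on another site's behalf (each proof is bound to one site, one object and one operation), while the server is consulted once per composite operation rather than once per access.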