Application of Context-Aware Role-Based Access Control in the Multi-Interaction Internet of Things

This article proposes a dynamic, role-based access control method for Internet of Things (IoT) applications that uses context information and applies adaptive multi-level authentication. Existing studies in the literature offer security solutions for IoT applications, which involve intensive interaction among many different types of things (computers, machines, people, processes, services, etc.), that do not take instantaneous context information into account and that apply statically predefined access policies. These are insufficient to prevent the new kinds of security vulnerabilities, not seen in conventional networks, that may arise from the complex interaction in IoT. It is therefore important to develop a security method for IoT applications that offers dynamic and adaptive access control by taking the interaction between things into account. The method presented in this article formalizes the entities in an IoT system and the interactions among them with a context architecture model and uses instantaneous context information in access control, while the role-based approach allows security policies to be written as simply as possible. In this way, instantaneous unauthorized usage requests that are hard to predict in advance and that may arise from the complex interaction in IoT applications can be blocked using predefined, uncomplicated access control policies. This study shows that, with the proposed new access control method, possible attacks in an application scenario involving IoT devices with multiple and complex interactions can be prevented with simple security policy rules, more simply than with existing methods.
In addition, (i) a context model is presented that covers all context types, including environment, person, time and system, and that can also be used in other context-aware IoT applications; (ii) the attack/threat vectors that may arise in context-aware IoT applications with multiple and complex interactions are identified; and (iii) the developed context-aware role-based access control method is validated under a complex scenario representing next-generation IoT applications.

Application of Context-aware Role-based Access Control on Internet of Things Applications with Multiple Interactions

In this work, a context-aware role-based access control method with adaptive multi-level authentication is proposed to address the security of IoT applications, and the results of a proof-of-concept implementation are presented. Security solutions that do not take instantaneous context information into account for IoT applications and that import static access policies used in conventional networks are insufficient to prevent the security weaknesses of IoT networks, which involve intensive interaction among a large number of different types of things (computer, machine, person, process, service, etc.). This paper aims to model the interaction between the "things" in an IoT system in a contextual architecture and then to use this instantaneous context information in a role-based access control scheme, enabling the security policies to be written as plainly as possible. It is considered that, in this way, hard-to-predict unauthorized usage requests that may arise from the complex interaction in IoT applications may be prevented by using predefined, uncomplicated access control policies. In this study, it is shown that the proposed new access control method is able to prevent attacks in an application scenario involving multiple and complex interactive IoT devices using security policy rules that are simple compared to the existing methods. Furthermore, (i) a context model is presented that covers all context types, including environment, user, time and system, and can be used in other context-sensitive IoT applications; (ii) attack/threat vectors that may arise in multiple and complex interactive, context-sensitive IoT applications are identified; and (iii) the context-sensitive role-based access control method is validated under a scenario representing next-generation IoT applications with complex interactions.
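The idea summarized above, as an added illustration that is not the paper's model or implementation: a default-deny decision function in which a short role rule is gated by instantaneous context and the required authentication level rises when the context is less trustworthy. The roles, operations, context attributes and three authentication levels are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:            # constructed attributes, one per context type
    location: str         # environment
    now: time             # time
    device_trusted: bool  # system
    owner_present: bool   # user

@dataclass(frozen=True)
class Rule:
    role: str
    operation: str
    locations: frozenset  # places from which the operation is allowed
    start: time           # allowed time window
    end: time
    base_auth: int        # assumed levels: 1 password, 2 +token, 3 +biometric

# Constructed sample policy: one short rule per (role, operation).
POLICY = [
    Rule("resident", "unlock_door", frozenset({"home", "yard"}),
         time(6, 0), time(23, 0), 1),
    Rule("guest", "unlock_door", frozenset({"yard"}),
         time(9, 0), time(18, 0), 2),
]

def required_auth(rule, ctx):
    """Raise the base level by one for each weak context signal (capped at 3)."""
    level = rule.base_auth
    level += 0 if ctx.device_trusted else 1
    level += 0 if ctx.owner_present else 1
    return min(level, 3)

def decide(role, operation, ctx, auth_level):
    """Return 'permit', 'step-up:<level>' or 'deny' (default deny)."""
    for rule in POLICY:
        if (rule.role, rule.operation) != (role, operation):
            continue
        if ctx.location not in rule.locations:
            continue
        if not rule.start <= ctx.now <= rule.end:
            continue
        need = required_auth(rule, ctx)
        return "permit" if auth_level >= need else f"step-up:{need}"
    return "deny"
```
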
