Literature Search of Topics Related to

Flexible Distributed Security Management

Relative to Access Control

Fred Cohen

Sandia National Laboratories
Feb, 1997

Introduction and Context

This brief overview of literature is based on an initial investigation into the issues surrounding flexible access controls for possible future use in remote monitoring of the nuclear test ban treaty under the assumptions that nation-state monitoring rights are changeable with time based on policy and the ever-changing geo-political situation.

We begin by describing some of the well-known and often cited works related to access control in information systems, briefly examine the issues of static and dynamic access control and some of the technical limitations we currently face in these areas, discuss issues related to access control in distributed systems, consider take-grant systems and other issues related to revocation, and finally summarize.

Static Access Control

Access control has been widely studied and analyzed. The basics of access control and the theoretical underpinnings for analyzing access control in information systems and networks derives from the works of several authors published in the 1970s and 80s. [Harrison76] [Cohen86-2] [Bell73] [Denning82] [Biba77] [Denning75] [Cohen86] [Cohen87-2] An overview of this work is available on-line.

Overview Drill Down

As a general rule, access controls are implemented based on some sort of marking scheme wherein objects are marked and a decision process is used to determine wheter or not the subject attempting to access the object is authorized to do so. Basic priciples of implementing marking and the techniques for marking and evaluating markings are outlined in early works in this area. [Denning82] [Landwehr83] [Klein83] [Cohen86] An overview of historical work in these areas is available on-line.

Overview Drill Down

This introduces the issue of authentication, because, in order for authorization (another name for access control) to work, separation mechanisms must have a reliable way to differentiate between the subjects to whom they grant authority. An overview of a limited portion of the historical work in this areas is available on-line along with some less-related information, and this subject matter will not be discussed in further detail here.

Overview Drill Down

In systems providing controlled access to statistical or similar content (as opposed to whole files), additional controls are required related to inferences. A substantial body of work has been done on inference control. The early part of this work was well summarized in Denning's fine book on cryptography and data security [Denning82] and in her 1983 paper on the subject. [Denning83-2] Extended labeling has been demonstrated to augment trusted computing bases to provide enforcable record-level controls, [Picciotto94] while view-based access control has been suggested as an alternative labeling scheme for managing fine grained access controls. [Qian96]

Formal models of access control systems have ben studied in some depth. For example, formal models of capability-based protection systems, [Snyder81] analysis and synthesis of access control systems, [Bilbao83] role-based access control, [Giuri96] [Thomsen91] and validation and verification of access controls [Denning77] [OShea94] have all been studied in some depth.

In a typical computer system, there are millions of protection bits, and yet most systems have little or no capability for effectively managing these bits. [Cohen91] A partial solution to this problem is provided by security management systems developed in recent years. The simplest of these systems simply verify that known flaws in protection settings permitting easy exploit are avioded. [Baldwin90] More complex change-control system provide detection of changes in the protection state and allow automated recovery. [Cohen91] Protection management systems typically go a step further and provide automation for setting protection according to a policy. [Bernardi94]

In today's market, there are numerous systems that provide automated protection management of heterogeneous networks of computers based on central policy specifications, distribute these settings through cryptographically secured protocols, analyze audit trails from these diverse systems, and report on and react to detected intrusions. This is a special case (two-level) of a hierarchical protection system. Hierarchical protection systems have been studied for some time, both in their application to networks [Wu81] [Cohen87-8] and in their application within a trusted computing base under the name of roles.

Dynamic Access Control

While protection setting in the static case is non-trivial and, in most cases, inadequately managed in most computer systems, things become far more complex when issues of time are considered. We will consider only operation within a single processor environment in this section to retain as much simplicity as possible. Some of the issues are outlined here:

In practice, all of these phenomena have been observed both in experiments in in real-world attacks against computer systems. There are solutions to many of these challenges, but they all involve substantially increased programming cost and a level of sophistocation rarely found in modern programmers. Language support to address these issues is also lacking, making the task system dependent and manual.

Substantial results have been attained relating to these issues. [Istrail93] [Trueblood86] [Bishop96] [Cohen94]

Distributed System Issues

Dynamic access control is a highly co mplex problem in a single system, but when dynamic access control is distributed throughout a network, thigs get even more complex. Several key issues have to be addressed:

Related work has been done for some time. [Karger89] [Gligor79] [Corsini84] [Minsky81] [Cohen94] [Ammann93] [Goldberg89] [Kumar94] [Lampson92] [Bishop81] [Ramamritham86] [Villiers88] [Stubblebine95]

Alternative Methodologies

While the access control methods considered to date in the Flexible Distributed Security Management project are potentially useful, there are many alternative lines that might be better suited to the treaty verification issue central to the project's underlying purpose. For example:

This list is by no means comprehensive, but it gives a flavor for some of the variations that might be considered for implementing a flexible distributed access control system for this application.


There has been a substantial amount of research in the field of access control that relates to issues in flexible policy management for distributed systems. This short overview is neither complete nor comprehensive, but it does give an introduction to the topic that we hope will be of some use in further investigation in this area.