Access Control in Ultra-Large-Scale Systems Using a Data-Centric Middleware

Abstract

The primary characteristic of an Ultra-Large-Scale (ULS) system is ultra-large size on any related dimension. A ULS system is generally considered as a system-of-systems with heterogeneous nodes and autonomous domains. As the size of a system-of-systems grows, and interoperability demand between sub-systems is increased, achieving more scalable and dynamic access control system becomes an important issue. The Attribute-Based Access Control (ABAC) model is a proper candidate to be used in such an access control system. The correct deployment and enforcement of ABAC policies in a ULS system requires secure and scalable collaboration among different distributed authorization components. A large number of these authorization components should be able to join different domains dynamically and communicate with each other anonymously. Dynamic configuration and reconfiguration of authorization components makes authorization system more complex to manage and maintain in a ULS system. In this paper, an access control middleware is proposed to overcome the complexity of deployment and enforcement of ABAC policies in ULS systems. The proposed middleware is data-centric and consists of two layers. The lower layer is a Data-Distribution-Service (DDS) middleware used for loosely-coupled-communication among authorization components. The upper layer is used for secure configuration and reconfiguration of authorization components. An executable model of the proposed middleware is also represented by a Colored-Petri-Net (CPN) model. This executable model is used to analyze the behavior of the proposed middleware.