Access Control in Ultra-Large-Scale Systems Using a Data-Centric Middleware

The primary characteristic of an Ultra-Large-Scale (ULS) system is ultra-large size on any related dimension. A ULS system is generally considered as a system-of-systems with heterogeneous nodes and autonomous domains. As the size of a system of-systems grows, and interoperability demands between sub-systems is increased, achieving more scalable and dynamic access control system becomes an important issue. The Attribute-Based Access Control (ABAC) model is a proper candidate to be used in such an access control system. The correct deployment and enforcement of ABAC policies in a ULS system requires secure and scalable collaboration among dierent distributed authorization components. A large number of these authorization components should be able to join dierent domains dynamically and communicate with each other anonymously. Dynamic conguration and reconguration of authorization components makes authorization system more complex to manage and maintain in a ULS system. In this paper, an access control middleware is proposed to overcome the complexity of deployment and enforcement of ABAC policies in ULS systems. The proposed middleware is data-centric and consists of two layers. The lower layer is a Data-Distribution-Service (DDS) middlewareused for loosely-coupled-communication among authorization components. The upper layer is used for secure conguration and reconguration of authorization components. This layer exploits the OASIS model to provide a mechanism to allow only authorized components to get the related conguration and reconguration information. In the proposed middleware the notion of combining ABAC policies, combining decisions, and combining information is used to achieve multi-policy, multi-decision, and multi-information capabilities. An executable model of the proposed middleware is also represented by a Colored-Petri-Net (CPN) model. This executable model is used to analyze the behavior of the proposed middleware.