A Hardware Approach for Trusted Access and Usage Control

Introduction

In computer systems, access control models are used to express who is granted privilege to execute which actions on which set of resources. Many works have been conducted on access control management in the database context, trying to provide the finest granularity of sharing. In relational database systems, privileges can be granted on virtual objects, called views, dynamically built by an SQL query (Melton et al., 1993). In XML databases, XPath expressions are usually used to delineate the objects or document parts targeted by an access control rule (Bertino et al., 2001; Gabillon et al., 2001; Damiani et al., 2002). The reason for this granularity concern is that databases often contain sensitive information (e.g., personal, commercial, administrative, military data) shared by a large number of users playing different roles with different privileges. Digital Right Management (DRM) models are also used to regulate the access to resources. DRM models primarily target the protection of digital assets (e.g., videos and sounds). The granularity of the access control is of lesser concern here but the conditions (e.g., to pay a fee) and obligations (e.g., to increment a counter at each copy) related to how a privilege can be exercised become central (XrML; ODRL). Hence DRM models complement access control with usage control. Another major concern of DRM systems is the enforcement of the access and usage control rules to fight against a large scale piracy threatening the global multimedia content industry (IFPI).

As the information distributed to customers becomes more complex and structured (e.g., encyclopaedia, cultural collections, stock exchange databases) the need for finer granularity rules arise in the DRM context. Conversely, as database applications show an increasing concern for regulating the usage made of the information legally accessed, the need for access control rules integrating contextual conditions and obligations arises. This is particularly true for databases containing personal data (Agrawal et al., 2002). The management of Electronic Health Records illustrates this well. For example, permissive access control rules should apply to a medical folder in specific contexts like an emergency situation. Obligations like registering all accesses to a medical folder in a log are also required to allow auditing the system.

In this chapter, we advocate the convergence between the access control and DRM worlds, encompassing the expression of fine grain access control and accurate usage control. This convergence is also expected in terms of control enforcement. In database environments, the access control is usually enforced by the database server, under the assumption that the server is trusted. Unfortunately, even the most defended servers (including those of Pentagon, FBI and NASA) have been successfully attacked, and database systems are identified as the primary target of computer criminality (Computer Security Institute, 2007). This motivated the design of new architectures where the server role amounts to deliver raw content to smart clients implementing the access control (Bouganim et al., 2004; Hacigumus et al., 2002). The question becomes how to enforce access and usage control on the client side. This question is not new in the DRM context, though no satisfactory solutions have been proposed yet. Indeed, today’s DRM methods are so coercive that they do nothing but exasperating consumers and legitimize piracy (Champeau, 2004). The question is newer in the database world, people slowly becoming aware of the value of personal data and starting considering that protecting privacy is at least as important as protecting digital assets.