ACM SIGCOMM Computer Communication Review
Using encryption for authentication in large networks of computers
Communications of the ACM
Programming semantics for multiprogrammed computations
Communications of the ACM
File System Indexing and Backup
Proceedings of the International Workshop on Operating Systems of the 90s and Beyond
ACM SIGOPS Operating Systems Review
ACM SIGOPS Operating Systems Review
Secure Internet programming
Modular, extensible storage services through object interfaces
EW 6 Proceedings of the 6th workshop on ACM SIGOPS European workshop: Matching operating systems to application needs
Access Control Mechanisms in a Distributed, Persistent Memory System
IEEE Transactions on Parallel and Distributed Systems
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Object protection in distributed systems
Journal of Parallel and Distributed Computing
| Hi-index | 0.00 |
We discuss the protection requirements of a distributed storage service comprising a two-level hierarchy of storage servers with value-adding service layers above them. A flexible and extensible access control mechanism is required. Our scheme uses Access Control Lists (ACLs) to allow fine grained expression of policy together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal- specific and transient and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery.