Smith, Jonathan M
Disciplines
Computer and Systems Architecture
Digital Communications and Networking
Library and Information Science
OS and Networks
Software Engineering
Systems Architecture
Systems and Communications
Position
Faculty Member
Search Results
Now showing 1 - 3 of 3
Publication
Secure and Flexible Global File Sharing (2001-01-01)
Miltchev, Stefan; Prevelakis, Vassilis; Ioannidis, Sotiris; Keromytis, Angelos D.; Smith, Jonathan M
Sharing of files is a major application of computer networks, with examples ranging from LAN-based network file systems to wide-area applications such as use of version control systems in distributed software development. Identification, authentication and access control are much more challenging in this complex large-scale distributed environment. In this paper, we introduce the Distributed Credential Filesystem (DisCFS). Under DisCFS, credentials are used to identify both the files stored in the file system and the users that are permitted to access them, as well as the circumstances under which such access is allowed. As with traditional capabilities, users can delegate access rights (and thus share information) simply by issuing new credentials. Credentials allow files to be accessed by remote users that are not known a priori to the server. Our design achieves an elegant separation of policy and mechanism which is mirrored in the implementation. Our prototype implementation of DisCFS runs under OpenBSD 2.8, using a modified user-level NFS server. Our measurements suggest that flexible and secure file sharing can be made scalable at a surprisingly low performance cost.

Publication
Requirements for Scalable Access Control and Security Management Architectures (2007-05-01)
Keromytis, Angelos D.; Smith, Jonathan M
Maximizing local autonomy by delegating functionality to end nodes when possible (the "end to end" design principle) has led to a scalable Internet. Scalability and the capacity for distributed control have unfortunately not extended well to resource access-control policies and mechanisms. Yet management of security is becoming an increasingly challenging problem, in no small part due to scaling up of measures such as number of users, protocols, applications, network elements, topological constraints, and functionality expectations. In this paper we discuss scalability challenges for traditional access control mechanisms at the architectural level, and present a set of fundamental requirements for authorization services in large-scale networks. We show why existing mechanisms fail to meet these requirements, and investigate the current design options for a scalable access control architecture. We argue that the key design options to achieve scalability are the choice of the representation of access control policy, the distribution mechanism for policy and the choice of access-rights revocation scheme. Although these ideas have been considered in the past, current access-control systems in use continue to use simpler but restrictive architectural models. With this paper, we hope to influence the design of future access-control systems towards more decentralized and scalable mechanisms.

Publication
Decentralized Access Control in Networked File Systems (2006-01-01)
Miltchev, Stefan; Smith, Jonathan M; Prevelakis, Vassilis; Keromytis, Angelos; Ioannidis, Sotiris
The Internet enables global sharing of data across organizational boundaries. Traditional access control mechanisms are intended for one or a small number of machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. This survey provides a taxonomy of decentralized access control mechanisms intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze popular networked file systems in the context of our taxonomy.