Large scale distributed systems typically comprise resources belonging to multiple organizations. Access to these resources by agents of other organizations is subject to constraints implied by the long-term trust relationships between participating organizations. Simultaneously achieving efficiency and security goals for enforcing these access constraints is a challenging problem, particularly in dynamically evolving coalition environments consisting of multiple member organizations. Here, access constraints are dictated by transitive relationships among coalition organizations and need to be efficiently updated whenever there is a change in the high-level trust relationships. Traditionally, the solution to this problem has built upon secure group communication primitives. However, such solutions scale poorly in the context of dynamically changing coalitions because each change in coalition partner relationships requires re-keying a coalition-wide key.

The goal of the Distributed Sanctuaries project is to support efficient, scalable, secure collaborations for sharing of information and services amongst diverse agents belonging to organizations of a dynamic coalition. Unlike group communication approaches, information sharing between participants is viewed in terms of the direct interaction between delegates representing agents and objects representing services. Our approach relies upon dynamically locating delegate code and service objects close to each other by caching their components on partly-trusted intermediate hosts. Key to this approach are techniques for transitive authentication of agent activities, even when these span multiple distributed hosts, secure execution environments that protect delegate and service components from each other, and fine-grained control of delegate access to services. The resulting infrastructure will allow users of one organization to securely, efficiently, and in a scalable fashion, access data, invoke services, and run computations on computational and information resources belonging to any member organization of the coalition, to the extent permitted by the currently active access constraints, individually specifiable per resource.

The Distributed Sanctuaries project is a collaborative project involving researchers at New York University and Arizona State University.

Funding

The Distributed Sanctuaries project is supported by the Defense Advanced Research Projects Agency and SPAWAR SYSCEN under agreement number N66001-00-1-8920.