Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-1999-11583
1 January 2000 - 28 February 2003


MAFTIA involved experts from 5 countries and 6 organisations. The Industrial Advisory Board provided valuable feedback on the work of the project.

Research was organised into six workpackages.


Conceptual Model and Architecture
WP1 concentrated on the Conceptual Model and Architecture of attack tolerance.

Dependable Middleware
WP2 developed a modular and scalable cryptographic group-oriented middleware suite.

Intrusion Detection
WP3 investigated ways of reducing the high rate of false positives and false negatives in existing Intrusion Detection Systems (IDSs), whilst making the IDS itself intrusion-tolerant.

Trusted Third Parties
WP4 designed a generic architecture for dependable Trusted Third Party (TTP) services based on results from WP2.

Distributed Authorisation
In WP5, we defined a framework for access control and authorisation.

Verification and Assessment
WP6 worked towards a formalisation of the MAFTIA conceptual model.

Distributed Authorisation

The objective of this work package was to define a consistent framework for authorisation and access control in emerging and future applications distributed over large networks such as the Internet: electronic commerce, virtual libraries, teleworking, telemedicine, etc. These applications exhibit new security requirements that current authorisation schemes and access control mechanisms cannot cope with.

For instance, most current authorisation schemes are based on a client-server model, while many of these new applications involve more than two entities. For example, an electronic commerce transaction may need co-operation between the customer, the merchant, the customer’s bank, the merchant’s bank, and possibly other parties (broker, delivery company, electronic cash issuer or credit card company, etc.).

Each of these parties may be considered by the others as not absolutely trustworthy, and even possibly malicious.

Many, sometimes conflicting, dependability aspects need to be taken into account and can be partly enforced by authorisation schemes: confidentiality of personal or proprietary information, reliability of services and communications (e.g., by preventing denial of service), survivability against information warfare or terrorist attacks, protection of intellectual property, etc.

In the usual client-server model, the authorisation is enforced by the server: the server decides to fulfil or deny the client request, according to the client identity (verified by some authentication scheme) and according to some locally-enforced rules. When more than two entities are involved, the client can delegate some of its rights to a server, which can then act on behalf of the client in requesting a service from another server. This can be done by using a proxy, such as in Kerberos V5, SESAME, or CORBA.

This scheme presents several drawbacks. First, the delegate has to be trusted by the client: the delegate is authorised to use (and possibly abuse) the client’s privileges to perform actions, usually even under the client’s identity. If malicious, the delegate can perform actions unwanted by the client, and does so with impunity, since these actions will be attributed to the client. The second drawback is that the client must possess more privileges than necessary in order to be able to transfer them (e.g., a client must possess the read right on a file to transfer this privilege to a print spooler). Finally, the server has too much responsibility: since the server is the only entity that enforces the authorisation, this scheme is ill-adapted to peer-to-peer communications or other transactions involving several mutually suspicious entities.

Some of these drawbacks have been addressed by particular proxy implementations or by more sophisticated authorisation schemes. The goal of this work package was to develop such authorisation schemes and to implement corresponding authorisation servers: third-party entities able to manage various flexible authorisation schemes. The authorisation servers are responsible for granting or denying authorisations (e.g., capabilities) for operations that will be executed by the various parties involved. To do so, they interact with the local access control mechanisms (e.g., those of Java Virtual Machines) and with authentication servers.
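The following is an added illustration of the two models contrasted above; it is not MAFTIA project code and does not reproduce the WP5 design. It simulates, in a single process, proxy-style delegation (the delegate acts under the client's identity, so the server grants it all of the client's rights and the audit trail blames the client) beside a third-party authorisation server that issues a capability naming one holder, one object and one operation, which the local access-control check then matches exactly. The principals (alice, spooler), the object (report.txt), the rights table and the HMAC key are all constructed for the example.

```python
"""Added illustration (not MAFTIA code): proxy delegation versus scoped
capabilities issued by a third-party authorisation server.  All principals,
objects, rights and the signing key below are constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed policy: which principal holds which rights on which object.
RIGHTS = {
    "report.txt": {"alice": {"read", "write"}},
}

# ---- Model 1: proxy delegation (the delegate acts *as* the client) -----------

def proxy_token(client: str, delegate: str) -> dict:
    """Client hands the delegate a token that carries the client's identity."""
    return {"acting_as": client, "delegate": delegate}

def server_check_proxy(token: dict, obj: str, op: str, audit: list) -> bool:
    """Server sees only the client's identity and grants all of its rights."""
    principal = token["acting_as"]
    allowed = op in RIGHTS.get(obj, {}).get(principal, set())
    # The audit record names the client, whatever the delegate actually did.
    audit.append((principal, obj, op, allowed))
    return allowed

# ---- Model 2: third-party authorisation server issuing capabilities ---------

class AuthorisationServer:
    """Issues capabilities bound to (holder, object, operation) and checks them."""

    def __init__(self) -> None:
        # Constructed key shared with the local access-control checks.
        self._key = secrets.token_bytes(32)

    def _tag(self, holder: str, obj: str, op: str) -> str:
        msg = f"{holder}|{obj}|{op}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def grant(self, requester: str, holder: str, obj: str, op: str):
        """Issue a capability to `holder` only for a right `requester` holds."""
        if op not in RIGHTS.get(obj, {}).get(requester, set()):
            return None
        return {"holder": holder, "object": obj, "op": op,
                "tag": self._tag(holder, obj, op)}

    def verify(self, cap, holder: str, obj: str, op: str) -> bool:
        """Local check: the capability must match the attempted action exactly."""
        if cap is None or (cap["holder"], cap["object"], cap["op"]) != (holder, obj, op):
            return False
        return hmac.compare_digest(cap["tag"], self._tag(holder, obj, op))

def server_check_capability(auth: AuthorisationServer, cap, holder: str,
                            obj: str, op: str, audit: list) -> bool:
    allowed = auth.verify(cap, holder, obj, op)
    # The audit record names the holder, so misuse is attributable to it.
    audit.append((holder, obj, op, allowed))
    return allowed

def demo() -> dict:
    """Constructed print-spooler scenario run under both models."""
    audit_proxy, audit_cap = [], []
    # Model 1: alice delegates to the spooler, which overreaches and writes.
    tok = proxy_token("alice", "spooler")
    proxy_write = server_check_proxy(tok, "report.txt", "write", audit_proxy)
    # Model 2: alice obtains a read-only capability for the spooler.
    auth = AuthorisationServer()
    cap = auth.grant("alice", "spooler", "report.txt", "read")
    cap_read = server_check_capability(auth, cap, "spooler", "report.txt", "read", audit_cap)
    cap_write = server_check_capability(auth, cap, "spooler", "report.txt", "write", audit_cap)
    # A capability whose operation field was altered fails the tag check.
    forged = dict(cap, op="write")
    cap_forged = server_check_capability(auth, forged, "spooler", "report.txt", "write", audit_cap)
    return {"proxy_write_allowed": proxy_write, "proxy_blamed": audit_proxy[0][0],
            "cap_read_allowed": cap_read, "cap_write_allowed": cap_write,
            "cap_forged_allowed": cap_forged, "cap_blamed": audit_cap[1][0]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the proxy model the spooler's write succeeds and is logged against alice, which is the "impunity" drawback; in the capability model the spooler can only read, its attempted write is denied and logged against the spooler, and alice never had to hand over her write right to obtain the read-only grant.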

Authorisation servers implementing simple schemes have already been proposed, for instance, in Delta-4, HP Praesidium, or Adage. However, in addition to implementing more comprehensive authorisation schemes, the MAFTIA authorisation servers benefit from the results of WP4 and are designed to be intrusion-tolerant.