The PEI + UCON Framework for Application Security

There is no security without application context. Only application context can make clear the tradeoffs between security, performance, usability and cost, and further the tradeoffs between conflicting security objectives such as confidentiality, integrity and availability. To capture application security policy we need a more sophisticated model than traditional access control provides. To this end we developed a model called UCON [2] depicted in figures 1 and 2. UCON is attribute-based but goes beyond traditional attribute-based models in that attributes are mutable and can change automatically as a side-effect of access (or usage). Moreover, UCON accommodates the notions of obligations and conditions which capture additional requirements beyond authorization. Obligations require some action such as clicking on a Agree button before access is granted. Conditions capture system and environmental attributes not directly tied to the subject or object in question. The three cornerstones of UCON, authorizations, obligations and conditions can be applied before, during and after access. The goal of UCON was to unify several different access control extensions that had been published or implemented. Thus far the applications of UCON have not required us to extend it in any fundamental way, although we continue to look for applications that stress UCON so we may discover important extensions.