Authorization Recycling in RBAC Systems

Size: px

Start display at page:

Download "Authorization Recycling in RBAC Systems"

Magdalene Perkins
5 years ago
Views:

1 Authorization Recycling in RBAC Systems Qiang Wei 1, Jason Crampton 2, Konstantin Beznosov 1, Matei Ripeanu 1 1 Laboratory for Education and Research in Secure Systems Engineering (LERSSE), University of British Columbia 2 Information Security Group, Royal Holloway, University of London

2 the overview outline authorization architecture motivation recycling approach recycling algorithms experimental evaluations summary & future work 2 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

3 a typical authorization architecture subject client application response application request protected application objects policy enforcement point (PEP) application server (request, allow) authorization response authorization request (subject, object, read) policy decision point (PDP) authorization server - also known as request-response paradigm - applied by IBM Access Manager, Entrust GetAccess, CA SiteMinder, etc. 3 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

4 motivations PEP + re-use of authorization logic + consistent policy enforcement PDP PEP PEP - reduced availability - increased latency - reduced scalability 4 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

5 existing approaches fault-tolerance by replication/redundancy + improve availability - latency remains unchanged - require specialized OS/middleware - poorly scale on large populations caching previous authorizations + simple, inexpensive + improves performance & availability - serves only requests that have been issued before (precise recycling) 5 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

6 secondary and approximate authorization model (SAAM) 1 PEP SDP PEP SDP secondary authorization recycling PDP PEP SDP secondary decision point (SDP) 1. resolve returning requests (precise recycling) 2. resolve new requests (approximate recycling) 1 J. Crampton, W. Leung and K. Beznosov, The Secondary and Approximate Authorization Model and its Application to Bell- LaPadula Policies, in the Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT), Lake Tahoe, California, USA, 7-9 June, Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

control (RBAC) model develop recycling algorithms specifically for RBAC 7

7 SAAM SAAM RBAC only an abstract model a specific SAAM recycling algorithm is needed for each access control model SAAM RBAC apply SAAM to role-based access control (RBAC) model develop recycling algorithms specifically for RBAC 7 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

8 outline the overview recycling algorithms experimental evaluations summary & future work 8 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

9 terminology request: issued by a subject s for a permission p request=(s,p) ±: denotes the decision to a request an allow response: +(s,p) a deny response: (s,p) subject: modeled as the set of roles r activated in a session s= {r 1, r 2, r 3 } 9 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

10 inference rules Rule + : if +(s,p) and s s, then request (s',p) should also be allowed Rule - : if -(s,p) and s s, then request (s',p) should also be denied + S 1 = {r 1 } Rule + Rule - + S 2 = {r 1, r 2 } Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

11 SAAM RBAC recycling algorithms cache construction decision cache update SDP primary responses PDP PEP secondary responses policy change messages cache 11 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

12 cache + and cache - PDP built from allow responses built from deny responses cache + cache - p 1 {{r 3, r 4 },{r 5, r 6 }} p 2 {{r 1 },{r 5, r 6 }} p 3 {{r 2, r 4 },{r 1, r 2 }} SDP p 1 {r 1, r 2 } p 2 {r 3, r 4} p 3 {r 5, r 6} 12 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

13 example: SDP receives 1 st deny response - ({r 1, r 2 }, p) cache + cache - {r 1, r 2 } PDP SDP 13 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

14 example: SDP receives 1 st allow response + ({r 2, r 3, r 4 }, p) cache + cache - {{r 3, r 4 }} {r 1, r 2 } PDP SDP 14 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

15 example: SDP receives 2 nd allow response + ({r 4, r 5, r 6 }, p) cache + cache - {{r 3, r 4 }, }} {r 1, r 2 } {r 4, r 5, r 6 }} PDP SDP 15 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

16 example: SDP receives 2 nd deny response - ({r 4, r 7 }, p) cache + cache - {{r 3, r 4 }, {r 4, r 5, r 6 }} {r 1, r 2,} r 4, r 7 } PDP SDP 16 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

17 example: SDP receives 2 nd deny response - ({r 4, r 7 }, p) cache + cache - {{r 3 }, {r 5, r 6 }} {r 1, r 2, r 4, r 7 } PDP SDP 17 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

18 example: SDP makes an allow decision ({r 3, r 4 }, p) PEP allow cache + cache - {{r 3 }, {r 1, r 2, {r 5, r 6 }} r 4, r 7 } SDP 18 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

19 example: SDP makes a deny decision ({r 1, r 4, r 7 }, p) PEP deny cache + {{r 3 }, {r 5, r 6 }} cache - {r 1, r 2, r 4, r 7 } SDP 19 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

20 example: SDP makes an undecided decision ({r 1, r 5 }, p) PEP undecided cache + cache - {{r 3 }, {r 1, r 2, {r 5, r 6 }} r 4, r 7 } SDP 20 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

21 example: summary secondary responses PEP + ({r 3, r 4 }, p) - ({r 1, r 4, r 7 }, p)? ({r 1, r 5 }, p) these two are new requests! SDP cache + p {{r 3 },{r 5, r 6 }} cache - p {r 1, r 2, r 4, r 7 } PDP - ({r 1, r 2 }, p) + ({r 2, r 3, r 4 }, p) + ({r 4, r 5, r 6 }, p) - ({r 4, r 7 }, p) primary responses algorithm correctness is proved if the SDP makes any allow or deny decision, the PDP will always make the same decision 21 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

22 outline the overview recycling algorithms experimental evaluations summary and future work 22 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

23 SDP hit rate a cache hit evaluation metrics a request is resolved by the SDP higher hit rate => more requests resolved by the SDP even when the PDP fails => higher availability reducing the load of the PDP => higher scalability SDP inference time the time used to infer approximate responses less inference time, more efficient the system 23 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

24 evaluation methodology data input files warming request set testing request set RBAC policy input parameters evaluation engine PDP cache + cache - SDP warming phase testing phase 24 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

25 hit rate RABC policy: 100 subjects, 1,000 objects, 50 roles compared with simple caching, hit rate is improved significantly by using SAAM RBAC recycling algorithm 25 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

26 the impact of various system parameters the percentage of deny responses the number of roles the number of roles assigned per permission the number of roles assigned per user the popularity distribution of role assignment 26 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

27 inference time RABC policy: 100 subjects, 1,000 objects, 50 roles inference time stabilizes 27 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

28 cache size RABC policy: 100 subjects, 1,000 objects, 50 roles cache size stabilizes 28 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

29 outline the overview recycling algorithms experimental evaluations summary and future work 29 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

30 summary 30 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

31 future work when role hierarchy is available cache replacement algorithm experiment with real enterprise RBAC policies and request traces 31 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

32 We are looking for policies and traces from real applications! If you are willing to share them, please talk to me or contact me at: lersse.ece.ubc.ca 32 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

Cooperative Secondary Authorization Recycling

Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca) University of British