research-article

Efficient access enforcement in distributed role-based access control (RBAC) deployments

Authors:

Mahesh V. Tripunitara,

Bogdan CarbunarAuthors Info & Claims

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies

Pages 155 - 164

https://doi.org/10.1145/1542207.1542232

Published: 03 June 2009 Publication History

Abstract

We address the distributed setting for enforcement of a centralized Role-Based Access Control (RBAC) protection state. We present a new approach for time- and space-efficient access enforcement. Underlying our approach is a data structure that we call a cascade Bloom filter. We describe our approach, provide details about the cascade Bloom filter, its associated algorithms, soundness and completeness properties for those algorithms, and provide an empirical validation for distributed access enforcement of RBAC. We demonstrate that even in low-capability devices such as WiFi network access points, we can perform thousands of access checks in a second.

References

[1]

M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4):706--734, Oct. 1993.

Digital Library

[2]

E. Al-Shaer, H. Hamed, R. Boutaba, and M. Hasan. Conflict classification and analysis of distributed firewall policies. IEEE Journal on Selected Areas in Communications (JSAC), 23(10), October 2005.

Digital Library

[3]

L. Bauer, S. Garriss, and M. K. Reiter. Distributed proving in access- control systems. In Proceedings of the IEEE Symposium on Security and Privacy, pages 81--95, 2005.

Digital Library

[4]

M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis. The KeyNote trust-management system, version 2. IETF RFC 2704, Sept. 1999.

Digital Library

[5]

B. Bloom. Space/time trade-offs in hash coding with allowable errors. Communications of the ACM, 13(7):422--426, 1970.

Digital Library

[6]

K. Borders, X. Zhao, and A. Prakash. Cpol: High-performance policy evaluation. In Proceedings of the 12th ACM Coference on Computer and Communications Security (SACMAT'05), pages 147--157, 2005.

Digital Library

[7]

A. Broder and M. Mitzenmacher. Network applications of bloom filters: A survey. In Proceedings of the 40th Annual Allerton Conference on Communication, Control and Computing, pages 636--646. ACM Press, 2002.

[8]

B. Chazelle, J. Kilian, R. Rubinfield, and A. Tal. The bloomier filter: An efficient data structure for static support lookup tables. In Proceedings of the fifteenth annual ACM-SIAM symposium on Discrete algorithms (SODA), pages 30--39, 2004.

Digital Library

[9]

M. J. Clancy and D. E. Knuth. A programming and problem-solving seminar. Technical Report CS-TR-77-606, Stanford University, Department of Computer Science, 1977.

Digital Library

[10]

S. Cohen and Y. Matias. Spectral bloom filters. In Proceedings of the 2003 ACM SIGMOD international conference on Management of data (SIGMOD), pages 241--252, 2003.

Digital Library

[11]

L. Fan, P. Cao, J. Almeida, and A. Broder. Summary cache: A scalable wide-area web cache sharing protocol. IEEE/ACM Transactions on Networking, 8(3):281--293, 2000.

Digital Library

[12]

D. F. Ferraiolo, R. S. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security, 4(3):224--274, Aug. 2001.

Digital Library

[13]

E. Freudenthal, T. Pesin, L. Port, E. Keenan, and V. Karamcheti. dRBAC: Distributed Role-Based Access Control for Dynamic Coalition Environments. In Proceedings of the International Conference on Distributed Computing Systems, July 2002.

Digital Library

[14]

G. Karjoth. Access control with IBM Tivoli Access Manager. ACM Transactions on Information and System Security, 6(2):232--257, May 2003.

Digital Library

[15]

N. Li and M. V. Tripunitara. Security analysis in role-based access control. ACM Transactions on Information and Systems Security (TISSEC), 9(4):391--420, Nov. 2006.

Digital Library

[16]

LinkSys. The wireless-g access point - wap54g. http://www.linksysbycisco.com/US/en/support/WAP54G, 2009.

[17]

M. Mitzenmacher. Compressed bloom filters. IEEE/ACM Transactions on Networking, 10(5):604--612, 2002.

Digital Library

[18]

A. Pagh and R. Pagh. Uniform hashing in constant time and optimal space. SIAM Journal on Computing, 38(1):85--96, Mar. 2008.

Digital Library

[19]

A. Pagh, R. Pagh, and S. S. Rao. An optimal bloom filter replacement. In Proceedings of the Sixteenth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 823--829, 2005.

Digital Library

[20]

M. V. Ramakrishna. Practical performance of bloom filters and parallel free-text searching. Communications of the ACM, 32(10):1237--1239, Oct. 1989.

Digital Library

[21]

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, February 1996.

Digital Library

[22]

K. Shanmugasundaram, H. Bronnimann, and N. Memon. Payload attribution via hierarchical bloom filters. In Proceedings of the 11th ACM conference on Computer and communications security (CCS'04), pages 31--41. ACM Press, 2004.

Digital Library

[23]

Sourceforge. Cpu usage limiter for linux. http://cpulimit.sourceforge.net/, 2009.

[24]

F. I. P. Standards. Secure hash standard. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf, 2002.

[25]

M. V. Tripunitara and B. Carbunar. Efficient access enforcement in distributed role-based access control (RBAC) deployments. Technical report, ECE Department, University of Waterloo, 2009. Available from http://ece.uwaterloo.ca/~tripunit/papers/TC09a.pdf .

[26]

Q. Wei, J. Crampton, K. Beznosov, and M. Ripeanu. Authorization recycling in rbac systems. In Proceedings of the 13th ACM Symposium on Access Control, Models and Technologies (SACMAT'08), pages 63--72, 2008.

Digital Library

Cited By

Wen RMcCoy HTench DTagliavini GBender MConway AFarach-Colton MJohnson RPandey P(2024)Adaptive Quotient FiltersProceedings of the ACM on Management of Data10.1145/36771282:4(1-28)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3677128
Pandey PFarach-Colton MDayan NZhang HBarcelo PSanchez-Pi NMeliou ASudarshan S(2024)Beyond Bloom: A Tutorial on Future Feature-Rich FiltersCompanion of the 2024 International Conference on Management of Data10.1145/3626246.3654681(636-644)Online publication date: 9-Jun-2024
https://dl.acm.org/doi/10.1145/3626246.3654681
Saenko IKotenko ITakadama K(2018)Genetic algorithms for role mining in critical infrastructure data spacesProceedings of the Genetic and Evolutionary Computation Conference Companion10.1145/3205651.3208283(1688-1695)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3205651.3208283
Show More Cited By

Index Terms

Efficient access enforcement in distributed role-based access control (RBAC) deployments
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

An empirical assessment of approaches to distributed enforcement in role-based access control (RBAC)
CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We assess six ...
Hardware-enhanced distributed access enforcement for role-based access control
SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies

The protection of information in enterprise and cloud platforms is growing more important and complex with increasing numbers of users who need to access resources with distinct permissions. Role-based access control (RBAC) eases administrative ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed Systems

Role-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies

June 2009

258 pages

ISBN:9781605585376

DOI:10.1145/1542207

General Chair:
Barbara Carminati
University of Insubria, Italy
,
Program Chair:
James Joshi
University of Pittsburgh, USA

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 June 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '09

Sponsor:

SACMAT '09: 14th ACM Symposium on Access Control Models and Technologies

June 3 - 5, 2009

Stresa, Italy

Acceptance Rates

SACMAT '09 Paper Acceptance Rate 24 of 75 submissions, 32%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
588
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wen RMcCoy HTench DTagliavini GBender MConway AFarach-Colton MJohnson RPandey P(2024)Adaptive Quotient FiltersProceedings of the ACM on Management of Data10.1145/36771282:4(1-28)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3677128
Pandey PFarach-Colton MDayan NZhang HBarcelo PSanchez-Pi NMeliou ASudarshan S(2024)Beyond Bloom: A Tutorial on Future Feature-Rich FiltersCompanion of the 2024 International Conference on Management of Data10.1145/3626246.3654681(636-644)Online publication date: 9-Jun-2024
https://dl.acm.org/doi/10.1145/3626246.3654681
Saenko IKotenko ITakadama K(2018)Genetic algorithms for role mining in critical infrastructure data spacesProceedings of the Genetic and Evolutionary Computation Conference Companion10.1145/3205651.3208283(1688-1695)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3205651.3208283
Oh SKim H(2015)Study on access permission control for the Web of Things2015 17th International Conference on Advanced Communication Technology (ICACT)10.1109/ICACT.2015.7224926(574-580)Online publication date: Jul-2015
https://doi.org/10.1109/ICACT.2015.7224926
Bloom GSimha ROsborn STripunitara MMolloy I(2014)Hardware-enhanced distributed access enforcement for role-based access controlProceedings of the 19th ACM symposium on Access control models and technologies10.1145/2613087.2613096(5-16)Online publication date: 25-Jun-2014
https://dl.acm.org/doi/10.1145/2613087.2613096
Hieb JSchreiver JGraham J(2013)A security-hardened appliance for implementing authentication and access control in SCADA infrastructures with legacy field devicesInternational Journal of Critical Infrastructure Protection10.1016/j.ijcip.2013.01.0016:1(12-24)Online publication date: Mar-2013
https://doi.org/10.1016/j.ijcip.2013.01.001
Molloy IDickens LMorisset CCheng PLobo JRusso ABertino ESandhu R(2012)Risk-based security decisions under uncertaintyProceedings of the second ACM conference on Data and Application Security and Privacy10.1145/2133601.2133622(157-168)Online publication date: 7-Feb-2012
https://dl.acm.org/doi/10.1145/2133601.2133622
Wei QCrampton JBeznosov KRipeanu M(2011)Authorization recycling in hierarchical RBAC systemsACM Transactions on Information and System Security (TISSEC)10.1145/1952982.195298514:1(1-29)Online publication date: 6-Jun-2011
https://dl.acm.org/doi/10.1145/1952982.1952985
Komlenovic MTripunitara MZitouni TSandhu RBertino E(2011)An empirical assessment of approaches to distributed enforcement in role-based access control (RBAC)Proceedings of the first ACM conference on Data and application security and privacy10.1145/1943513.1943530(121-132)Online publication date: 21-Feb-2011
https://dl.acm.org/doi/10.1145/1943513.1943530
Ran Yang Chuang Lin Yixin Jiang Xiaowen Chu (2011)An Authorization Model without Central Authority for Service Collaboration2011 IEEE Global Telecommunications Conference - GLOBECOM 201110.1109/GLOCOM.2011.6134072(1-5)Online publication date: Dec-2011
https://doi.org/10.1109/GLOCOM.2011.6134072
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents