research-article

Scalable and Secure Concurrent Evaluation of History-based Access Control Policies

Authors:

Wouter JoosenAuthors Info & Claims

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Pages 281 - 290

https://doi.org/10.1145/2818000.2818008

Published: 07 December 2015 Publication History

Abstract

Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.

References

[1]

eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, 2013.

[2]

A. Alzahrani, H. Janicke, and S. Abubaker. Decentralized xacml overlay network. In IEEE CIT, June 2010.

Digital Library

[3]

D.F.C. Brewer and M.J. Nash. The Chinese Wall security policy. In IEEE Security and Privacy, May 1989.

[4]

D. Chadwick. Coordinated decision making in distributed applications. Information Security Technical Report, 2007.

[5]

D.W. Chadwick, Linying Su, O. Otenko, and R. Laborde. Coordination between distributed PDPs. In IEEE POLICY, June 2006.

Digital Library

[6]

George F Coulouris, Jean Dollimore, and Tim Kindberg. Distributed systems: concepts and design. pearson education, 2005.

Digital Library

[7]

J. Crampton and M. Huth. An authorization framework resilient to policy evaluation failures. ESORICS, 2010.

Digital Library

[8]

M. Decat, J. Bogaerts, B. Lagaisse, and W. Joosen. Amusa: middleware for efficient access control management of multi-tenant saas applications. In ACM SAC, 2015.

Digital Library

[9]

V. Dhankhar, S. Kaushik, D. Wijesekera, and A. Nerode. Evaluating distributed XACML policies. In ACM SWS. ACM, 2007.

Digital Library

[10]

Guy Edjlali, Anurag Acharya, and Vipin Chaudhary. History-based access control for mobile code. In ACM CCS, 1998.

Digital Library

[11]

P. Gama, C. Ribeiro, and P. Ferreira. A scalable history-based policy engine. In IEEE POLICY, 2006.

Digital Library

[12]

R. Gay, H. Mantel, and B. Sprick. Service automata. In Formal Aspects of Security and Trust. 2012.

Digital Library

[13]

H. Janicke, A. Cau, et al. Concurrent enforcement of usage control policies. In IEEE POLICY, 2008.

Digital Library

[14]

X. Jin, R. Krishnan, and R. Sandhu. A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In CODASPY. 2012.

Digital Library

[15]

F. Kelbert and A. Pretschner. A fully decentralized data usage control enforcement infrastructure. In To appear in ACNS 2015. 2015.

[16]

N. Li, Q. Wang, W. Qardaji, E. Bertino, P. Rao, J. Lobo, and D. Lin. Access control policy combining: Theory meets practice. In ACM SACMAT, 2009.

Digital Library

[17]

D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. Policy decomposition for collaborative access control. In ACM SACMAT, 2008.

Digital Library

[18]

J. Lobo, J. Ma, A. Russo, E. Lupu, S. Calo, and M. Sloman. Refinement of history-based policies. In Logic Programming, Knowledge Representation, and Nonmonotonic Reasoning. 2011.

Digital Library

[19]

D. Nguyen, J. Park, and R. Sandhu. A provenance-based access control model for dynamic separation of duties. In IEEE PST, July 2013.

Digital Library

[20]

J. Park and R. Sandhu. The UCON ABC usage control model. TISSEC, 2004.

Digital Library

[21]

L. Su, D.W. Chadwick, A. Basden, and J.A. Cunningham. Automated decomposition of access control policies. In IEEE POLICY, 2005.

Digital Library

[22]

P. Tsankov, S. Marinovic, Mohammad Torabi D., and D. Basin. Fail-secure access control. In ACM CCS, 2014.

Digital Library

[23]

S. Weil, S Brandt, E. Miller, D. Long, and C. Maltzahn. Ceph: A scalable, high-performance distributed file system. In USENIX OSDI, 2006.

Digital Library

Cited By

Gay RHu JMantel HSchickel J(2017)Towards Accelerated Usage Control Based on Access CorrelationsSecure IT Systems10.1007/978-3-319-70290-2_15(245-261)Online publication date: 4-Nov-2017
https://doi.org/10.1007/978-3-319-70290-2_15
Bui TStoller SSharma S(2017)Fast Distributed Evaluation of Stateful Attribute-Based Access Control PoliciesData and Applications Security and Privacy XXXI10.1007/978-3-319-61176-1_6(101-119)Online publication date: 22-Jun-2017
https://doi.org/10.1007/978-3-319-61176-1_6

Scalable and Secure Concurrent Evaluation of History-based Access Control Policies
1. Computer systems organization
  1. Architectures
2. Security and privacy
  1. Security services

Recommendations

Entity-Based Access Control: supporting more expressive access control policies
ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Access control is an important part of security that restricts the actions that users can perform on resources. Policy models specify how these restrictions are formulated in policies. Over the last decades, we have seen several such models, including ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed Systems

Role-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...
Constraints-based access control
Das'01: Proceedings of the fifteenth annual working conference on Database and application security

The most important aspect of security in a database after establishing the authenticity of the user is its access control mechanism. The ability of this access control mechanism to express the security policy can make or break the system.This paper ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

December 2015

489 pages

ISBN:9781450336826

DOI:10.1145/2818000

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Agentschap voor Innovatie door Wetenschap en Technologie
Research Fund KU Leuven
Prevention of and Fight against Crime Pro- gramme of the European Union (B-CCENTRE)

Conference

ACSAC 2015

ACSAC 2015: 2015 Annual Computer Security Applications Conference

December 7 - 11, 2015

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
304
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)1

Reflects downloads up to 02 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Gay RHu JMantel HSchickel J(2017)Towards Accelerated Usage Control Based on Access CorrelationsSecure IT Systems10.1007/978-3-319-70290-2_15(245-261)Online publication date: 4-Nov-2017
https://doi.org/10.1007/978-3-319-70290-2_15
Bui TStoller SSharma S(2017)Fast Distributed Evaluation of Stateful Attribute-Based Access Control PoliciesData and Applications Security and Privacy XXXI10.1007/978-3-319-61176-1_6(101-119)Online publication date: 22-Jun-2017
https://doi.org/10.1007/978-3-319-61176-1_6

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents