Scalable and Secure Concurrent Evaluation of History-based Access Control Policies

Proceedings of the 31st Annual Computer Security Applications Conference Pub Date : 2015-12-07 DOI:10.1145/2818000.2818008

Maarten Decat, B. Lagaisse, W. Joosen

{"title":"Scalable and Secure Concurrent Evaluation of History-based Access Control Policies","authors":"Maarten Decat, B. Lagaisse, W. Joosen","doi":"10.1145/2818000.2818008","DOIUrl":null,"url":null,"abstract":"Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"293 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 31st Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2818000.2818008","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.

查看原文本刊更多论文

基于历史访问控制策略的可扩展和安全并发评估

当今的许多应用程序都部署在大规模分布式基础设施上，以并发处理大量用户。在对此类应用程序应用访问控制时，还必须并发地评估访问控制策略。但是，对于某些类型的策略(如基于历史的策略)，一个访问决策依赖于之前的访问决策。因此，可以利用并发性来实现错误的访问决策和特权升级。此外，用于并发控制的一般技术不能扩展到当前应用程序的大小，同时提供安全性所需的完全一致性。因此，我们提出了一种针对访问控制的高效并发控制方案。通过利用策略评估的特定结构，该方案能够防止由于并发性而导致的错误决策，并同时扩展到大量机器，同时只产生有限的延迟开销。因此，这项工作有助于在实际的大规模应用程序中采用基于策略的访问控制。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 31st Annual Computer Security Applications Conference

自引率

0.00%

发文量