Dominator-tree analysis for distributed authorization

Abstract

Practical analysis tools for distributed authorization need to answer quickly and accurately the question: who can access this resource? DAP (Delegation with Acyclic Paths) is a distributed authorization framework (introduced in [17]) that tries to inter-operate better with standard PKI mechanisms while retaining some of the benefits of new trust management schemes. DAP has an acyclicity requirement which makes it more difficult to answer the question quickly. In this paper we use a technique borrowed from compiler optimization, dominator-tree problem decomposition, to overcome this limitation of DAP with a fast heuristic. We show through simulation the heuristic's performance in a realistic federated resource management scenario. We also show how this heuristic can be complemented by clone-analysis techniques that exploit similarities between principals to further improve performance. We are currently using the heuristic and clone-analysis in practice in a design/analysis security tool.