Scalable and Secure Concurrent Evaluation of History-based Access Control Policies
Maarten Decat, Bert Lagaisse, Wouter Joosen
KU Leuven, Belgium

Context
Access control: enforce access rules
[Diagram: Subjects, Read, Resources, Policies, Application]
[Diagram: Load balancer; five Application/Database pairs; one Policy Decision Point]
[Diagram: Load balancer; five Application/Database pairs; five Policy Decision Points]

Problem
Not all policies are read-only: history-based policies
• “a user cannot watch more than 10 movies per month”
• “an article cannot be shared more than 5 times”
• “if a user has had access to documents of Bank A, he or she is not allowed to access documents of Bank B” (Dynamic SoD)
Evaluated one after the other, the second request sees the updated history and is denied:
Subject1 -> doc of Bank A
    read subj.history // (= [])
    … // evaluate policy = permit
    append “Bank A” to subj.history
    return permit
Subject1 -> doc of Bank B
    read subj.history // (= [“Bank A”])
    … // evaluate policy = deny
    return deny
Evaluated concurrently, both requests read an empty history and both are permitted:
Subject1 -> doc of Bank A
    read subj.history // (= [])
    … // evaluate policy = permit
    append “Bank A” to subj.history
    return permit
Subject1 -> doc of Bank B
    read subj.history // (= [])
    … // evaluate policy = permit
    append “Bank B” to subj.history
    return permit
Read-write conflict

Goal
We need concurrency control
Possible approach: model policy evaluations as transactions on the underlying database
However: serial equivalence does not scale
• E.g., MySQL: single master server for transactions
• E.g., Cassandra, MongoDB: compare-and-set on single database elements
We need a domain-specific form of concurrency control to achieve both serial equivalence and scalability

Approach
When resource.owner == “Bank B”, apply DenyOverrides to
    Deny if “Bank A” in subject.history
    Permit performing append(“Bank B”, subject.history)
[Callouts on the slide: Obligations, Attributes]
Goal: detect and contain read-write conflicts for the same attribute in parallel policy evaluations

Possible tactics
1. Locks
2. (Multi-version) time-stamp ordering
3. Optimistic concurrency control
   • Check for conflicts before committing
   • Roll back any updates in case of conflict
Reasons:
• Fits the structure of a policy evaluation: all attribute updates are performed after all reads
• Does not block policy evaluations
• Does not rely on database functionality

Basic approach
[Diagram: Application, Policy decision point (Coordinator, Worker), Attribute db; message steps numbered 1 to 9; label: Optimistic concurrency control]

Centralized coordinator
[Diagram: three Applications, one Coordinator, four Workers]
[Diagram: three Applications, one Coordinator, twelve Workers]

Scalable distributed coordinator
Observations:
• Every policy evaluation reasons about exactly 1 subject and 1 resource
• Distribute these two parts over two collaborating coordinators

Scalable concurrency control
[Diagram: Application, Attribute db, several Worker/Coordinator pairs; message steps numbered 1 to 14]
Responsible coordinator based on hash of id of subject/resource
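
The optimistic check-before-commit tactic and the hash-based choice of coordinator described above, as an added Python example (not from the slides or the STAPL prototype). It replays the Bank A / Bank B interleaving for one subject; the class and function names, the version counters, SHA-256 as the hash, and the restriction to subject attributes are assumptions.

```python
import hashlib

CONFLICTS = {"Bank A": "Bank B", "Bank B": "Bank A"}  # constructed SoD pair

class Coordinator:
    """Holds attributes for a share of the subjects; commits run one at a time."""
    def __init__(self):
        self.store = {}  # attribute key -> (version, value)
    def read(self, key):
        return self.store.get(key, (0, []))
    def commit(self, reads, writes):
        # Validate: every attribute this evaluation read must be unchanged.
        if any(self.read(k)[0] != v for k, v in reads.items()):
            return False  # read-write conflict: the updates are discarded
        for k, value in writes.items():
            self.store[k] = (self.read(k)[0] + 1, value)
        return True

def coordinator_for(entity_id, coordinators):
    # Hashing the id sends every evaluation about one subject to one coordinator.
    h = int.from_bytes(hashlib.sha256(entity_id.encode()).digest()[:4], "big")
    return coordinators[h % len(coordinators)]

class Evaluation:
    """One policy evaluation: reads first, attribute updates only at commit."""
    def __init__(self, subject, owner, coordinators):
        self.coord = coordinator_for(subject, coordinators)
        self.key, self.owner = subject + ".history", owner
    def evaluate(self):
        version, history = self.coord.read(self.key)
        self.reads = {self.key: version}
        blocked = CONFLICTS[self.owner] in history
        # Obligation of a permit: append the owner to subject.history.
        self.writes = {} if blocked else {self.key: history + [self.owner]}
        return "deny" if blocked else "permit"
    def decide(self):
        decision = self.evaluate()
        while not self.coord.commit(self.reads, self.writes):  # conflict: retry
            decision = self.evaluate()
        return decision

def interleaved(n_coordinators=3):
    """Both evaluations read subject1.history before either one commits."""
    coords = [Coordinator() for _ in range(n_coordinators)]
    a, b = (Evaluation("subject1", o, coords) for o in ("Bank A", "Bank B"))
    tentative = (a.evaluate(), b.evaluate())
    committed = tuple(e.coord.commit(e.reads, e.writes) for e in (a, b))
    return tentative, committed, b.decide(), a.coord.read("subject1.history")[1]
```

`interleaved()` returns the tentative decisions, the commit outcomes, the re-evaluated decision for Bank B, and the stored history.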
[Diagram: three Applications, three Coordinators, twelve Workers]
[Diagram, two slides: three Applications and three Coordinators, with four Workers listed per Coordinator]

Performance evaluation
Prototype and test set-up
Prototype:
• STAPL policy language [ https://github.com/stapl-dsl/ ]
• Akka actor framework for concurrency and distributed communication
Test set-up:
• Run tests on VMs until statistically relevant
• Employ realistic policy from e-health case study [ https://people.cs.kuleuven.be/~maarten.decat/acsac2015/ ]

Results
[Diagram: two Clients, one Coordinator, four Workers]
[Diagram: two Clients, one Coordinator, fifteen Workers]
[Diagram: two Clients, three Coordinators, fifteen Workers]
[Diagram: two Clients, three Coordinators, fifteen Workers; label: Asymptotic maximal latency]

Conclusions
Goal: applying policy-based access control on large-scale distributed systems
Focus: address concurrency issues that can arise for history-based access control policies
Contribution: a domain-specific scheme for concurrency control that:
• prevents incorrect decisions
• can scale to a large number of machines
• introduces a limited and asymptotically bounded latency overhead