cooperative secondary authorization recycling
play

Cooperative Secondary Authorization Recycling Qiang Wei, Matei - PowerPoint PPT Presentation

Dec 18, 2023 •26 likes •256 views

Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca) University of British Columbia Typical Authorization

  1. Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca) University of British Columbia

  2. Typical Authorization Architecture protected application objects (request, allow) application authorization response response Policy Policy Decision Enforcement subject Point Point application authorization (PDP) (PEP) request request client (subject, authorization application object, read) server server Also known as request-response paradigm e.g. IBM Access Manager, EJB, XACML 2 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  3. Motivation Problems PEP reduced availability reduced PDP scalability PEP PEP 3 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  4. Secondary and Approximate Authorization Model (SAAM) PEP SDP PDP Secondary Authorization PEP SDP Recycling Secondary Decision Point (SDP) PEP SDP 1. reuse cached responses 2. infer approximate responses 4 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  5. Cooperative Secondary Authorization Recycling SDP Discovery SDP Service each SDP serves only its own PEP! SDP all SDPs cooperate to serve all PEPs 5 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  6. A Simplified Example new request allow Alice’s subject (an approximate response) SDP id= Alice role= preferred customer Discovery SDP Service previous request allow SDP Bob’s subject id= Bob role= customer 6 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  7. Contributions SDP � Proposed • the concept of Discovery SDP Service cooperative secondary authorization recycling • system architecture & SDP detailed design � Evaluated • availability • performance 7 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  8. Key Design Features 8 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  9. Consistency: Support Critical Policy Changes Critical (t) Policy Store Policy Changes Security SDP Administrator Policy Change Detect Manager SDP propagate policy changes to affected 1. find affected SDPs SDPs immediately 2. find affected caches SDP 9 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  10. Consistency : Support Time-sensitive Policy Changes Time-sensitive Policy Store Policy Changes Security SDP Administrator Policy Change A TTL approach: Detect Manager delete expired SDP responses periodically SDP 10 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  11. Support Untrusted Remote SDPs Trusts Trusts Trusted by PDP PEP SDP all SDPs Verify responses made by Does NOT remote SDPs Trust 1. verify the authenticity and integrity Malicious SDP SDP SDP 2. verify the correctness of inference 11 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  12. Configurability � Three decision points • local SDP & remote SDPs & the PDP � To reduce network traffic & PDP’s load • sequential authorization 1 2 remote PEP SDP PDP SDPs 3 � To reduce the response time • concurrent authorization 1 1 remote PEP SDP PDP SDPs 1 12 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  13. Evaluation Results via simulation & prototype implementation 13 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  14. Simulation-based Evaluation � Metrics • cache hit rate training set � Methodology simulation engine testing set � Affecting factors |cached requests without replacement| • cache warmness = |total possible requests| • number of cooperating SDPs SDP1 SDP2 |R 12 | • overlap rate O 12 = |R 1 | R – resource space 14 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  15. Hit Rate Dependence on Cache Warmness 5 SDPs High hit rate is achieved even when cache warmness is low 15 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  16. Hit Rate Dependence on Number of SDPs 10% cache warmness at each SDP Increasing the number of cooperating SDPs leads to higher hit rates Additional SDPs provide diminishing returns 16 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  17. Prototype-based Evaluation � Metrics • average client-perceived response time • hit rate PEP SDP � Methodology JAVA RMI discovery PDP test service driver � Affecting factors PEP SDP • number of requests • response verification • frequency of policy change 17 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  18. Response Time Dependence on Number of Requests 4 SDPs (CSAR), 100% overlap, 40ms RTT between PDP and each SDP 1. Cooperation can contribute to reduced response time 2. The impact of response verification is small 18 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  19. How will regular policy changes affect hit rate? 1 SDP 2. Cumulative effect of policy changes is significant 1. Hit-rate drop caused by each policy change is small 2. More frequent policy changes lead to lower hit rates 1. The hit rates stabilize after the knee 19 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  20. How does cooperation help? 100% overlap, policy changes at 100 requests/change Cooperation improves hit rates when policy changes 20 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  21. Related Work Collaborative security CSAR ( Locasto et al. 2006, Costa et al. 2005 ) Secondary and Approximate Collaborative Authorization Model (SAAM) web caching ( Crampton et al. 2006, Beznosov 2005 ) ( Lyer et al. 2002, Wolman et al. 1999, Chankhunthod et al. 1996 ) Authorization recycling ( Bauer et al. 2005, Borders et al. 2005 ) 21 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  22. Summary SDP PE P reduced availability reduced Discovery PD SDP Service scalability P PE P PE SDP P 22 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

  23. lersse.ece.ubc.ca 23 Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and

Energy Efficient Authentication and Authorization for Multi-node Cooperative Connectivity and Reliability PhD Candidate Vandana Rohokale (vmr@es.aau.dk) Supervisor Prof. Ramjee Prasad CTIF, Aalborg, Denmark Co-supervisors Assoc. Prof. Horia

372 views • 13 slides
In partnership with Weymouth DPW South Shore Recycling Cooperative Tri Town Alliance WPS has a

In partnership with Weymouth DPW South Shore Recycling Cooperative Tri Town Alliance WPS has a

In partnership with Weymouth DPW South Shore Recycling Cooperative Tri Town Alliance WPS has a School-Community Partnership Program WPS Demographics Proceeds benefit our goal of infusing 21 st Century Skills through supplemental support Need :

535 views • 21 slides
Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching Previous work has shown that hit rate increases with population size [Duska et al. 97, Breslau et al. 98] However, single proxy caches have practical limits

868 views • 53 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark

Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark

Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark L oczy Livia.Markoczy@ucr.edu Gary A. Anderson Graduate School of Management University of California, Riverside Cooperative Choice p.1/26

413 views • 26 slides
How Recycling Works in Massachusetts Where does your recycling go? Dos and Dont of

How Recycling Works in Massachusetts Where does your recycling go? Dos and Dont of

How Recycling Works in Massachusetts Where does your recycling go? Dos and Dont of Single Stream Recycling Why wishcycling is harmful? ASK the experts can I recycle this? 1 Introduction Suzanne Wood, LEED AP

449 views • 11 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
TOXIC RECYCLING How to Avoid Poisoning the Recycling Chain? The BIR World Recycling Convent ion

TOXIC RECYCLING How to Avoid Poisoning the Recycling Chain? The BIR World Recycling Convent ion

TOXIC RECYCLING How to Avoid Poisoning the Recycling Chain? The BIR World Recycling Convent ion in Prague, 27 10- 2015 Jindrich Petrlik IPEN Dioxin, PCBs and Waste WG co-chair Executive director of Arnika - Toxics and Waste Programme

174 views • 15 slides
Recycling Challenge Recycling Challenge Background The average Canadian recycles 112 kg of

Recycling Challenge Recycling Challenge Background The average Canadian recycles 112 kg of

Separating Mixtures Recycling Challenge Recycling Challenge Background The average Canadian recycles 112 kg of material per year. In Ontario, we recycle 1.5 million tonnes of recycling a year. Problem Recycling facilities are

502 views • 7 slides
Agenda 1. Overview 2. Organics Recycling in the US Georgia Recycling Coalition 3. Organics

Agenda 1. Overview 2. Organics Recycling in the US Georgia Recycling Coalition 3. Organics

Agenda 1. Overview 2. Organics Recycling in the US Georgia Recycling Coalition 3. Organics Recycling in Georgia September 19, 2017 4. Challenges Ryan Cooper Sustainability Specialist Organics Recycling 5. Solutions Rubicon

787 views • 19 slides
Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It is designed to : Assist in benefit determination Prevent unanticipated denials of coverage Create a collaborative approach to

187 views • 18 slides
COOPERATIVE EDUCATION INVENTORY STUDY Association of Cooperative Christina Clamp, PhD.

COOPERATIVE EDUCATION INVENTORY STUDY Association of Cooperative Christina Clamp, PhD.

COOPERATIVE EDUCATION INVENTORY STUDY Association of Cooperative Christina Clamp, PhD. Educators Austin, Texas Eklou Amendah, PhD. July 14, 2014 AGENDA 1. Introduction Deficiencies in research on Cooperative Education Cooperative

181 views • 17 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Tennessee Recycling Symposium Providing total recycling and waste solutions to meet your

Tennessee Recycling Symposium Providing total recycling and waste solutions to meet your

Tennessee Recycling Symposium Providing total recycling and waste solutions to meet your sustainability goals Dawn Gaines Sales Manager Non-Fiber 1 RockTenn Recycling Content RockTenn Corporate Overview RockTenn Recycling

287 views • 9 slides
Medicaid Fee-For-Service PA Department Contact Information Cooperative Managed Care Services, LLC

Medicaid Fee-For-Service PA Department Contact Information Cooperative Managed Care Services, LLC

2017 IHCP Annual Provider Seminar: Prior Authorization for Medicaid Fee-For-Service PA Department Contact Information Cooperative Managed Care Services, LLC Medicaid FFS PA 1-800-269-5720 CMCS adjudicates Medicaid Fee-for-Service (FFS) PA

637 views • 16 slides
P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

p r e t t y E a s y p r i v a c y s v a @p E p . f o u n d a t i o n h t t p s : / / p E p . f o u n d a t i o n t w i t t e r @s v a t w i t t e r @p E p f o u n d

1.21k views • 93 slides
T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a

T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a

T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a s h ma n P y t h o n P a c k a g i n g A u t h o r i t y P y C o n U S 2 0 1 9 C l e v e l a n d

581 views • 37 slides
through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding

through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding

Showing current Attainment through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding Expected Current Attainment - detail Expected + Expected Expected - Any year group- 9 pots, the full picture Attitude to

321 views • 10 slides
Understanding the Revenue Cycle Under PDGM Presented By: David Hoover Vice President, Revenue

Understanding the Revenue Cycle Under PDGM Presented By: David Hoover Vice President, Revenue

Understanding the Revenue Cycle Under PDGM Presented By: David Hoover Vice President, Revenue Cycle Management, Axxess Jennifer Osburn, RN, HCS-D, ICD-10-CM, COS-C Senior Clinical Consultant, Axxess Objectives Understand the how PDGM

643 views • 25 slides
XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS Workshop on Secure Web Services and e-Commerce XACML and RBAC/Introduction Jason Crampton Programme Examine the XACML standard and the XACML RBAC

499 views • 32 slides
Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice

Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice

Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice and Jingke Xu Department of Physics Princeton University 4/10/2014 1 Solar Neutrinos at Jin Ping Solar Neutrinos with Borexino First

485 views • 33 slides
Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015

Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015

Columbia Business School Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015 Margaret Cannella, Adjunct Professor and Administrative Director, Private Equity Program Greta Larson, Associate

303 views • 17 slides
A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut

A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut

A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut Petritsch { achim.brucker, helmut.petritsch } @sap.com SAP Research Karlsruhe Germany IEEE International Symposium on Policies for Distributed Systems

662 views • 17 slides

More recommend