policy based access control for weakly consistent
play

Policy-based Access Control for Weakly Consistent Replication Based - PowerPoint PPT Presentation

Aug 18, 2022 •616 likes •978 views

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted Webber, Thomas L. Rodeheffer and Douglas B. Terry Outline Whats the problem? Definitions System design Operation on data Updating

  1. Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted Webber, Thomas L. Rodeheffer and Douglas B. Terry

  2. Outline • What’s the problem? • Definitions • System design – Operation on data – Updating policies – Mantaining weak consistency • Summary • Questions

  3. What’s the problem? • Suppose we have small network • We want to share resources between devices • All devices should have different access rights

  4. What’s the problem? • We want to grant limited access to resource for every replica according to the policy • Replicas are not uniformly trusted • Data can change • Data can be divided into categories • Policy can change • State must be (eventually) consistent

  5. That’s not so easy! • Each replica has its policy P and dataset U P’ U’ T 0 T 1 P, U P, U P’, U P, U’ A B A B T 2 T 3 U’ P’ P’, U P, U’ P’, U P’, U’ A B A B

  6. Definitions • Collection is a dataset to replicate – e.g. FS subtree, SQL database, personal contacts... • Collections consist of items , which are atomic • Collections appear in whole or in part on replicas

  7. Assumptions • The network is consistent – All updates will reach eventually all authorized replicas • All updates take place in either of two ways – Through direct invocation – By helper application, like FS watcher • Replicas synchronize periodically • Only weak consistency is guaranteed

  8. Observations • Updates can arrive out of order • There can occur replication conflict – concurrent update of the same item • Local view of policy can vary between replicas

  9. System design • Items access and update by particular replicas • Policy access and update • Providing eventual consistency

  10. Operations on items Let’s specify three primitive operations: • Write – When a replica receives an item during synchronization • Read – When a replica is considering wether to send an item during synchronization • Sync – When a replica receives protocol-specific metadata required for performance or correctness

  11. Operation on items And two additional, administrative rights: • Control – Means that the replica can grant rights to read and write to other replicas • Own – Means that the replica can grant any rights to other replicas, including own and control

  12. Example

  13. Example Replica Read Write Sync Control Own HomePC All All All All All Laptop All All All Contacts Contacts MediaPlayer Photos - - - - Cloud All - All - - Work Contacts Contacts - - - Mobile Contacts Contacts - Contacts - SpouseMobile Contacts - - - -

  14. Replicas • Every replica has its own set of rights to different types of items • Every replica has unique public key • Update is signed with author’s public key to determine the authorship • We have three special replicas – Local Authority (LA) – Annonymous – Collection Manager (CM)

  15. Labels • Due to performance issues, the policy is not defined for every single item • Items are divided into classes represented by labels • Labels are immutuable • Can be structured in hierarchcal namespace • In the example we have two labels: contacts and photos

  16. Items • Items are bound to certain label • It is impossible to change item’s label • Item’s identifier is of the form uniqueId$hash , where hash is cryptographic hash of the corresponding label • By signing an item, a replica declares that it has write permissions on the assosiated label. What if replica is bogus?

  17. Policies • Policy is set of claims • Claims are used to prove target assertions • In the described protocol authors use SecPAL evaluator which operates on XML objects

  18. Claims • Claim is a statement made by replica about a fact „A says B can write contacts” OR „A says B can write contacts if B can write photos” • Facts come in four forms: – „A says B can ...” – „A says B can say ...” – „A says B revokes ...” – „A says B can revoke ...”

  19. Special Replicas Let’s remind that we introduced three special replicas: • Local Authority (LA) – Any direct claim made by LA is believed – All such claims are hard-coded as policy axioms • Anonymous – Means „everybody” – All claims refering to Anonymous refers to anybody • Collection Manager (CM) – Has all rights to all resources – Holds only replicated policy

  20. Policy axioms • Policy axioms are hard-coded as LA claims: „LA says P can say Q can { read, write } L if P can control L ” „LA says P can { read, write, sync, control } L if P can own L ” „LA says P can say Q can { own, read, write, sync, control } L if P can own L” „ LA says CM can own all ”

  21. Target assertion • Target assertion is a final claim that we want to prove • Supose we want to check if Mobile can write contacts The target assertion takes form of: „LA says Mobile can write contacts ” Proof proceeds with using claims made by authorized replicas

  22. Delegating specific rights • In order to make a target assertion provable we have to add more claims • Continuing the example from slides 12-13 we create new claim „CM says HomePC can own all ” • Policy claims are signed by their issuers

  23. Delegating specific rights • HomePC creates replicas for Cloud and MediaPlayer and creates following claims: „HomePC says Laptop can { read, write, sync } all ” „HomePC says Laptop can own contacts ” „HomePC says Cloud can { read, sync } all ” „HomePC says MediaPlayer can read photos ” • Afterwards Laptop creates replicas for Work and Mobile , and so on...

  24. Policy representation • Policy claims are encoded as XML files and stored in collection items called policy items • These are regular items, so we bind them to label policy and we add two more claims „CM says Anonymous can read policy ” „ HomePC says Laptop can write policy.homepc.laptop”

  25. Example of proof LA says SpouseMobile can read "contacts" | | | +-LA says P can say Q | | | | | can own R if P can own R +-LA says Laptop can say SpouseMobile | | | | | | can read "contacts" | | | +-LA says CM can own "contacts" | | | | | | | +-LA says P can say Q can read R if | | | +-LA says CM can own "" | | P can own R | | | | | | | +-CM says HomePC can own "contacts" | +-LA says Laptop can own "contacts" | | | | | | | +-CM says HomePC can own "" | +-LA says HomePC can say Laptop | | | | | can own "contacts" | +-HomePC says Laptop can own "contacts" | | | | | | | +-LA says P can say Q can own R if | +-HomePC says Laptop can own "contacts" | | | P can own R | | | | +-Laptop says SpouseMobile can read "contacts" | | +-LA says HomePC can own "contacts" | | | | +-Laptop says Mobile can say SpouseMobile | | +-LA says CM can say HomePC | | can read "contacts" | | | | can own "contacts" | | | +-Laptop says Mobile can say | P can read "contacts" | +-Mobile says SpouseMobile can read "contacts"

  26. Revocation • Revocation claims are more less the same as normal policy update „ Laptop says Laptop revokes write contacts from Mobile ” • May result in invalidation of previously valid items! • It is impossible to revoke revocation or revocation right

  27. Revocation conflict • There are two ways to deal with revocation conflict – Invalidate all affected items – Honor historical claims and disallow only new dependencies on revoked claims • In the solution proposed by authors the second option is implemented (with one exception)

  28. Summary of design • Policy is encoded in a logical language • Authority flows from a single root (CM) • Access control checks are performed within the operations that implement data replication • Encoded policy is replicated as data

  29. Mantaining consistency • There are separate items for any claims uttered by a given replica – Allows simultaneous policy updates • Read access controls do not apply to policy items – Replica cannot prevent policy from propagating

  30. Difficult example Let’s remind example from slide 5, how the system sould behave? P’ U’ T 0 T 1 P, U P, U P’, U P, U’ A B A B T 2 T 3 U’ P’ P’, U P, U’ P’, U P’, U’ A B A B

  31. Difficult example - answer • If U’ is not authorized at authoring replica, then the update will not be admitted • If U’ is not authorized at receiving replica, then transmission of U’ is retried periodically until P’ arrives a the destination • If U’ was inappropriately authorized before receiving P’, the replica must reevaluate all previously received items

  32. Design - summary • Single root of authority • Identity determined with public key • Updating after checking the policy • Policy as normal items • Limitations on revoking claims • Binding of labels and data

  33. Questions

  34. References • T. Wobber, T. L. Rodeheffer, D. B. Terry. Policy-based Access Control for Weakly Consistent Replication in EuroSys Conference, Paris, France, pages 293-306, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid,

Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid,

Proving Weakly Consistent Applications Correct Alexey Gotsman IMDEA Software Institute, Madrid, Spain Joint work with Hongseok Yang (Oxford), Carla Ferreira (U Nova Lisboa), Mahsa Najafzadeh, Marc Shapiro (INRIA) Eventually consistent

967 views • 51 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT

Effective and Efficient Compromise Recovery for Weakly Consistent Replication Prince Mahajan (UT Austin), Ramakrishna Kotla, Cathy Marshall, Venugopalan Rama Ramasubramanian, Tom Rodeheffer, Doug Terry, Ted Wobber (Microsoft Research

1.34k views • 85 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS,

MAINTAINING SQL INVARIANTS IN WEAKLY CONSISTENT DATABASES Nuno Preguia (NOVA LINCS, FCT/Universidade NOVA de Lisboa) Joint work with: Valter Balegas, Cheng Li (MPI, now Oracle), Joo Sousa, David Lopes, Srgio Duarte, Carla Ferreira, Joo

890 views • 49 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of

Institute for Cyber Security Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy Prosunjit Biswas, Ravi Sandhu and Ram Krishnan University of Texas at San Antonio 1 st Workshop on Attribute Based Access Control (ABAC

469 views • 26 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is

Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is

Electronic Access Control Policy Presented by Thomas Sonoff, Director of College Safety What is Access Control The ability to regulate or restrict building access via a centralized electronic control system Electronic Access Control System

292 views • 4 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Presentation to analysts and investors at Leonora Operations Attached is a presentation to

Presentation to analysts and investors at Leonora Operations Attached is a presentation to

ASX Release / 15 May 2018 Presentation to analysts and investors at Leonora Operations Attached is a presentation to analysts and investors attending a site visit this week at Leonora Operations, Western Australia. Investor Relations Mr Rowan

829 views • 54 slides
Co Corp rpor orat ate e Ove verv rview iew Corporate Presentation NASDAQ:SMTX AU AUGUST

Co Corp rpor orat ate e Ove verv rview iew Corporate Presentation NASDAQ:SMTX AU AUGUST

Co Corp rpor orat ate e Ove verv rview iew Corporate Presentation NASDAQ:SMTX AU AUGUST UST 20 20, 20 , 2018 18 FORWARD FO WARD-LO LOOKING OKING ST STAT ATEM EMENT ENT This presentation contains forward-looking statements

288 views • 15 slides
LCCMR ID: 040-B Project Title: Nutrient Retention by Vegetation in Southeast Minnesota Streams

LCCMR ID: 040-B Project Title: Nutrient Retention by Vegetation in Southeast Minnesota Streams

Environment and Natural Resources Trust Fund 2011-2012 Request for Proposals (RFP) LCCMR ID: 040-B Project Title: Nutrient Retention by Vegetation in Southeast Minnesota Streams Category: B. Water Resources Total Project Budget: $ $436,000

458 views • 6 slides
Working Paper A Microsimulation Approach for Modelling the Future Human Capital of EU28 Member

Working Paper A Microsimulation Approach for Modelling the Future Human Capital of EU28 Member

International Institute for Tel: +43 2236 807 342 Applied Systems Analysis Fax: +43 2236 71313 Schlossplatz 1 E-mail: repository@iiasa.ac.at A-2361 Laxenburg, Austria Web: www.iiasa.ac.at Working Paper A Microsimulation Approach for

560 views • 41 slides
Environment and Natural Resources Trust Fund 2012-2013 Request for Proposals (RFP) 138-H ENRTF

Environment and Natural Resources Trust Fund 2012-2013 Request for Proposals (RFP) 138-H ENRTF

Environment and Natural Resources Trust Fund 2012-2013 Request for Proposals (RFP) 138-H ENRTF ID: Project Title: School of Environmental Studies - Wind Jet 50kW H. Renewable Energy Topic Area: Total Project Budget: $ 163,000 Proposed

449 views • 6 slides
JADE C O L L E C T I O N Te in store counter display system is a vitally important part of your

JADE C O L L E C T I O N Te in store counter display system is a vitally important part of your

JADE C O L L E C T I O N Te in store counter display system is a vitally important part of your store. To help you achieve maximum sales of your merchandise we have developed a flexible display range that For full details and specification of

386 views • 4 slides
MINEBEA New FDBs for HDD Spindle Motors ROF Type May 20, 2004 0 Table of Contents 1.

MINEBEA New FDBs for HDD Spindle Motors ROF Type May 20, 2004 0 Table of Contents 1.

MINEBEA New FDBs for HDD Spindle Motors ROF Type May 20, 2004 0 Table of Contents 1. Basic Development Concept 2. Characteristics 3. Structure of ROF Type FDB Unit 4. Sleeve 5. Structural Comparison with Conventional FDB 6.

492 views • 14 slides
LICENSED BATHTUB RACE ACTIVITY AREA Special Event Park Board Committee Meeting November 20,

LICENSED BATHTUB RACE ACTIVITY AREA Special Event Park Board Committee Meeting November 20,

KITSFEST 2018 LICENSED BATHTUB RACE ACTIVITY AREA Special Event Park Board Committee Meeting November 20, 2017 Purpose of Presentation Present and review proposal from the organizers of KitsFest for a new bathtub race activity area at

315 views • 10 slides

More recommend