working set based access control for based access control
play

Working Set- -Based Access Control for Based Access Control for - PowerPoint PPT Presentation

Oct 04, 2022 •430 likes •667 views

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

  1. Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University of New Jersey { smaldone, vinodg, iftode }@cs.rutgers.edu

  2. Mobile Access to Network File Systems Increasing Mobile Access to Network File Systems Increasing Corporate Intranet Alice @Trusted Alice @Untrusted Personal Device VPN File Server Accesses VPN Firewall Internet Network File Servers 5/19/2007 Rutgers WINLAB IAB Meeting 2

  3. WSBAC: Working Set- -Based Access Control Based Access Control WSBAC: Working Set Process Alice’s Active Working Set File Set Process Alice’s File Set Virtual Memory 5/19/2007 Rutgers WINLAB IAB Meeting 3

  4. Outline Outline • Introduction • WSBAC Design – POLEX and POLEN Design • WSBAC Implementation – Background: FileWall – POLEX and POLEN Implementations – Policy View Namespace (PVN) • Related Work • Conclusions and Future Work 5/19/2007 Rutgers WINLAB IAB Meeting 4

  5. WSBAC Overview WSBAC Overview Trusted Network Domain (Corporate Intranet) 1 1 File Server 1 Trusted POLEX Devices 2 Working Sets Untrusted Devices 3 2 POLEN POLEN Vault Area 3 5/19/2007 Rutgers WINLAB IAB Meeting 5

  6. POLEX: POL POLicy icy EX EXtraction traction for Network File Systems for Network File Systems POLEX: Trusted Devices Switch Policy View File Server POLEX Namespace (PVN) Administrator Working Sets 5/19/2007 Rutgers WINLAB IAB Meeting 6

  7. Policy View Namespace (PVN) Policy View Namespace (PVN) PVN Root PVN1 Control Shadow • Start / Stop Collection • Modify Collection Parameters Shadow File Contents • Modify View Parameters FILE METADATA EFFECTIVE AC Mirrored FS Namespace 5/19/2007 Rutgers WINLAB IAB Meeting 7

  8. POLEN: POL POLicy icy EN ENforcement forcement for Network File for Network File POLEN: Systems Systems WSBAC Virtual Untrusted Namespace Devices POLEN File Server Working Reliable Sets Secondary Authentication Mechanism 5/19/2007 Rutgers WINLAB IAB Meeting 8

  9. Background: FileWall FileWall Background: Scheduler Request Handler File Server … FS Client Forwarder Response Access Handler Context FileWall Policy FileWall: A Firewall for Network File System, S. Smaldone, A. Bohra, and L. Iftode. In the Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07). 5/19/2007 Rutgers WINLAB IAB Meeting 9

  10. The POLEX Implementation The POLEX Implementation Scheduler Network Extraction File System Handler Stream Forwarder View Access Handlers Context Policy Administrator Working Set Definition Summaries (Bloom Filters) 5/19/2007 Rutgers WINLAB IAB Meeting 10

  11. Outline Outline • Introduction • WSBAC Design • WSBAC Implementation • Evaluation and Results • Related Work • Conclusions 5/19/2007 Rutgers WINLAB IAB Meeting 11

  12. Evaluation Evaluation • Goals – Measure accuracy of a working set extraction: w.r.t. errors and over-estimations – Measure overheads imposed network file system access – See paper for full evaluation and results • Setup – Systems: Dell systems, Dual 2.4 GHz CPUs, 3 GB RAM, running Linux 2.6 – Perform offline analysis using Harvard File System Traces [Ellard’03] – OpenSSH compilation as application performance benchmark 5/19/2007 Rutgers WINLAB IAB Meeting 12

  13. Evaluation: POLEX Accuracy Evaluation: POLEX Accuracy Average Error Rate Over-Estimation Rate Run 1 1.08% 31.6% Run 2 0.76% 41.2% Run 3 1.02% 42.5% Run 4 0.79% 36.5% Run 5 0.97% 42.9% Average 0.92% 38.9% 5/19/2007 Rutgers WINLAB IAB Meeting 13

  14. Evaluation: POLEN Application Benchmark Evaluation: POLEN Application Benchmark 70 60 50 Time (sec) 40 NFS POLEN 30 20 10 0 untar configure compile install remove Benchmark Phase 5/19/2007 Rutgers WINLAB IAB Meeting 14

  15. Related Work Related Work • Policy Extraction and Inference – RBAC Role Mining [Kuhlmann’03, Schlegelmilch’05] – XACML AC Property Inference [Anderson’04, Martin’06] – Firewall Policy Inference [Golnabi’06, Tongaonkar’07] – Gray-Box Systems [Arpaci-Dusseau’01] • Context-Aware Access Control – Secure Collaborations in Mobile Computing [Toninelli’06] – Ubiquitous Services [Corradi’04, Yokotama’06] – Ad-Hoc Networks [Saidane’07] – Web Services [Bhatti’05, Kapsalis’06] 5/19/2007 Rutgers WINLAB IAB Meeting 15

  16. Conclusions Conclusions • WSBAC: Working Set-Based Access Control for Network File Systems – Access control technique that estimates per-user working sets to formulate access control policy for accesses from untrusted devices – Prototype design and implementation of POLEX and POLEN – Empirical evaluation suggests that WSBAC is highly effective, exhibiting low error rates • Conference Paper – Working Set-Based Access Control for Network File Systems, S. Smaldone, V. Ganapathy, and L. Iftode To appear in the Proceedings of the 14 th ACM Symposium on Access Control Models and Technologies (SACMAT 2009), June 2009. 5/19/2007 Rutgers WINLAB IAB Meeting 16

  17. Thank You! Thank You! http://discolab.rutgers.edu

  18. Evaluation: POLEX Time and Storage Requirements Evaluation: POLEX Time and Storage Requirements Size of Trace Time to Analyze State Size 1 Day (~3.3 GB - 6,308,023 Req/Res Pairs) 52 min 154MB 1 Hour (~140 MB - 262,834 Req/Res Pairs) 2.49 min 154MB 5/19/2007 Rutgers WINLAB IAB Meeting 18

  19. Evaluation: POLEX Sensitivity Evaluation: POLEX Sensitivity Day 1 Day 2 Day 3 Day 4 Day 5 User 1 0.26% 0.03% 0.02% 0.01% 0.01% User 2 0.31% 4.4% 0.0% 3.3% 0.27% User 3 0.37% 0.36% 0.82% 2.5% 0.61% User 4 0.48% 1.8% 0.55% 0.66% 0.11% User 5 0.18% 0.28% 0.18% 0.34% 0.27% Average 0.32% 1.4% 0.31% 1.4% 0.27% 5/19/2007 Rutgers WINLAB IAB Meeting 19

  20. Evaluation: Speculation Rates Evaluation: Speculation Rates Average Min Max 1.4% 2.4% 0.028% • For Heavy Users (~500 rqst/day): Average Min Max 7 speculative rqst/day 12 speculative rqst/day >1 speculative rqst/day 5/19/2007 Rutgers WINLAB IAB Meeting 20

  21. Evaluation: POLEN Performance Microbenchmark Microbenchmark Evaluation: POLEN Performance 700 600 Response Latency (usec) 500 NFS-minimal 400 POLEN-minimal NFS-LAN 300 POLEN-LAN 200 100 0 getattr lookup access read write create NFS Operation 5/19/2007 Rutgers WINLAB IAB Meeting 21

  22. Contributions Contributions Add after slide 4 5/19/2007 Rutgers WINLAB IAB Meeting 22

  23. The POLEN Implementation The POLEN Implementation Add after slide 11 5/19/2007 Rutgers WINLAB IAB Meeting 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant OS trust and assurance University

303 views • 9 slides
Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a programming language that is not memory safe. Without memory safety, there is no way to guarantee separation of memory used by different program

413 views • 30 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is access control? Access control is the part of security that constrains the actions that are performed in a system based on access control rules .

1.4k views • 113 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
Modeling, Control, and Modeling, Control, and Reachability Analysis of Analysis of Reachability

Modeling, Control, and Modeling, Control, and Reachability Analysis of Analysis of Reachability

Modeling, Control, and Modeling, Control, and Reachability Analysis of Analysis of Reachability Discrete- -Time Hybrid Systems Time Hybrid Systems Discrete Alberto Bemporad Alberto Bempora Alberto Bempora Alberto Bemporad DISC Course on

753 views • 72 slides
Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline Source Code (API) Documentation 1 javadoc doxygen Other Tools Project Reports 2 Project Websites 3

435 views • 21 slides
Multiple Sensor Target Tracking: Basic Idea Iterative updating of conditional probability

Multiple Sensor Target Tracking: Basic Idea Iterative updating of conditional probability

Multiple Sensor Target Tracking: Basic Idea Iterative updating of conditional probability densities! kinematic target state x k at time t k , accumulated sensor data Z k a priori knowledge: target dynamics models, sensor model dynamics model p ( x

541 views • 25 slides
FY21 21 st Century Community Learning Centers Tracking and Monitoring System Training November

FY21 21 st Century Community Learning Centers Tracking and Monitoring System Training November

FY21 21 st Century Community Learning Centers Tracking and Monitoring System Training November 2020 Welcome and Overview Charmaine Davis-Bey, M.Ed., EdPsyc 21 st CCLC Education Program Specialist Compliance/Monitoring System Lead Regional

908 views • 63 slides
EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 7:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 7:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 7: Interrupts (2) September 23, 2014 Some slides prepared by Mark Brehob 1 Announcements Homework 2 due now. Homework 3 will be posted later

1k views • 41 slides
Spectral Sequence Training Montage, Day 1 Arun Debray and Richard Wong Summer Minicourses 2020

Spectral Sequence Training Montage, Day 1 Arun Debray and Richard Wong Summer Minicourses 2020

Motivations The Serre Spectral Sequence Spectral Sequence Training Montage, Day 1 Arun Debray and Richard Wong Summer Minicourses 2020 Slides, exercises, and video recordings can be found at https://web.ma.utexas.edu/SMC/2020/Resources.html

521 views • 26 slides
Runtime Behavior via Deep Sequence Learning Stephen Zekany Daniel Rings Nathan Harada Michael

Runtime Behavior via Deep Sequence Learning Stephen Zekany Daniel Rings Nathan Harada Michael

CrystalBall: Statically Analyzing Runtime Behavior via Deep Sequence Learning Stephen Zekany Daniel Rings Nathan Harada Michael A. Laurenzano Lingjia Tang Jason Mars Introduction Why analyze runtime behavior? How to analyze it for

494 views • 17 slides
Hidden Markov Models Training Selecting model parameters What we know The terminology and

Hidden Markov Models Training Selecting model parameters What we know The terminology and

Hidden Markov Models Training Selecting model parameters What we know The terminology and notation of hidden Markov models ( HMMs ) The forward- and backward-algorithms for determining the likelihood p ( X ) of a sequence of

1.02k views • 60 slides

More recommend