Recycling Authorizations: Toward Secondary and Approximate Authorizations Model (SAAM)
Konstantin Beznosov
Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca)
Copyright © 2005 Konstantin Beznosov
outline
  - the problem
      - context
      - target environment
      - limitations of point-to-point architectures
  - the approach
  - summary
the problem
context
  - processor time: virtually free
  - human time/attention: expensive
  - commodity computing: most cost-effective
target environments
  - 0.5M commodity computing systems
  - 0.5--1.5M application instances
  - with MTTF of 1 year: 1,300--4,000 fail every day
  - with availability of 99.9%: 500--1,500 unavailable at any given moment
request-response paradigm
  [figure: an Application Object in the application space issues an access request; the Enforcement Function (EF) in the "middleware" space forwards it to the Decision Function (DF) of the Security Subsystem, which returns the decision to the EF]
enables decision function reuse
  [figure: many enforcement functions (EF) sharing a single decision function (DF)]
results in point-to-point architectures
  [figure: many EFs, each wired point-to-point to the policy engines behind several DFs; labelled "fragile" and "inefficient"]
the problem addressed
  - point-to-point authorization architectures at massive scale become too fragile, requiring costly human attention
  - they also fail to reduce latency by exploiting the virtually free CPU resources and high network bandwidth
the approach
ideas for addressing the problem
  - decouple EF from DF with publish-subscribe architecture(s)
  - recycle policy decisions
publish-subscribe for policy decisions
  [figure: EFs and DFs (each DF backed by a policy engine) attached to a two-way request/response bus instead of point-to-point links]
  - less fragile
  - more resilient to failures
  - allows speculative authorizations
  - promotes authorization recycling
requests and authorizations
  request r = <s, o, p, e, i>
    s -- subject
    o -- object
    p -- permission
    e -- environment
    i -- request identity
  authorization a = <r, d>
    r -- request
    d -- decision
recycling authorizations
  secondary authorizations: re-using decisions made for other, but equivalent, requests
    example: <s1, o1, p1, e1, i1> and <s1, o1, p1, e1, i2>
  approximate authorizations: re-using decisions made for other, but similar, requests
    examples:
      <s1, o1, p1, e1, i1> and <s3, o1, p1, e1, i2>, where s1 ≥ s2
      <s1, o1, p1, e1, i1> and <s2, o2, p1, e1, i2>, where o1 ≤ o2
      <s1, o1, p1, e1, i1> and <s2, o1, p2, e1, i2>, where p1 ≤ p2
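The following is an added example, not code from the talk, of an enforcement function that recycles cached authorizations <r, d> as described above: a secondary authorization when only the request identity i differs, and an approximate one when the cached request dominates (for an allow) or is dominated by (for a deny) the new request in the subject, object and permission orders. The level tables, the stand-in policy engine pdp() and the class and function names are assumptions made for the example.

```python
from typing import NamedTuple, Optional

class Request(NamedTuple):
    s: str  # subject
    o: str  # object
    p: str  # permission
    e: str  # environment
    i: int  # request identity

# Constructed partial orders (assumptions, not from the talk): subjects and
# objects ranked by clearance/sensitivity; "write" dominates "read".
SUBJECT_LEVEL = {"alice": 3, "bob": 2, "carol": 1}
OBJECT_LEVEL = {"public.txt": 1, "internal.doc": 2, "secret.db": 3}
PERM_LEVEL = {"read": 1, "write": 2}

def pdp(r: Request) -> bool:
    """Stand-in policy engine (the DF); monotone in the three orders."""
    return SUBJECT_LEVEL[r.s] >= OBJECT_LEVEL[r.o] + PERM_LEVEL[r.p] - 1

class RecyclingEF:
    """Enforcement function that recycles authorizations <r, d>."""
    def __init__(self):
        self.auths = []             # cached authorizations as (r, d)
        self.pdp_calls = 0          # how often the DF was actually consulted

    def recycle(self, r: Request) -> Optional[bool]:
        for c, d in self.auths:
            if c.e != r.e:          # environment must match exactly
                continue
            if (c.s, c.o, c.p) == (r.s, r.o, r.p):
                return d            # secondary: same request, new identity i
            ds = SUBJECT_LEVEL[r.s] - SUBJECT_LEVEL[c.s]
            do = OBJECT_LEVEL[r.o] - OBJECT_LEVEL[c.o]
            dp = PERM_LEVEL[r.p] - PERM_LEVEL[c.p]
            # approximate allow: r.s >= c.s, r.o <= c.o, r.p <= c.p
            if d and ds >= 0 and do <= 0 and dp <= 0:
                return True
            # approximate deny: r.s <= c.s, r.o >= c.o, r.p >= c.p
            if not d and ds <= 0 and do >= 0 and dp >= 0:
                return False
        return None                 # nothing recyclable

    def authorize(self, r: Request) -> bool:
        d = self.recycle(r)
        if d is None:               # cache miss: ask the DF and keep <r, d>
            self.pdp_calls += 1
            d = pdp(r)
            self.auths.append((r, d))
        return d
```

Because pdp() is monotone in the same orders, every recycled decision here agrees with what the policy engine would have returned; with a policy that is not monotone, approximate recycling would have to be restricted to the orders the policy actually respects.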
summary
  problem
    context and assumptions
      - human time/attention is too expensive
      - CPU resources are virtually free
      - commodity computing is most cost effective
    target environments
      - massive-scale enterprises with 10^5 machines
    limitations of point-to-point architectures
      - too fragile and high latency
  approach
    - decouple EF and DF with publish-subscribe
    - authorization (flooding and) recycling
    - secondary and approximate authorization model (SAAM)