ACM CCS 2005 CPOL: High-Performance Policy Evaluation Kevin Borders Xin Zhao Atul Prakash University of Michigan.

Presentation transcript:


Overview
  Motivation: Why High-Performance?
  Current Solutions
  CPOL Design
  Evaluation of CPOL vs. Other Solutions
  Conclusion and Future Work

Motivation: Why High-Performance?
  Applications are emerging that require high-throughput policy evaluation
    – Example: Enforcing privacy policies for location-aware services
        Large number of subscribers
        Alice may want to give Bob access to her location only Monday through Friday 9 AM – 5 PM when she is in the computer science building
    – Example: Text messaging
        Control who can send you information depending on the time and your location

Current Policy Evaluation Solutions
  KeyNote Trust Management System
    – Delegation chains are used to grant trust
    – Not designed with performance in mind – very slow
  SQL Database
    – More scalable than KeyNote, but throughput is still not good enough – approx queries/second

CPOL Design Goals
  Have expressiveness comparable to KeyNote
    – Express almost everything KeyNote can and some things that KeyNote cannot
  Be able to handle a large volume of requests on a single machine
    – Hundreds of thousands of requests/second

CPOL Policies
  CPOL Policy Fields
    Owner: The owner is the entity whose resources are controlled by this rule.
    Licensee(s): The licensee is the entity or group that will receive privileges.
    Access token: The access token contains information about the rights assigned by this rule.
    Condition: CPOL verifies that the condition is true before granting the access token to the licensee(s).
  Sample Policy
    Owner: Alice
    Licensee: Bob
    AccessToken {
        LocationResolution = RoomLevel
        IdentityResolution = Name
        DelegationPrivileges = None
    }
    Condition {
        AfterTime = 9 AM
        BeforeTime = 5 PM
        InBuilding = {Library, CS}
        NotInRoom = {ConferenceRoom 1010 CS}
    }

CPOL Design Overview
  CPOL takes advantage of the trend that the domain of policies for a particular application is usually fairly small
    – Instead of presenting a highly expressive interface at runtime, restrict the domain of policies at compile-time
        Define access token and condition objects
  CPOL also exploits caching to improve performance

Defining CPOL for an Application
  Access Token
    – Define data members
    – Define Boolean AddAccess(newToken) – does this token have sufficient delegation privileges to add a new rule with newToken?
  Condition
    – Define data members
    – Define Boolean Test(state) – is the condition true given an input state?

Caching
  Correct invalidation is done using cache conditions
    – Cache Condition = Sum(Conditions)
    – Cache Condition is more compact than condition
        Example: Calculate time-to-live and highest resolution of location conditions
    – Invalidated when Boolean StillGood(oldState, newState) is false
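The following sketch is an example added here, not code from the CPOL authors: it shows a condition object with Test(state) fixed at compile time, and a cached decision guarded by a cache condition whose StillGood(oldState, newState) check invalidates the entry. State, Rule, Engine, Query, the integer token (standing in for the access token object) and the one-condition-per-rule layout are all assumptions made for illustration.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical names throughout; this is not CPOL's source or API.
struct State { int minute; std::string building, room; };  // minute = minutes since midnight

struct Condition {                       // fields fixed at compile time for this application
    int after, before; std::string building;   // empty building = anywhere
    bool Test(const State& s) const {
        return s.minute >= after && s.minute < before &&
               (building.empty() || s.building == building);
    }
};
struct Rule { std::string owner, licensee; int token; Condition cond; };

struct CacheCondition {                  // compact summary of the condition that matched
    int validUntil; bool buildingLevel;  // time-to-live and location resolution
    bool StillGood(const State& o, const State& n) const {
        return n.minute >= o.minute && n.minute < validUntil &&
               (!buildingLevel || n.building == o.building);
    }
};
struct CacheEntry { int token; State seen; CacheCondition cc; };

class Engine {
    std::vector<Rule> rules_;
    std::map<std::pair<std::string, std::string>, CacheEntry> cache_;
public:
    int evaluations = 0;                 // counts full rule scans (cache misses)
    void Add(const Rule& r) { rules_.push_back(r); }
    // s is the owner's current state; returns the granted token, or 0 for no access.
    int Query(const std::string& owner, const std::string& who, const State& s) {
        std::pair<std::string, std::string> key(owner, who);
        auto it = cache_.find(key);
        if (it != cache_.end()) {
            if (it->second.cc.StillGood(it->second.seen, s)) return it->second.token;
            cache_.erase(it);            // stale: fall through and re-evaluate
        }
        ++evaluations;
        for (const Rule& r : rules_)
            if (r.owner == owner && r.licensee == who && r.cond.Test(s)) {
                CacheEntry e{r.token, s, CacheCondition{r.cond.before, !r.cond.building.empty()}};
                cache_[key] = e;
                return r.token;
            }
        return 0;                        // default deny; denials are not cached here
    }
};
```

A room change inside the same building is served from the cache, while leaving the building or passing the rule's end time forces a fresh evaluation, so a stale grant is never returned.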

Testing Methodology
  CPOL, KeyNote, and a MySQL database were all set up to evaluate privacy policies
  Three experiments
    – Single request processing time (CPOL, KeyNote, MySQL)
    – Memory consumption (CPOL)
    – Simulated privacy request workload in a university environment (CPOL, MySQL)

Single Request Processing Time
  CPOL and MySQL have O(1) processing time with respect to number of policies
  KeyNote takes much longer to evaluate one policy with more policies in the system

Memory Usage
  Important because CPOL is an in-memory system
  Memory usage is per user, role, role membership, policy (rule), and cache entry
  CPOL can store information for approximately 500,000 users with a 2,000,000 entry cache in 500 MB of memory

Simulated Privacy Workload
  Movement data was generated using a custom schedule-based generator for different numbers of users
  Users’ privacy policies were created using information collected by surveying 30 potential users
  Varying update frequency from one to thirty seconds

Future Work
  Distribute CPOL over multiple servers to further enhance scalability
    – Minimize state replication between servers
  Deploy CPOL in a real location-aware environment
    – New computer science building at University of Michigan will use CPOL for privacy policy enforcement
  Use CPOL in other application domains such as mobile messaging

Conclusion
  Applications are emerging that require high-performance policy evaluation
  Current solutions (KeyNote and database server) are not efficient enough to handle a large workload
  CPOL takes advantage of caching and compiled object attributes to deliver better performance
  With 500 users and 5000 policies, CPOL is five to six orders of magnitude faster than KeyNote and two to three orders of magnitude faster than a MySQL implementation, depending on cache hit rate

Questions?
  Please contact me if you wish to obtain source code for CPOL or for the schedule-based movement generator – source code will be available online soon!