1. Recycling Authorizations: Toward Secondary and Approximate Authorizations Model (SAAM)
Konstantin Beznosov
Laboratory for Education and Research in Secure Systems Engineering
lersse.ece.ubc.ca
Copyright © 2005 Konstantin Beznosov

2. outline the problem the approach summary context target environment
limitations of point-to-point architectures
the approach
summary

3. Copyright © 2005 Konstantin Beznosov
the problem
Copyright © 2005 Konstantin Beznosov

4. context processor time virtually free human time/attention expensive
commodity computing most cost-effective

5. target environments with 0.5M of commodity computing systems
M application instances
with MTTF of 1 year
1,300--4,000 fail every day
with availability of 99.9%
500--1,500 unavailable at any given moment

6. request-response paradigm
Application space
Application
Object
Decision Function
Enforcement Function
“Middleware” Space
Security Subsystem
Enforcement Function
Access
Request

7. enables decision function reuseEF EF EF EF DF EF EF EF EF

8. results in point-to-point architecturesEF EF EF EF
policy engine EF EF
policy engine EF
policy engine
policy engine EF
policy engine EF EF
fragile
policy engine EF EF
policy engine DF EF EF EF EF
policy engine
policy engine EF
policy engine EF
policy engine
policy engine EF
policy engine EF
policy engine EF
policy engine DF EF
inefficient EF EF EF EF
policy engine
policy engine EF EF
policy engine EF
policy engine EF
policy engine
policy engine
policy engine EF EF DF EF

9. the problem addressed
point-to-point authorization architectures at massive scale
become too fragile, requiring costly human attention, and
fail to reduce latency by exploiting the virtually free CPU resources and high network bandwidth

10. Copyright © 2005 Konstantin Beznosov
the approach
Copyright © 2005 Konstantin Beznosov

11. ideas for addressing the problem
decouple EF from DF with publish-subscribe architecture(s)
recycle policy decisions

12. publish-subscribe for policy decisions
policy engine
policy engine
policy engine
policy engine
policy engine
policy engine
policy engine DF
policy engine
policy engine
Two-way request/response bus
policy engine
policy engine
policy engine
policy engine
policy engine
policy engine DF
policy engine
less fragile
more resilient to failures
allows speculative authorizations
promotes authorization recycling
policy engine
policy engine
policy engine
policy engine
policy engine
policy engine DF

13. requests and authorizations
request r = <s, o, p, e, i>
s -- subject
o -- object
p -- permission
e -- environment
i -- request identity
authorization a = <r, d>
r -- request
d -- decision

14. recycling authorizations
secondary authorizations
re-using decisions made for other, but equivalent, requests
example <s1,o1, p1, e1, i1> <s1,o1, p1, e1, i2>
approximate authorizations
re-using decisions made for other, but similar, requests
examples
<s1,o1, p1, e1, i1> <s3,o1, p1, e1, i2> s1 ≥ s2
<s1,o1, p1, e1, i1> <s2,o2, p1, e1, i2> o1 ≤ o2
<s1,o1, p1, e1, i1> <s2,o1, p2, e1, i2> p1 ≤ p2

15. summary problem approach context and assumptions target environments
human time/attention is too expensive
CPU resources are virtually free
commodity computing is most cost effective
target environments
massive-scale enterprises with 105 machines
limitations of point-to-point architectures
too fragile and high latency
approach
decouple EF and DF with publish-subscribe
authorization (flooding and) recycling
secondary and approximate authorization model (SAAM)