DOI: 10.1145/2613087.2613096
Research article

Hardware-enhanced distributed access enforcement for role-based access control

Published: 25 June 2014

Abstract

The protection of information in enterprise and cloud platforms is growing more important and complex with increasing numbers of users who need to access resources with distinct permissions. Role-based access control (RBAC) eases administrative complexity for large-scale access control, while a client-server model can ease performance bottlenecks by distributing access enforcement across multiple servers that consult the centralized access decision policy server as needed. In this paper, we propose a new approach to access enforcement using an existing associative array hardware data structure (HWDS) to cache authorizations in a distributed system using RBAC. This HWDS approach uses hardware that has previously been demonstrated as useful for several application domains, including access control, network packet routing, and generic comparison-based integer search algorithms. We reproduce experiments from prior work on distributed access enforcement for RBAC systems, and we design and conduct new experiments to evaluate HWDS-based access enforcement. Experimental data show that the HWDS cuts session initiation time by about a third compared to existing solutions, while achieving similar performance when authorizing access requests. These results suggest that distributed systems using RBAC could use HWDS-based access enforcement to increase session throughput or to decrease the number of access enforcement servers without losing performance.


Cited By

  • (2022) Poster: Toward Zero-Trust Path-Aware Access Control. Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, 10.1145/3532105.3535036, pp. 267-269. Online publication date: 7 June 2022.

Published In

SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies
June 2014, 234 pages
ISBN: 9781450329392
DOI: 10.1145/2613087
Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control
  2. enforcement
  3. hardware data structures

Acceptance Rates

  • SACMAT '14 paper acceptance rate: 17 of 58 submissions, 29%
  • Overall acceptance rate: 177 of 597 submissions, 30%

Article Metrics

  • Downloads (last 12 months): 4
  • Downloads (last 6 weeks): 0
  Reflects downloads up to 30 Aug 2024
