Many of today's applications are deployed on large-scale distributed infrastructures to handle large numbers of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies, such as history-based policies, one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.
Author(s):
Maarten Decat
iMinds-DistriNet, KU Leuven
Belgium
Bert Lagaisse
iMinds-DistriNet, KU Leuven
Belgium
Wouter Joosen
iMinds-DistriNet, KU Leuven
Belgium
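
The failure mode the abstract describes, as an added example that is not code from the paper or its authors: a history-based rule evaluated from stale attribute reads over-permits, while making read-decide-update atomic per subject does not. The policy (`LIMIT`), the subject name and the per-subject lock are assumptions made for illustration; the lock is plain serialization, not the concurrency control scheme the paper presents.

```python
import threading
from collections import defaultdict

LIMIT = 1  # constructed policy: each subject may be permitted at most LIMIT times


def decide(permits_so_far):
    """History-based rule: the decision depends on earlier Permit decisions."""
    return "Permit" if permits_so_far < LIMIT else "Deny"


def evaluate_stale(history, subject, n_requests):
    """Replay the unsafe interleaving: n evaluators all read the history
    attribute before any of them writes its update back."""
    snapshots = [history[subject] for _ in range(n_requests)]  # stale reads
    decisions = [decide(count) for count in snapshots]
    history[subject] += decisions.count("Permit")  # updates land too late
    return decisions


def evaluate_serialized(history, locks, subject, n_requests):
    """Run n real threads, but make read-decide-update atomic per subject."""
    decisions = []
    lock = locks[subject]  # created before the threads start

    def worker():
        with lock:  # only evaluations for the same subject contend
            decision = decide(history[subject])
            if decision == "Permit":
                history[subject] += 1
            decisions.append(decision)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return decisions


if __name__ == "__main__":
    stale = evaluate_stale(defaultdict(int), "alice", 4)
    safe = evaluate_serialized(defaultdict(int), defaultdict(threading.Lock), "alice", 4)
    print("stale reads:", stale.count("Permit"), "permits")
    print("serialized :", safe.count("Permit"), "permit(s)")
```

With four concurrent requests the stale-read path grants all four, which is the incorrect decision the abstract warns about; the serialized path grants exactly `LIMIT`.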