The Community for Technology Leaders
RSS Icon
Issue No.02 - February (2009 vol.20)
pp: 275-288
Matei Ripeanu , University of British Columbia, Vancouver
Konstantin Beznosov , University of British Columbia, Vancouver
As enterprise systems, Grids, and other distributed applications scale up and become increasingly complex, their authorization infrastructures--based predominantly on the request-response paradigm--are facing the challenges of fragility and poor scalability. We propose an approach where each application server recycles previously received authorizations and shares them with other application servers to mask authorization server failures and network delays. This paper presents the design of our cooperative secondary authorization recycling system and its evaluation using simulation and prototype implementation. The results demonstrate that our approach improves the availability and performance of authorization infrastructures. Specifically, by sharing authorizations, the cache hit rate--an indirect metric of availability--can reach 70 percent, even when only 10 percent of authorizations are cached. Depending on the deployment scenario, the average time for authorizing an application request can be reduced by up to a factor of two compared with systems that do not employ cooperation.
Access control, authorization recycling, cooperative secondary authorization recycling, cooperation.
Matei Ripeanu, Konstantin Beznosov, "Cooperative Secondary Authorization Recycling", IEEE Transactions on Parallel & Distributed Systems, vol.20, no. 2, pp. 275-288, February 2009, doi:10.1109/TPDS.2008.80
[1] G. Karjoth, “Access Control with IBM Tivoli Access Manager,” ACM Trans. Information and Systems Security, vol. 6, no. 2, pp. 232-257, 2003.
[2] Entrust, “GetAccess Design and Administration Guide,” technical report, Entrust, Sept. 1999.
[3] Netegrity, “Siteminder Concepts Guide,” technical report, Netegrity, 2000.
[4] OMG, Common Object Services Specification, Security Service Specification V1.8, 2002.
[5] L.G. DeMichiel, L.Ü. Yalçinalp, and S. Krishnan, Enterprise JavaBeans Specification Version 2.0, Sun Microsystems, 2001.
[6] B. Johnson, “An Introduction to the Design and Analysis of Fault-Tolerant Systems,” Fault-Tolerant Computer System Design. pp. 1-87, Prentice Hall, 1996.
[7] Z. Kalbarczyk, R.K. Lyer, and L. Wang, “Application Fault Tolerance with Armor Middleware,” IEEE Internet Computing, vol. 9, no. 2, pp. 28-38, 2005.
[8] W. Vogels, “How Wrong Can You Be? Getting Lost on the Road to Massive Scalability,” Proc. Fifth Int'l Middleware Conf. (Middleware '04), keynote address, Oct. 2004.
[9] P. Strong, “How eBay Scales with Networks and the Challenges,” Proc. 16th IEEE Int'l Symp. High-Performance Distributed Computing (HPDC '07), invited talk, 2007.
[10] V. Nicomette and Y. Deswarte, “An Authorization Scheme for Distributed Object Systems,” Proc. IEEE Symp. Security and Privacy (S&P '97), pp. 21-30, 1997.
[11] J. Crampton, W. Leung, and K. Beznosov, “Secondary and Approximate Authorizations Model and Its Application to Bell-LaPadula Policies,” Proc. 11th ACM Symp. Access Control Models and Technologies (SACMAT '06), pp. 111-120, June 2006.
[12] D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Mathematical Foundations,” Technical Report ESD-TR-74-244, MITRE, Mar. 1973.
[13] E.A. Brewer, “Towards Robust Distributed Systems,” Proc. ACM Symp. Principles of Distributed Computing (PODC '00), invited talk, 2000.
[14] S. Gilbert and N. Lynch, “Brewer's Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services,” SIGACT News, vol. 33, no. 2, pp. 51-59, 2002.
[15] L. Fan, P. Cao, J. Almeida, and A.Z. Broder, “Summary Cache: AScalable Wide-Area Web Cache Sharing Protocol,” IEEE/ACM Trans. Networking, vol. 8, no. 3, pp. 281-293, 2000.
[16] XACML, OASIS eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS Standard, Feb. 2005.
[17] L. Breslau, P. Cao, L. Fan, G. Phillips, and S. Shenker, “Web Caching and Zipf-Like Distributions: Evidence and Implications,” Proc. IEEE INFOCOM '99, pp. 126-134, 1999.
[18] TPC-W: Transactional Web Benchmark Version 1.8, http://www.tpc.orgtpcw/, 2002.
[19] Q. Wei, M. Ripeanu, and K. Beznosov, “Cooperative Secondary Authorization Recycling,” Technical Report LERSSE-TR-2008-02, Laboratory for Education and Research in Secure Systems Eng., Univ. of British Columbia, Apr. 2008.
[20] L. Bauer, S. Garriss, and M.K. Reiter, “Distributed Proving in Access-Control Systems,” Proc. IEEE Symp. Security and Privacy (S&P '05), pp. 81-95, 2005.
[21] K. Borders, X. Zhao, and A. Prakash, “CPOL: High-Performance Policy Evaluation,” Proc. 12th ACM Conf. Computer and Comm. Security (CCS '05), pp. 147-157, 2005.
[22] K. Beznosov, “Flooding and Recycling Authorizations,” Proc. New Security Paradigms Workshop (NSPW '05), pp. 67-72, Sept. 2005.
[23] K. Beznosov, Y. Deng, B. Blakley, C. Burt, and J. Barkley, “A Resource Access Decision Service for CORBA-Based Distributed Systems,” Proc. Ann. Computer Security Applications Conf. (ACSAC '99), pp. 310-319, 1999.
[24] G.H. Stowe, “A Secure Network Node Approach to the Policy Decision Point in Distributed Access Control,” technical report, Computer Science, Dartmouth College, June 2004.
[25] P.J. Mazzuca, “Access Control in a Distributed Decentralized Network: An XML Approach to Network Security Using XACML and SAML,” technical report, Computer Science, Dartmouth College, Spring 2004.
[26] M. Locasto, S. Sidiroglou, and A.D. Keromytis, “Software Self-Healing Using Collaborative Application Communities,” Proc. Network and Distributed System Security Symp. (NDSS '06), pp. 95-106, 2006.
[27] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham, “Vigilante: End-to-End Containment of Internet Worms,” Proc. ACM Symp. Operating Systems Principles (SOSP), 2005.
[28] J. Wang, “A Survey of Web Caching Schemes for the Internet,” SIGCOMM Computer Comm. Rev., vol. 29, no. 5, pp. 36-46, 1999.
17 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool