{"title":"Dominator-tree analysis for distributed authorization","authors":"M. Mowbray, A. Lain","doi":"10.1145/1375696.1375709","DOIUrl":null,"url":null,"abstract":"Practical analysis tools for distributed authorization need to answer quickly and accurately the question: who can access this resource? DAP (Delegation with Acyclic Paths) is a distributed authorization framework (introduced in [17]) that tries to inter-operate better with standard PKI mechanisms while retaining some of the benefits of new trust management schemes. DAP has an acyclicity requirement which makes it more difficult to answer the question quickly. In this paper we use a technique borrowed from compiler optimization, dominator-tree problem decomposition, to overcome this limitation of DAP with a fast heuristic. We show through simulation the heuristic's performance in a realistic federated resource management scenario.\n We also show how this heuristic can be complemented by clone-analysis techniques that exploit similarities between principals to further improve performance. We are currently using the heuristic and clone-analysis in practice in a design/analysis security tool.","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"2015 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-06-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Workshop on Programming Languages and Analysis for Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1375696.1375709","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 3
Abstract
Practical analysis tools for distributed authorization need to answer quickly and accurately the question: who can access this resource? DAP (Delegation with Acyclic Paths) is a distributed authorization framework (introduced in [17]) that tries to inter-operate better with standard PKI mechanisms while retaining some of the benefits of new trust management schemes. DAP has an acyclicity requirement which makes it more difficult to answer the question quickly. In this paper we use a technique borrowed from compiler optimization, dominator-tree problem decomposition, to overcome this limitation of DAP with a fast heuristic. We show through simulation the heuristic's performance in a realistic federated resource management scenario.
We also show how this heuristic can be complemented by clone-analysis techniques that exploit similarities between principals to further improve performance. We are currently using the heuristic and clone-analysis in practice in a design/analysis security tool.
用于分布式授权的实用分析工具需要快速准确地回答以下问题:谁可以访问此资源?DAP (Delegation with Acyclic Paths)是一种分布式授权框架(在[17]中引入),它试图与标准PKI机制更好地互操作,同时保留了新信任管理方案的一些好处。DAP具有非周期性要求,这使得快速回答问题变得更加困难。本文借用编译器优化中的一种技术,即支配树问题分解,通过快速的启发式方法来克服DAP的这一局限性。我们通过模拟在现实的联邦资源管理场景中展示了启发式算法的性能。我们还展示了如何利用克隆分析技术来补充这种启发式方法,克隆分析技术利用主体之间的相似性来进一步提高性能。我们目前在设计/分析安全工具中实际使用启发式和克隆分析。
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
