{"title":"带隐子树的分布式证明的一致性","authors":"Adam J. Lee, Kazuhiro Minami, M. Winslett","doi":"10.1145/1805974.1805981","DOIUrl":null,"url":null,"abstract":"Previous work has shown that distributed authorization systems that fail to sample a consistent snapshot of the underlying system during policy evaluation are vulnerable to a number of attacks. Unfortuantely, the consistency enforcement solutions presented in previous work were designed for systems in which only CA-certified evidence is used during the decision-making process, all of which is available to the decision-making node at runtime. In this article, we generalize previous results and present light-weight mechanisms through which consistency constraints can be enforced in proof systems in which the full details of a proof may be unavailable to the querier due to information release policies, and the existence of certificate authorities for certifying evidence is unlikely; these types of distributed proof systems are likely candidates for use in pervasive computing and sensor network environments. We present modifications to one such distributed proof system that enable three types of consistency constraints to be enforced while still respecting the same confidentiality and integrity policies as the original proof system. We then discuss how these techniques can be adapted and applied to other, less restrictive, distributed proof systems. Further, we detail a performance analysis that illustrates the modest overheads of our consistency enforcement schemes.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"17 1","pages":"25:1-25:32"},"PeriodicalIF":0.0000,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"On the consistency of distributed proofs with hidden subtrees\",\"authors\":\"Adam J. Lee, Kazuhiro Minami, M. Winslett\",\"doi\":\"10.1145/1805974.1805981\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Previous work has shown that distributed authorization systems that fail to sample a consistent snapshot of the underlying system during policy evaluation are vulnerable to a number of attacks. Unfortuantely, the consistency enforcement solutions presented in previous work were designed for systems in which only CA-certified evidence is used during the decision-making process, all of which is available to the decision-making node at runtime. In this article, we generalize previous results and present light-weight mechanisms through which consistency constraints can be enforced in proof systems in which the full details of a proof may be unavailable to the querier due to information release policies, and the existence of certificate authorities for certifying evidence is unlikely; these types of distributed proof systems are likely candidates for use in pervasive computing and sensor network environments. We present modifications to one such distributed proof system that enable three types of consistency constraints to be enforced while still respecting the same confidentiality and integrity policies as the original proof system. We then discuss how these techniques can be adapted and applied to other, less restrictive, distributed proof systems. Further, we detail a performance analysis that illustrates the modest overheads of our consistency enforcement schemes.\",\"PeriodicalId\":50912,\"journal\":{\"name\":\"ACM Transactions on Information and System Security\",\"volume\":\"17 1\",\"pages\":\"25:1-25:32\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2010-07-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Transactions on Information and System Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/1805974.1805981\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q\",\"JCRName\":\"Engineering\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1805974.1805981","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}
On the consistency of distributed proofs with hidden subtrees
Previous work has shown that distributed authorization systems that fail to sample a consistent snapshot of the underlying system during policy evaluation are vulnerable to a number of attacks. Unfortuantely, the consistency enforcement solutions presented in previous work were designed for systems in which only CA-certified evidence is used during the decision-making process, all of which is available to the decision-making node at runtime. In this article, we generalize previous results and present light-weight mechanisms through which consistency constraints can be enforced in proof systems in which the full details of a proof may be unavailable to the querier due to information release policies, and the existence of certificate authorities for certifying evidence is unlikely; these types of distributed proof systems are likely candidates for use in pervasive computing and sensor network environments. We present modifications to one such distributed proof system that enable three types of consistency constraints to be enforced while still respecting the same confidentiality and integrity policies as the original proof system. We then discuss how these techniques can be adapted and applied to other, less restrictive, distributed proof systems. Further, we detail a performance analysis that illustrates the modest overheads of our consistency enforcement schemes.
期刊介绍:
ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.