LERSSE-REPORT-2006-017 |
Kyle Zeeuwen ; Konstantin Beznosov
21 July 2006
Abstract: Request response access control systems that use Policy Decision Points have their reliability and latency bounded by network communication. We propose the use of a secondary decision point that combines previously computed authorizations with knowledge of the security model to infer the result of authorization requests. We demonstrate that this approximate recycling approach increases the reliability of a system to a greater extent than existing precise authorization recycling solutions. A simulation is described that compares system reliability while using both precise recycling and approximate recycling in a system that uses the Bell LaPadula model. Results show that an approximate recycling component is a much as 28\% more likely to produce a valid response than a precise recycling component. It is also shown that increasing the number of subjects and objects managed by a system increases the hit rate improvement offered by approximate recycling, that the ratio between subjects and objects in the system affects the behavior of an approximate recycling component, and that the use of narrower Bell LaPadula security lattices result in greater hit rate gains than wider lattices under the same circumstances.
Keyword(s): SAAM ; BLP ; Bell LaPadula ; SDP ; Simulation
Published in: Kyle Zeeuwen, Konstantin Beznosov, "Evaluation of SAAM_BLP" LERSSE Technical Report LERSSE-TR-2006-01, July 21, 2006.:
The record appears in these collections:
Technical Reports