The Design and Demonstration of an Actor-Based, Application-Aware Access Control Evaluation Framework

TL;DR

This paper introduces an application-aware framework for evaluating access control schemes, focusing on their suitability for specific workloads through formal analysis and cost assessment, with practical validation on messaging workloads.

Contribution

It formalizes the suitability analysis problem, develops a mathematical framework, and identifies auxiliary machines to enhance scheme expressiveness without compromising safety.

Findings

Framework effectively assesses scheme suitability and costs.

Formal analysis demonstrates efficiency and accuracy.

Auxiliary machines improve expressiveness safely.

Abstract

To date, most work regarding the formal analysis of access control schemes has focused on quantifying and comparing the expressive power of a set of schemes. Although expressive power is important, it is a property that exists in an absolute sense, detached from the application-specific context within which an access control scheme will ultimately be deployed. In this paper, by contrast, we formalize the access control suitability analysis problem, which seeks to evaluate the degree to which a set of candidate access control schemes can meet the needs of an application-specific workload. This process involves both reductions to assess whether a scheme is capable of implementing a workload, as well as cost analysis using ordered measures to quantify the overheads of using each candidate scheme to service the workload. We develop a mathematical framework for analyzing instances of the suitability analysis problem, and evaluate this framework both formally (by quantifying its efficiency and accuracy properties) and practically (by exploring a group-based messaging workload from the literature). An ancillary contribution of our work is the identification of auxiliary machines, which are a useful class of modifications that can be made to enhance the expressive power of an access control scheme without negatively impacting the safety properties of the scheme.