Constructing cascade bloom filters for efficient access enforcement

Abstract We address access enforcement — the process of determining whether a request for access to a resource by a principal should be granted. While access enforcement is essential to security, it must not unduly impact performance. Consequently, we address the issue of time- and space-efficient access enforcement, and in particular, study a particular data structure, the Cascade Bloom filter, in this context. The Cascade Bloom filter is a generalization of the well-known Bloom filter, which is used for time- and space-efficient membership-checking in a set, while allowing for a non-zero probability of false positives. We consider the problems, in practice, of constructing Bloom, and Cascade Bloom filters, with our particular application, access enforcement, in mind. We identify the computational complexity of the underlying problems, and propose concrete algorithms to construct instances of the data structures. We have implemented our algorithms, and conducted empirical assessments, which also we discuss in this paper. Our code is available for public download. As such, our work is a contribution to efficient access enforcement.

[1]  Mohammed Alreshoodi,et al.  Toward secure packet delivery in future internet communications , 2018, 2018 IEEE International Conference on Consumer Electronics (ICCE).

[2]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[3]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[4]  Stephen A. Cook,et al.  The complexity of theorem-proving procedures , 1971, STOC.

[5]  Michael Mitzenmacher,et al.  Compressed bloom filters , 2002, TNET.

[6]  Yanhong A. Liu,et al.  Core role-based access control: efficient implementations by transformations , 2006, PEPM '06.

[7]  Marko Komlenovic,et al.  An empirical assessment of approaches to distributed enforcement in role-based access control (RBAC) , 2011, CODASPY '11.

[8]  Sanjay Kumar Singh,et al.  Providing robust security measures to Bloom filter based biometric template protection schemes , 2017, Comput. Secur..

[9]  Nima Mousavi,et al.  Mitigating the Intractability of the User Authorization Query Problem in Role-Based Access Control (RBAC) , 2012, NSS.

[10]  Ju Wan Kim,et al.  A whitelist-based countermeasure scheme using a Bloom filter against SIP flooding attacks , 2013, Comput. Secur..

[11]  Zhiwei Xu,et al.  Towards efficient detection of sybil attacks in location-based social networks , 2017, 2017 IEEE Symposium Series on Computational Intelligence (SSCI).

[12]  Christoph Busch,et al.  Cancelable multi-biometrics: Mixing iris-codes based on adaptive bloom filters , 2014, Comput. Secur..

[13]  Bogdan Carbunar,et al.  Efficient access enforcement in distributed role-based access control (RBAC) deployments , 2009, SACMAT '09.

[14]  Kevin Borders,et al.  CPOL: high-performance policy evaluation , 2005, CCS '05.

[15]  Marek Klonowski,et al.  Light-weight and secure aggregation protocols based on Bloom filters✰ , 2018, Comput. Secur..

[16]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[17]  Shuhui Chen,et al.  Multiple Bloom filters , 2017, ICNCC 2017.

[18]  Bernard Chazelle,et al.  The Bloomier filter: an efficient data structure for static support lookup tables , 2004, SODA '04.

[19]  Jason Crampton,et al.  Authorization recycling in RBAC systems , 2008, SACMAT '08.

[20]  Yossi Matias,et al.  Spectral bloom filters , 2003, SIGMOD '03.

[21]  Carsten Sinz,et al.  Towards an Optimal CNF Encoding of Boolean Cardinality Constraints , 2005, CP.