Rule Dependencies in Access Control Lists
Authors
Abstract
This paper considers the effects of dependencies between rules in Access Control Lists (ACLs). Dependent rules may not be reordered in an ACL if the policies of the list are to be preserved. This is an obstacle to the optimisation of rule order intended to reduce the time taken matching packets against rules. In this paper, the concept of rule dependency is defined in relation to the problem of minimising processing latency. The concepts of dependence and possible dependence are introduced and the relationship between them considered. Two measures of dependency, the dependency index and the fragmented dependency index, are defined and formulated, and an upper bound for each is derived. Examples of real-world ACLs are studied and the implications for practical optimisation discussed.
Similar resources
Access Control Policy Analysis and Visualization Tools for Security Professionals
Managing large sets of access-control rules is a complex task for security administrators. Each addition, deletion or modification of a rule causes many potential and unknown side effects ranging from rule conflicts to security breaches. Security researchers have attempted to alleviate this problem by proposing algorithms and tools which analyze lists of rules and provide administrators with th...
Performance Characteristics of BDD-Based
Packet filters are security devices that connect multiple packet-based networks and provide access control between them. The security policy enforced by a packet filter is specified as a set of rules, called an access list, that describes what types of network packets should be allowed to pass from one network to another, and what types should be discarded. These rules are expressed in terms of...
Towards Formal Semantics for ODRL Policies
Most policy-based access control frameworks explicitly model whether execution of certain actions (read, write, etc.) on certain assets should be permitted or denied and usually assume that such actions are disjoint from each other, i.e. there does not exist any explicit or implicit dependency between actions of the domain. This in turn means, that conflicts among rules or policies can only occ...
Modelling And Inferring On Role-Based Access Control Policies Using Data Dependencies
Role-based access control (RBAC) models are becoming a de facto standard, greatly simplifying management and administration tasks. Organizational constraints were introduced (e.g.: mutually exclusive roles, cardinality, prerequisite roles) to reflect peculiarities of organizations. Thus, the number of rules is increasing and policies are becoming more and more complex: understanding and analyzi...
Modeling and Inferring on Role-Based Access Control Policies Using Data Dependencies
Role-Based Access Control (RBAC) models are becoming a de facto standard, greatly simplifying management and administration tasks. Organizational constraints were introduced (e.g.: mutually exclusive roles, cardinality, prerequisite roles) to reflect peculiarities of organizations. Thus, the number of rules is increasing and policies are becoming more and more complex: understanding and analyzi...