ACM CCS 2005 CPOL: High-Performance Policy Evaluation Kevin Borders Xin Zhao Atul Prakash University of Michigan


Page 1

ACM CCS 2005

CPOL: High-Performance Policy Evaluation

Kevin Borders

Xin Zhao

Atul Prakash

University of Michigan

Page 2

Overview

• Motivation: Why High-Performance?

• Current Solutions

• CPOL Design

• Evaluation of CPOL vs. Other Solutions

• Conclusion and Future Work

Page 3

Motivation: Why High-Performance?

• Applications are emerging that require high-throughput policy evaluation
  – Example: Enforcing privacy policies for location-aware services
    • Large number of subscribers
    • Alice may want to give Bob access to her location only Monday through Friday 9 AM – 5 PM when she is in the computer science building
  – Example: Text messaging
    • Control who can send you information depending on the time and your location

Page 4

Current Policy Evaluation Solutions

• KeyNote Trust Management System
  – Delegation chains are used to grant trust
  – Not designed with performance in mind – very slow
• SQL Database
  – More scalable than KeyNote, but throughput is still not good enough – approx. 2000 queries/second

Kevin: Originally designed for distributed policy enforcement, KeyNote is inefficient when evaluating a large number of policies in a central location.
Kevin: One problem with KeyNote is that you cannot prevent someone from delegating permissions that they have to others. For example, Alice may want to give Bob access to her information, but she may not want Bob to give others that same level of access.
Kevin: Think about handling requests from 1000 active users. They may query the locations of up to 50 friends at the same time, and may make these queries every second. An SQL server running on one computer would probably break down after much more than 100 users.
Kevin: Just how slow? We will see later on in the performance evaluation section.
Page 5

CPOL Design Goals

• Have expressiveness comparable to KeyNote
  – Express almost everything KeyNote can and some things that KeyNote cannot
• Be able to handle a large volume of requests on a single machine
  – Hundreds of thousands of requests/second

Kevin: Both allow delegation and access conditions. KeyNote can require arbitrary combinations of requesters (i.e. bob and (alice or joe or charlie)), but CPOL can only do a conjunction. In CPOL, delegation can be controlled separately from normal access rights. Also, CPOL has roles/groups and KeyNote does not.
Kevin: It turns out that with a cache hit rate of 90% a computer with reasonable resources (512 MB RAM, 2 GHz processor) can process a sustained throughput of approximately 1,000,000 requests per second.
Page 6

CPOL Policies

CPOL Policy Fields

Owner: The owner is the entity whose resources are controlled by this rule.
Licensee(s): The licensee is the entity or group that will receive privileges.
Access token: The access token contains information about the rights assigned by this rule.
Condition: CPOL verifies that the condition is true before granting the access token to the licensee(s).

Sample Policy

Owner: Alice
Licensee: Bob
AccessToken {
    LocationResolution = RoomLevel
    IdentityResolution = Name
    DelegationPrivileges = None
}
Condition {
    AfterTime = 9 AM
    BeforeTime = 5 PM
    InBuilding = {Library, CS}
    NotInRoom = {ConferenceRoom 1010 CS}
}

Kevin: If multiple licensees are specified, then all licensees must request access together for the rule to apply.
Kevin: Delegation is contained in the access token.
Kevin: The condition could be time of day, the target's location, or any arbitrary expression.
Kevin: Note that Bob here is not allowed to delegate to others.
Page 7

CPOL Design Overview

• CPOL takes advantage of the trend that the domain of policies for a particular application is usually fairly small
  – Instead of presenting a highly expressive interface at runtime, restrict the domain of policies at compile-time
• Define access token and condition objects
• CPOL also exploits caching to improve performance

Page 8

Defining CPOL for an Application

• Access Token
  – Define data members
  – Define Boolean AddAccess(newToken) – does this token have sufficient delegation privileges to add a new rule with newToken?
• Condition
  – Define data members
  – Define Boolean Test(state) – is the condition true given an input state?

Kevin: There are other functions that must be defined as well, but not all of them are covered here.
Kevin: Data members are also defined for state. In the case of location-aware privacy enforcement, state contains the owner's location and the current time.
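The policy fields from the CPOL Policies slide and the two application-defined functions from this slide, AddAccess(newToken) and Test(state), worked through in Python. This is an added example, not the CPOL source code: the ordering of location resolutions, the "Delegate" value, and the evaluate/bob_sees_alice helpers are assumptions; the sample policy is the Alice-to-Bob rule from the slides.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import time
# Location resolutions, coarse to fine (levels below RoomLevel are assumed).
LOCATION_RES = {"None": 0, "Building": 1, "RoomLevel": 2}
State = namedtuple("State", "now building room")  # owner location + time of day
# licensees is a frozenset: every licensee must request access together
Policy = namedtuple("Policy", "owner licensees token condition")

@dataclass(frozen=True)
class AccessToken:
    location_resolution: str = "None"
    identity_resolution: str = "None"
    delegation_privileges: str = "None"   # "None" or "Delegate" (assumed names)

    def add_access(self, new_token):
        """AddAccess(newToken): needs delegation rights; may not delegate finer."""
        return (self.delegation_privileges != "None"
                and LOCATION_RES[new_token.location_resolution]
                <= LOCATION_RES[self.location_resolution])

@dataclass(frozen=True)
class Condition:
    after: time
    before: time
    in_building: frozenset
    not_in_room: frozenset = frozenset()

    def test(self, state):   # Test(state): every clause must hold
        return (self.after <= state.now < self.before
                and state.building in self.in_building
                and state.room not in self.not_in_room)

def evaluate(policies, owner, requesters, state):
    """Token granted to `requesters` on `owner`'s resources, or None."""
    for p in policies:
        if (p.owner == owner and p.licensees <= frozenset(requesters)
                and p.condition.test(state)):
            return p.token
    return None

# The slide's sample policy: Bob sees Alice at room level, 9 AM-5 PM, in the
# Library or CS building, but not in CS conference room 1010.
ALICE_TO_BOB = Policy("Alice", frozenset({"Bob"}),
                      AccessToken("RoomLevel", "Name", "None"),
                      Condition(time(9), time(17), frozenset({"Library", "CS"}),
                                frozenset({"ConferenceRoom 1010 CS"})))
def bob_sees_alice(hour, building, room, requesters=("Bob",)):
    return evaluate([ALICE_TO_BOB], "Alice", requesters,
                    State(time(hour), building, room))
```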
Page 9

Caching

• Correct invalidation is done using cache conditions
  – Cache Condition = Sum(Conditions)
  – Cache Condition is more compact than condition
    • Example: Calculate time-to-live and highest resolution of location conditions
  – Invalidated when Boolean StillGood(oldState, newState) is false

Kevin: Cache conditions are a single 16-bit field in the location-aware privacy enforcement system.
Kevin: For example, if the highest resolution in one of the conditions is room-level, the entry will be invalidated when the room changes.
Kevin: This function is defined for the specific application and should be able to be evaluated very quickly.
Kevin: The sum function is defined for the application as well. There is also a subtract function for policies that are currently false but may become true, invalidating the condition.
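The cache-condition mechanism from this slide, Sum over the conditions that decided a result and StillGood over the old and new state, as an added Python example rather than the paper's implementation. The CondSummary and CacheCondition records, the PolicyCache class and the rule that a room-level condition pins an entry to the current room are assumptions drawn from the notes above; time-of-day values are any ordered type (the test uses minutes since midnight).

```python
from collections import namedtuple

RES_RANK = {"None": 0, "Building": 1, "RoomLevel": 2}   # coarse to fine (assumed)
# A condition reduced to what caching needs: its time window and the finest
# location resolution it tests.  `now` is any ordered time value, e.g.
# minutes since midnight or datetime.time.
CondSummary = namedtuple("CondSummary", "after before resolution")
State = namedtuple("State", "now building room")
# Cache Condition: compact record derived from all contributing conditions.
CacheCondition = namedtuple("CacheCondition", "expires resolution")

def cache_sum(conditions, state):
    """Sum(Conditions) for a decision computed at `state`: expires is the
    earliest time boundary of any condition still ahead of now (the TTL);
    resolution is the finest location any condition looks at.  Conditions
    that are false now are included, since they may become true later."""
    edges = [t for c in conditions for t in (c.after, c.before) if t > state.now]
    expires = min(edges) if edges else None          # None: no time bound
    res = max((c.resolution for c in conditions), key=RES_RANK.get, default="None")
    return CacheCondition(expires, res)

def still_good(cc, old_state, new_state):
    """StillGood(oldState, newState): cheap check that no contributing
    condition can have changed its answer since the entry was cached."""
    if cc.expires is not None and new_state.now >= cc.expires:
        return False                                  # TTL elapsed
    if cc.resolution == "RoomLevel":
        return (new_state.building, new_state.room) == (old_state.building, old_state.room)
    if cc.resolution == "Building":
        return new_state.building == old_state.building
    return True                                       # location not tested

class PolicyCache:
    """Decision cache keyed by (owner, requesters); each entry carries its
    cache condition and the state it was computed in."""
    def __init__(self):
        self.entries, self.hits, self.misses = {}, 0, 0

    def lookup(self, key, state, recompute):
        """Serve from cache while StillGood holds; otherwise call
        recompute(state) -> (decision, conditions) and re-cache."""
        e = self.entries.get(key)
        if e and still_good(e[1], e[2], state):
            self.hits += 1
            return e[0]
        self.misses += 1
        decision, conditions = recompute(state)
        self.entries[key] = (decision, cache_sum(conditions, state), state)
        return decision
```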
Page 10

Testing Methodology

• CPOL, KeyNote, and a MySQL database were all set up to evaluate privacy policies

• Three experiments
  – Single request processing time (CPOL, KeyNote, MySQL)
  – Memory consumption (CPOL)
  – Simulated privacy request workload in a university environment (CPOL, MySQL)

Kevin: Note: KeyNote was unable to handle queries for even a hundred users in real time, so it was omitted from this comparison.
Page 11

Single Request Processing Time

• CPOL and MySQL have O(1) processing time with respect to number of policies

• KeyNote takes much longer to evaluate one policy with more policies in the system

Kevin: With a cache hit rate of 90%, a computer with reasonable resources should be able to process a sustained request load of 1,000,000 requests per second.
Page 12

Memory Usage

• Important because CPOL is an in-memory system

• Memory usage is per user, role, role membership, policy (rule), and cache entry

• CPOL can store information for approximately 500,000 users with a 2,000,000 entry cache in 500 MB of memory

Kevin: Role membership overhead is high because a two-way mapping is kept. User -> roles is used during evaluation; role -> users is used for managing role membership. This could be optimized by flushing the role -> users mapping to disk, since it is not used as often.
Page 13

Simulated Privacy Workload

• Movement data was generated using a custom schedule-based generator for different numbers of users

• Users’ privacy policies were created using information collected by surveying 30 potential users

• Varying update frequency from one to thirty seconds

Kevin: Users were given schedules with a certain number of credits, and these users entered a building and went to their classes at the appropriate times. Some users queried locations of everyone else in the same room as them, some queried locations of friends, and some queried locations of everyone (using requester roles, only O(n), not O(n^2)).
Kevin: Friends, family members and professors were surveyed. Most of the friends and family members were EECS students.
Kevin: With a thirty-second update rate, CPOL could handle approximately 300,000 users and MySQL could handle 5000.
Page 14

Future Work

• Distribute CPOL over multiple servers to further enhance scalability
  – Minimize state replication between servers
• Deploy CPOL in a real location-aware environment
  – New computer science building at University of Michigan will use CPOL for privacy policy enforcement
• Use CPOL in other application domains such as mobile messaging

Page 15

Conclusion

• Applications are emerging that require high-performance policy evaluation

• Current solutions (KeyNote and database server) are not efficient enough to handle a large workload

• CPOL takes advantage of caching and compiled object attributes to deliver better performance

• With 500 users and 5000 policies, CPOL is five to six orders of magnitude faster than KeyNote and two to three orders of magnitude faster than a MySQL implementation, depending on cache hit rate

Page 16

Questions?

• Please contact me if you wish to obtain source code for CPOL or for the schedule-based movement generator – source code will be available online soon!

• E-mail: [email protected]