Using File-Correlation to Accelerate Decision-Making in a
Decentralized Cooperative Security Enforcement


To the best of our knowledge all runtime security enforcement systems
make decisions on the spot.  This means, whenever the program is about
to engage in a security critical action, the enforcement decides on how
the action shall be resolved.  The novel approach we take is to try to
make decisions ahead of time.  By doing so, communication and
computation for decision-making is already done when the security
critical action is about to occur.

We propose a decision-making algorithm to enforce Chinese wall policies
in a distributed storage system.  The algorithm builds on work by Hua,
Jiang, Zhu, Feng, and Xu (2014) to predict future file accesses. For
these, decisions will be made in advance.  Special care is taken to
assure soundness when the predicted system behavior differs from the
actual system behavior.  This assures the algorithm works as expected
even when system behavior is not predicted correctly.

We give an informal argument for the soundness and precision of the
proposed decision-making algorithm.  Additionally, we give a CSP
formalization of the algorithm which can be used to do a formal proof
for these properties in the future.

An extensive evaluation of our prototype implementation is made. The
evaluation uses a real world data trace from MSN storage servers to
evaluate the performance under realistic access patterns.  We compare
the performance of the proposed decision-making algorithm with the
decision-making algorithm proposed by Gay, Mantel, and Sprick (2012).
Our evaluation results show the proposed decision-making algorithm on
average takes 55.48% less time to make decisions.  This comes at the
expense of doing on average 4.2 times the amount of communication.
These are encouraging results which show that making decisions in
advance can be beneficial for performance.