Skip to main content
SpringerLink
Log in

Analyzing XACML policies using answer set programming

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Notes

  1. In this paper, the term policy refers to a security policy specified by XACML. Also terms “policy,” “security policy,” and “XACML policy” are used interchangeably.

  2. http://www.cs.uni-potsdam.de/clasp/.

  3. http://www.tcs.hut.fi/Software/smodels/.

  4. The combining algorithms are more complex, as described in [1], and we simplified them to show the main parts of our specifications.

  5. https://jaxb.java.net/.

  6. http://leonardi.unsw.wikispaces.net/.

  7. http://reasoning.eas.asu.edu/xacml2asp/.

References

  1. eXtensible Access Control Markup Language (XACML) Version 3.0 (2013). http://docs.oasis-open.org/xacml/30/xacml-30-core-spec-os-enpdf. Accessed Sept 2018

  2. AU2EU: Authentication and authorisation for entrusted unions (2015). http://www.au2eu.eu/. Accessed Sept 2018

  3. WSO2 balana: The open source XACML 3.0 implementation (2015). http://xacmlinfo.org/category/balana/. Accessed Sept 2018

  4. Ahn, G.J., Hu, H., Lee, J., Meng, Y.: Representing and reasoning about web access control policies. In: Proceedings of the 2010 IEEE 34th Annual Computer Software and Applications Conference, COMPSAC ’10, pp. 137–146 (2010)

  5. Al-Shaer, E.S., Hamed, H.H.: Discovery of policy anomalies in distributed firewalls. In: INFOCOM 2004. Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 4, pp. 2605–2616 (2004)

  6. Arkoudas, K., Chadha, R., Chiang, J.: Sophisticated access control via SMT and logical frameworks. ACM Trans. Inf. Syst. Secur. 16(4), 17:1–17:31 (2014)

    Article  Google Scholar 

  7. Ayed, D., Lepareux, M.N., Martins, C.: Analysis of XACML policies with ASP. In: 7th International Conference on New Technologies, Mobility and Security (NTMS) (2015)

  8. Basile, C., Cappadonia, A., Lioy, A.: Geometric interpretation of policy specification. In: Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, POLICY ’08, pp. 78–81 (2008)

  9. Basile, C., Cappadonia, A., Lioy, A.: Network-level access control policy analysis and transformation. IEEE/ACM Trans. Netw. 20(4), 985–998 (2012)

    Article  Google Scholar 

  10. Bauer, L., Garriss, S., Reiter, M.K.: Detecting and resolving policy misconfigurations in access-control systems. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(1), 2 (2011)

    Article  Google Scholar 

  11. Brewka, G., Eiter, T., Truszczyński, M.: Answer set programming at a glance. Commun. ACM 54(12), 92–103 (2011)

    Article  Google Scholar 

  12. Crampton, J., Morisset, C.: PTaCL: a language for attribute-based access control in open systems. In: International Conference on Principles of Security and Trust, pp. 390–409. Springer (2012)

  13. Eiter, T., Ianni, G., Krennwallner, T.: Answer set programming: a primer. In: Reasoning Web. Semantic Technologies for Information Systems, Lecture Notes in Computer Science, vol. 5689, pp. 40–110 (2009)

  14. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, ICSE ’05, pp. 196–205 (2005)

  15. Gebser, M., Kaminski, R., Kaufmann, B., Schaub, T.: Answer Set Solving in Practice. Synthesis Lectures on Artificial Intelligence and Machine Learning. Morgan and Claypool Publishers, San Francisco (2012)

    Google Scholar 

  16. Gebser, M., Kaminski, R., Kaufmann, B., Schaub, T.: Clingo = ASP + control: Preliminary report. CoRR arXiv:1405.3694 (2014)

  17. Griffin, L., Butler, B., de Leastar E, Jennings, B., Botvich, D.: On the performance of access control policy evaluation. In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 25–32 (2012)

  18. Hu, H., Ahn, G.J., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secur. Comput. 9(3), 318–331 (2012)

    Article  Google Scholar 

  19. Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secur. Comput. 10(6), 341–354 (2013)

    Article  Google Scholar 

  20. Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transf. 10(6), 503–520 (2008)

    Article  Google Scholar 

  21. Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW ’07, pp. 677–686 (2007)

  22. Lee, J., Wang, Y., Zhang, Y.: Automated reasoning about xacml 3.0 delegation using answer set programming. In: CEUR Workshop Proceedings, CEUR-WS, vol. 1433 (2015)

  23. Lifschitz, V.: What is answer set programming? In: Proceedings of the 23rd National Conference on Artificial Intelligence, vol. 3, pp. 1594–1597 (2008)

  24. Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: EXAM: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9(4), 253–273 (2010)

    Article  Google Scholar 

  25. Liu, A.X., Chen, F., Hwang, J., Xie, T.: XEngine: a fast and scalable XACML policy evaluation engine. SIGMETRICS ’08, 265–276 (2008)

    Article  Google Scholar 

  26. Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: A rigorous framework for specification, analysis and enforcement of access control policies. IEEE Trans. Softw. Eng. 99, 1–1 (2017)

    Google Scholar 

  27. Mejri, M., Yahyaoui, H.: Formal specification and integration of distributed security policies. Comput. Lang. Syst. Struct. 49, 1–35 (2017)

    Google Scholar 

  28. Ramli, C.D.P.K.: Detecting incompleteness, conflicting and unreachability XACML policies using answer set programming. CoRR, arXiv:1503.02732 (2015)

  29. Ramli, C.D.P.K., Nielson, H., Nielson, F.: XACML 3.0 in answer set programming. In: Logic-Based Program Synthesis and Transformation, Lecture Notes in Computer Science, vol. 7844, pp. 89–105 (2013)

  30. Rezvani, M., Aryan, R.: Analyzing and resolving anomalies in firewall security policies based on propositional logic. In: IEEE 13th International Multi Topic Conference, INMIC (2009)

  31. Rezvani, M., Ignjatovic, A., Pagnucco, M., Jha, S.: Anomaly-free policy composition in software-defined networks. In: IFIP Networking 2016 Conference (Networking 2016), Vienna, Austria (2016)

  32. Tschantz, M.C., Krishnamurthi, S.: Towards reasonability properties for access-control policy languages. In: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, SACMAT ’06, pp. 160–169 (2006)

  33. Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Formal analysis of XACML policies using SMT. Comput. Secur. 66(Supplement C), 185–203 (2017)

    Article  Google Scholar 

  34. Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C.N., Mohapatra, P.: FIREMAN: a toolkit for firewall modeling and analysis. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 199–213 (2006)

Download references

Author information

Authors and Affiliations

  1. Faculty of Computer Engineering, Shahrood University of Technology, Shahrood, Iran

    Mohsen Rezvani

  2. School of Computer Science and Engineering, University of New South Wales, Sydney, Australia

    David Rajaratnam, Aleksandar Ignjatovic, Maurice Pagnucco & Sanjay Jha

Authors
  1. Mohsen Rezvani
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David Rajaratnam
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Aleksandar Ignjatovic
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Maurice Pagnucco
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Sanjay Jha
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohsen Rezvani.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Rezvani, M., Rajaratnam, D., Ignjatovic, A. et al. Analyzing XACML policies using answer set programming. Int. J. Inf. Secur. 18, 465–479 (2019). https://doi.org/10.1007/s10207-018-0421-5

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-018-0421-5

Keywords

Search

Navigation