Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies

https://doi.org/10.1016/j.compeleceng.2014.12.012

Highlights

  • We provide a policy analysis scheme to detect access contradictions among web services.

  • We propose semantic-based policy analysis through deductive logic and inference rules.

  • We present flaw, conflict and redundancy detection algorithms for XACML policy analysis.

  • We show through experiments that SBA-XACML provides efficient detection mechanisms.

Abstract

XACML (eXtensible Access Control Markup Language) policies, which are widely adopted for defining and controlling dynamic access among Web/cloud services, are becoming more complex in order to handle the significant growth in communication and cooperation between individuals and composed services. However, the large size and complexity of these policies raise many concerns about their correctness, namely the presence of flaws, conflicts and redundancies. This paper addresses this problem by introducing a novel set- and semantics-based scheme that provides accurate and efficient analysis of XACML policies. First, our approach resolves the complexity of policies by elaborating an intermediate set-based representation to which the elements of XACML are automatically converted. Second, it detects flaws, conflicts and redundancies between rules by offering new mechanisms that analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic. All the approach components and algorithms realizing the proposed analysis semantics have been implemented in one development framework. Experiments carried out on synthetic and real-life XACML policies explore the relevance of our analysis algorithms with acceptable overhead. Please visit http://www.azzammourad.org/#projects to download the framework.

Introduction

The heavy reliance on Web services as one of the primary methods for data exchange between partners and distributed systems still faces the risk of exploitation as a result of their open accessibility over the Internet [1], [2]. In addition, services with critical data such as banking and other financial businesses are emerging, which increases the security challenges [3]. In this regard, policy-based computing [4], [5], [6] is taking an increasing role in governing the systematic interaction among distributed services. In particular, access control is the most challenging aspect of Web service security, since it determines which partner can access which service [7]. Currently, an increasing trend is to declare policies in a standardized specification language such as XACML, the OASIS standard eXtensible Access Control Markup Language [8]. Many vendors are adopting XACML for controlling access to their services.

Before stating the addressed problems and contributions of our work, we first give a brief introduction to XACML [8], whose policy structure is divided into three layers. The top layer consists of a policy set, the middle layer consists of policies and the lower layer consists of rules. Each layer contains a target element which is used to define the subjects, resources and actions. The policy set contains a set of policies, a set of obligations and a policy combining algorithm used to resolve ties between its policies. Each policy has a set of rules, a set of obligations and a rule combining algorithm used to resolve ties between its rules. A rule consists of a set of conditions and a rule effect. The obligations at the policy set and policy level are carried out when the final decision is reached, whether permit or deny. The illustrative policy set example in Fig. 1, which will be used and explained in the case study (Section 5), depicts the policy structure.

Nowadays, mid and large size online systems may embed several distributed services heavily interacting and composed together to provide features satisfying the clients' needs. This may require policies with hundreds and even thousands of rules to control access and enforce business behaviors. As a result, policies used as means of protection can themselves be a source of weaknesses due to the presence of flaws and conflicts between their rules. For instance, considering the example in Fig. 1, rules R3 and R4 lead to an access flaw because both rules have no targets, both rules have the same effect Permit, R3 precedes R4 in order and R4 is more restricted than R3. With the current XACML decision mechanism, the generic rule R3 will always take precedence and be evaluated before the restricted rule R4. Therefore the response will always be given by R3, which grants access to any subject, while R4, which limits the access to subject Joe, will be disregarded. In this context, the true objective of access control is to give higher priority to more restricted rules. Current XACML tools give a major role to security administrators to resolve some tie/conflict decisions through policies/rules modifications and/or combining algorithms (e.g. Permit-overrides and First-Applicable). Although manual corrections may seem practical for small size policies, they are doubtful if not impossible for large ones within the complex structure of XACML. The problem grows when integrating and composing different policies [9], [2], [7], [10], [6], [5], where contradictions between combining algorithms are apparent. In this regard, some approaches have been proposed addressing XACML policy composition and analysis [11], [12], [13], [14], [15], [16], [17], [18]. However, these propositions did not address the presence of access flaws, conflicts and redundancies between policies, and did not consider the logical meaning of rules that reflect the objectives of a policy.
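The flaw described above (a general Permit rule ordered before a more restricted Permit rule) can be reproduced with a small set-based model of rules, shown here as an added example that is not the paper's SBA-XACML code. The names `Rule`, `ANY`, `more_restricted`, `analyze` and `first_applicable` are hypothetical; R4's limitation to subject Joe is modelled as a subject set, R5 is a constructed extra rule, and the conflict criterion (overlapping targets with opposite effects) is an assumption, since the page does not state the paper's exact definition.

```python
from dataclasses import dataclass
from itertools import combinations

ANY = None  # an absent XACML target matches every request: the universal set

@dataclass(frozen=True)
class Rule:  # set-based view of one XACML rule (a hypothetical SBA-XACML reduction)
    rid: str
    effect: str  # "Permit" or "Deny"
    subjects: "frozenset | None" = ANY
    resources: "frozenset | None" = ANY
    actions: "frozenset | None" = ANY

    def sets(self):
        return (self.subjects, self.resources, self.actions)

def _subset(a, b):  # a contained in b, treating ANY as the universal set
    return True if b is ANY else (a is not ANY and a <= b)

def _intersects(a, b):
    return True if (a is ANY or b is ANY) else bool(a & b)

def more_restricted(r, g):
    """r is more restricted than g: each of r's sets lies in g's, at least one strictly."""
    pairs = list(zip(r.sets(), g.sets()))
    return all(_subset(a, b) for a, b in pairs) and any(a != b for a, b in pairs)

def analyze(rules):
    """Pairwise check of an ordered rule list; returns (flaws, conflicts)."""
    flaws, conflicts = [], []
    for i, j in combinations(range(len(rules)), 2):  # rules[i] precedes rules[j]
        g, r = rules[i], rules[j]
        if g.effect == r.effect and more_restricted(r, g):
            flaws.append((g.rid, r.rid))  # general rule shadows the restricted one
        elif g.effect != r.effect and all(_intersects(a, b) for a, b in zip(g.sets(), r.sets())):
            conflicts.append((g.rid, r.rid))  # overlapping targets, opposite effects (assumed definition)
    return flaws, conflicts

def first_applicable(rules, subject, resource, action):
    """XACML first-applicable combining: the first matching rule in order decides."""
    for r in rules:
        if all(s is ANY or v in s for s, v in zip(r.sets(), (subject, resource, action))):
            return r.rid, r.effect
    return None, "NotApplicable"

# Constructed sample modelled on the page's description of R3 and R4 (R5 is added here)
R3 = Rule("R3", "Permit")
R4 = Rule("R4", "Permit", subjects=frozenset({"Joe"}))
R5 = Rule("R5", "Deny", subjects=frozenset({"Joe"}), actions=frozenset({"write"}))
```

Evaluating a request from Joe against [R3, R4] under first-applicable returns R3, confirming that R4 never decides, while `analyze` reports the (R3, R4) pair as a flaw; swapping the order removes the flaw.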

In this paper, we tackle the aforementioned problems by elaborating a set-based scheme that provides formal specification of policies and semantics-based detection built on top of it to efficiently perform analysis tasks. The contribution of this paper is twofold: (1) addressing the complex constructs of XACML through an abstract set-based syntax (SBA-XACML), while maintaining a similar policy structure that covers all its elements and sub-elements, and (2) offering novel detection mechanisms that analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic. All the approach components and algorithms have been implemented in one development framework that accepts XACML policies as inputs, converts them automatically to SBA-XACML constructs, and produces a list of access flaws, conflicts and redundancies between rules. The experiments conducted on real-life and synthetic XACML policies explore the relevance and efficiency of our analysis approach with acceptable overhead.

The rest of the paper is organized as follows. Section 2 covers the approach overview and architecture. Section 3 presents the semantics rules for policy and rule analysis. Section 4 illustrates the analysis algorithms. Section 5 depicts the case study and semantics-based detection. Section 6 focuses on the experiments and performance analysis. Section 7 summarizes the related work. Finally, Section 8 presents the conclusion.

Approach Overview

The overall architecture of our approach is illustrated in Fig. 2 with all its components, i.e. SBA-XACML Language, Compiler and Analysis Module. Using the framework, the user can analyse the policies for access flaws, conflicts and redundancies and get the corresponding analysis report using the module embedding the analysis algorithms.

Semantics-based analysis

The structural operational semantics used in this paper is an approach proposed to give logical means for defining operational semantics [20], [21]. It defines the behavior of a process in terms of the behavior of its parts. Computation is represented by means of deductive logic that turns the abstract machine into a system of logical inferences. This allows formal analysis to be applied to the behavior of processes. The behavior of a process is defined in terms of a set of transition relations. Such

Policy analysis algorithms

In this section, we present the algorithms realizing the SBA-XACML policy analysis semantics. The analysis module is divided into three algorithms: (1) the rule analysis algorithm is presented in Algorithm 1, (2) the policy analysis algorithm in Algorithm 2 and (3) the policy set analysis algorithm in Algorithm 3.

Case study: Semantics-based policy analysis

In this section, we present a case study illustrating the practicality of the SBA-XACML policy analysis process through semantics rules. Listing 1 contains the generated SBA-XACML based policy corresponding to the XACML policy example presented in Fig. 1.

Line 1 is the policy set PS. The policy set ID is PS1. It has two policies P1 and P2. P1 is ordered before P2. The policy combining algorithm is permit-overrides. PS1 has no reference to other policies. It has no obligations to perform and the

Discussion and experimental results

In this section, we examine the results of our experiments for analyzing policies for access flaws, conflicts and redundancies. The SBA-XACML framework is implemented in PHP. The experiments were carried out on a notebook running Windows XP SP3 with 3.50 GB of memory and a dual core 2.8 GHz Intel processor. The tests were conducted on both real world and synthetic policies to show the scalability and performance whether the policies are small or large. The real policies utilized in the experiments are small and

Related work

In this section, we provide an overview of the related work in the literature addressing XACML policy analysis, in addition to some policy evaluation approaches. In this regard, Kolovski et al. [11] proposed a formalization of XACML using description logics (DL), which are a decidable fragment of First-Order logic. They perform policy verification by using the existing DL verifiers. Their analysis service can discover redundancies at the rule level. However, they do not address access flaws and

Conclusion and future work

The proposed approach addressed the problem of the presence of flaws, conflicts and redundancies between the rules of large-size and complex XACML policies. In this context, the contribution of this work is the elaboration of a set-based scheme that provides formal specification of XACML policies and semantics-based detection built on top of it to efficiently perform analysis tasks. Our approach improves on the related literature in two different aspects. First, it offers an abstract set-based language

Acknowledgment

This work is supported by the Lebanese American University (LAU) and CNRS, Lebanon.

Hussein Jebbaoui received his M.Sc. degree in Computer Science from the Lebanese American University. The topics of his research activities are Web services security and XACML policy evaluation and analysis.

References (25)

  • E. Karakoc et al. Composing semantic web services under constraints. Expert Syst Appl (2009).
  • Bhalla N, Kazerooni S. Web services vulnerabilities, 2007....
  • Mourad A, Ayoubi S, Yahyaoui H, Otrok H. New approach for the dynamic enforcement of Web Services Security. In:...
  • Atkinson B, et al. Web services security (WS-Security), 2006....
  • H. Yahyaoui et al. A synergy between context-aware and AOP to achieve highly adaptable Web services. J Serv Orient Comput (2012).
  • H. Tout et al. XrML-RBLicensing approach adopted to the BPEL process of composite web services. J Serv Orient Comput (2013).
  • S. Ayoubi et al. New XACML-AspectBPEL approach for composite web services security. Int J Web Grid Serv (2013).
  • A. Mourad et al. A novel aspect-oriented BPEL framework for the dynamic enforcement of web services security. Int J Web Grid Serv (2012).
  • Moses T. OASIS eXtensible Access Control Markup Language (XACML), OASIS Standard 2.0., 2011....
  • Mizouni R, Abdel Serhani M, Dssouli R, Benharref A, Taleb I. Performance evaluation of mobile web services. In:...
  • Kolovski V, Hendler J, Parsia B. Analyzing web access control policies. In: Proceedings of the 16th international...
  • Li N, Hwang J, Xie J. Multiple-implementation testing for XACML implementations. In: Proceedings of the 2008 workshop...
Azzam Mourad is an assistant professor of Computer Science at the Lebanese American University. He holds a Ph.D. in ECE from Concordia University and an M.Sc. degree in Computer Science from Laval University. He is currently working on information security, web services, vehicular networks, and formal semantics. He serves as TPC member and reviewer for several prestigious conferences and journals.

Hadi Otrok holds an associate professor position in the Department of ECE at Khalifa University. He received his Ph.D. in ECE from Concordia University. He works on network and computer security, game theory and mechanism design. He has chaired several security-related conferences. Moreover, he is a TPC member of several prestigious conferences and a reviewer for several IEEE and Elsevier journals.

Ramzi A. Haraty is an associate professor in the Department of Computer Science and Mathematics at the Lebanese American University. His research interests include database management systems, artificial intelligence, and multilevel secure systems engineering. He has well over 110 books, book chapters, and journal and conference paper publications.

Reviews processed and recommended for publication to the Editor-in-Chief by Associate Editor Dr. Srinivasan Rajavelu.