Computers & Security

Volume 49, March 2015, Pages 1-16
Decision Diagrams for XACML Policy Evaluation and Management

https://doi.org/10.1016/j.cose.2014.11.003

Abstract

One of the primary challenges in applying the XACML access control policy language in applications is the performance of policy evaluation engines, particularly when they face a large number of policies. Some existing works attempted to solve this problem, but only for particular use-cases: either supporting simple policies with equality comparisons or predefined attribute values. Because they did not carefully examine the XACML model, they did not preserve the original policy evaluation semantics. Therefore, they cannot handle errors that produce indeterminate decisions, or they ignore the critical attribute setting, which leads to potential missing-attribute attacks. In this paper, we build up the XACML logical model and propose a decision diagram approach using data interval partition aggregation. It can parse and transform the complex logical expressions in policies into decision tree structures, which efficiently improve policy evaluation performance. Our approach can also be applied to other policy management problems such as policy redundancy detection, policy testing and comparison, or authorization reverse queries.

Introduction

XACML (Extensible Access Control Mark-up Language) is an authorization policy language in XML format based on the Attribute-Based Access Control (ABAC) model. It composes policies from sets of attribute criteria joined by logical operators to decide whether authorization requests are granted. XACML scales by arranging policies hierarchically in the repository. The policy language also supports delegations, obligations and advices, which makes it applicable in many areas such as networking, grids, clouds, and enterprise organization and management. However, expanding policies to match system scale increases the complexity of the repository, which degrades policy evaluation performance.

XACML policies have complex structures with a sophisticated logical model, as follows:

  • Policies are organized hierarchically in a policy tree of rule, policy and policy-set elements. The tree contains internal nodes and external (leaf) nodes. An internal node is either a policyset or a policy. Children of a policyset node can be other policysets or policies. Children of a policy are rules, which are external nodes. Because children can produce conflicting decisions, parent nodes resolve them by predefined combining algorithms.

  • Policy decisions are not only permit and deny, but also other intermediate values that handle error and unmatched situations, such as not-applicable and indeterminate decisions (see Section 3). This means that the operations combining policies' decisions cannot be derived from binary logical operators; they must be defined in multi-valued logical domains.

  • Not all attributes are processed equally: some are marked as critical (with the flag “MustBePresent = true”). During evaluation, a missing critical attribute should yield an indeterminate value rather than not-applicable.

  • Because policies have their own predicates to match against requests, attribute comparisons are scattered across the policy tree. Thus, typical implementations discussed in Turkmen and Crispo (2008) often have redundant evaluations: an attribute may be compared multiple times in different policy nodes.
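To make the multi-valued semantics of the list above concrete, here is an added example (not code from the paper) of a miniature XACML 3.0 evaluator: a rule target is one conjunction of matches, a missing attribute is an error only when MustBePresent is set, and deny-overrides combines the six-valued decisions. The policy, attribute names and predicates are constructed for illustration.

```python
from collections import namedtuple

# XACML 3.0 decision domain: Permit, Deny, NotApplicable and the three extended
# indeterminate values, i.e. the many-valued logic the paper refers to.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_P, IND_D, IND_DP = "Indeterminate{P}", "Indeterminate{D}", "Indeterminate{DP}"

# A match compares one request attribute with a predicate; must_be_present is the
# critical-attribute flag. A rule's target is one AllOf: every match must hold.
Match = namedtuple("Match", "attribute predicate must_be_present", defaults=[False])
Rule = namedtuple("Rule", "effect target")

def eval_target(target, request):
    """'match', 'no-match' or 'indeterminate'. A missing attribute is an error only
    when MustBePresent is set; as in XACML AllOf, a false match overrides an error."""
    error = False
    for m in target:
        if m.attribute not in request:
            if not m.must_be_present:
                return "no-match"
            error = True
        elif not m.predicate(request[m.attribute]):
            return "no-match"
    return "indeterminate" if error else "match"

def eval_rule(rule, request):
    t = eval_target(rule.target, request)
    if t == "no-match":
        return NA
    # an error is tagged with the effect that could not be reached
    return rule.effect if t == "match" else (IND_P if rule.effect == PERMIT else IND_D)

def deny_overrides(decisions):
    """Rule-combining algorithm deny-overrides as specified in XACML 3.0."""
    d = set(decisions)
    if DENY in d:
        return DENY
    if IND_DP in d or (IND_D in d and d & {IND_P, PERMIT}):
        return IND_DP
    return next((x for x in (IND_D, PERMIT, IND_P) if x in d), NA)

# Constructed sample policy: staff may act during working hours; a clearance below 2
# is denied, and 'clearance' is marked critical (MustBePresent = true).
POLICY = [
    Rule(PERMIT, [Match("role", lambda v: v == "staff"), Match("hour", lambda v: 9 <= v < 17)]),
    Rule(DENY, [Match("clearance", lambda v: v < 2, must_be_present=True)]),
]

def decide(request):
    return deny_overrides([eval_rule(r, request) for r in POLICY])
```

A request that omits the critical attribute while otherwise matching the Permit rule ends in Indeterminate{DP}, whereas omitting the non-critical `role` attribute simply makes the first rule not applicable.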

With these characteristics, it is challenging to propose high-performance policy evaluation solutions or to resolve policy analysis and management problems. We need practical mechanisms that not only gather predicates and efficiently reduce them while respecting the combining algorithms, but also guarantee the multi-valued logical semantics of XACML.

Motivated by the need for high-performance policy evaluation when designing access control systems for Clouds using XACML (Ngo et al., 2011), and by related work on decision diagrams (Bryant, 1986, Strehl and Thiele, 2000, Christiansen and Fleury, 2004), policy evaluation approaches (Liu et al., 2011, Pina Ros et al., 2012) and implementations reviewed in Turkmen and Crispo (2008), we analyze the logic behind the XACML standard and propose the Multi-data-type Interval Decision Diagram (MIDD) approach. Its data structures and operators transform policies into decision trees, which boosts policy evaluation performance while keeping the original semantics. We presented preliminary work in Ngo et al. (2013) containing the basic formulation of MIDDs. However, it still had some drawbacks in its logical analysis and related algorithms. In this paper, we improve and fix them as follows:

  • We analyze the logic of XACML component evaluation, which is essentially a many-valued logic system with equivalent operators on different domains. The related work analyzed only simple cases with partial error handling coverage (e.g. target expressions returned only either ‘matched’ or ‘unmatched’, without errors). The algorithms in this paper are improved based on formulations from a complete logical analysis of XACML components. Section 3 clarifies this contribution.

  • Based on the logical analysis, we split the MIDD definition of the preliminary work (Ngo et al., 2013) into the MIDD, for expressions whose target domain is VM, and the X-MIDD, for expressions whose target domain is VR. They facilitate the improved algorithms in Section 5.3.

  • The algorithms in Section 6 support flexible critical attribute settings in different match expressions, which was a drawback of Ngo et al. (2013).

The proposed mechanisms can also be applied to XACML policy management problems: transforming a complex policy tree into a unified decision tree facilitates solving problems such as policy comparison, policy redundancy detection, policy testing or authorization reverse queries.

The rest of the paper is organized as follows. Section 2 reviews the related work on policy analysis, management, integration and high-performance evaluation. Section 3 analyzes the XACML logic that provides the basis for the proposed solution. Section 4 formulates the approach to evaluate the complete logical expressions using interval decision diagrams. Section 5 defines fundamental operations to process intervals, partitions and decision diagrams. These materials are used in our solution to transform XACML policies in Section 6. The proposed mechanism is then analyzed and validated in Section 7. Finally, Section 8 concludes the paper.

Related work

There are numerous prior works on access control policies that mainly focus on policy verification, analysis and testing to detect and remove redundancy (Fisler et al., 2005, Li and Tripunitara, 2006, Kolovski et al., 2007, Hu and Ahn, 2008). Fisler et al. (2005) used propositional logic in XACML to identify properties of given policies and analyze the change-impact of two policies to summarize their differences. The proposal was implemented in the Margrave project, using Multi-Terminal Binary

XACML abstractions

XACML elements (OASIS XACML, 2013) are organized hierarchically into policysets, policies and rules. Each of them has a Target expression as the criterion for incoming requests. The returned decision is either defined in the rule's “effect” property or is the combination of the decisions of its children rules, policies or policysets.

Table 1 abstracts the main XACML elements on which our logical analysis focuses. More detail on the syntax of the XACML elements can be found in the OASIS XACML

Interval processing and MIDD operations

This section defines interval processing and MIDD composition operations, which are used to create MIDDs from XACML elements.

XACML transformations

In this section, by utilizing the operations defined above, we solve the XACML evaluation problem by parsing and transforming XACML policies or policysets into X-MIDDs with equivalent evaluation semantics. Besides having much higher performance, our approach covers most of the important XACML features missing from related work:

  • Support for complex comparison functions on continuous data-types: the MIDD mechanism allows us to transform policies with inequality comparisons, as in Listing 1.

  • Handle all
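As an added illustration of the interval transformation described above (example code written for this page, not the paper's MIDD implementation), the following builds one decision level over a single numeric attribute: rule predicates given as intervals are aggregated into a disjoint partition whose segments carry the combined decision, so evaluation is one binary search instead of one comparison per rule. The rules, the attribute and the simplified Permit/Deny/NotApplicable-only deny-overrides are constructed assumptions.

```python
from bisect import bisect_right

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed sample rules on one continuous attribute (the request's 'hour'):
# each is a half-open interval [lo, hi) plus an effect, i.e. hour >= 9 AND hour < 17.
RULES = [
    (9.0, 17.0, PERMIT),   # r1: business hours
    (16.0, 24.0, DENY),    # r2: evening lock-out, overlaps r1 on [16, 17)
    (0.0, 6.0, DENY),      # r3: night
    (12.0, 13.0, DENY),    # r4: lunch-time freeze, nested inside r1
]

def deny_overrides(effects):
    """Deny wins, then Permit; no applicable rule gives NotApplicable."""
    return DENY if DENY in effects else (PERMIT if PERMIT in effects else NA)

def build_diagram(rules):
    """Interval partition aggregation: cut the axis at every rule bound so each
    segment is covered by a fixed rule set, then label it with the combined decision.
    The sorted starts are the edges of one MIDD node, the labels its leaves."""
    bounds = sorted({b for lo, hi, _ in rules for b in (lo, hi)})
    segments = []
    for lo, hi in zip(bounds, bounds[1:]):
        covering = [e for rlo, rhi, e in rules if rlo <= lo and hi <= rhi]
        segments.append((lo, hi, deny_overrides(covering)))
    return [lo for lo, _, _ in segments], segments

def evaluate_diagram(diagram, value):
    """One binary search over segment starts replaces one comparison per rule."""
    starts, segments = diagram
    i = bisect_right(starts, value) - 1
    if i < 0 or value >= segments[i][1]:
        return NA                          # outside every rule's interval
    return segments[i][2]

def evaluate_naive(rules, value):
    """Reference evaluation: test every rule's predicate against the request."""
    return deny_overrides([e for lo, hi, e in rules if lo <= value < hi])

def diagrams_agree(rules, samples):
    """Policy-testing use: the diagram must decide as the rule set does on every sample."""
    diagram = build_diagram(rules)
    return all(evaluate_diagram(diagram, v) == evaluate_naive(rules, v) for v in samples)

def merged_segments(rules):
    """Adjacent segments with equal labels collapse into one edge; what remains is the
    number of distinct outcomes the node needs, a simple redundancy check."""
    merged = []
    for lo, hi, label in build_diagram(rules)[1]:
        if merged and merged[-1][2] == label:
            merged[-1] = (merged[-1][0], hi, label)
        else:
            merged.append((lo, hi, label))
    return merged
```

The four overlapping rules produce seven segments, of which six survive merging; the nested lunch-time Deny and the overlap on [16, 17) are resolved once at build time rather than on every request.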

Features comparison

Based on the logical analysis in Section 3, our proposed mechanism covers most of the XACML features missing from prior work (e.g. in Liu et al. (2011) and Pina Ros et al. (2012)):

  • We fully support the XACML logical expressions analyzed in Section 3, with multiple data-types and comparison operators.

  • Our work preserves the original combining algorithm semantics in handling indeterminate and not-applicable states: prior work could handle simple Permit or Deny decisions, but could not for

Conclusion

In this paper, we analyzed the logic behind XACML and then presented mechanisms to transform XACML operations with the aim of optimizing policy evaluation. The approach not only gains a significant performance improvement but also preserves the original evaluation semantics. It can handle the complicated logical expressions defined in policies’ predicates, the correctness of combining algorithm semantics, the critical attribute setting, and obligations and advices handling. Our tree structures can be used

Acknowledgments

This work is supported by the FP7 EU funded projects The Generalised Architecture for Dynamic Infrastructure Services (GEYSERS, FP7-ICT-248657), GN3plus and the Dutch national research program COMMIT.

References (27)

  • C.D.P.K. Ramli et al., The logic of XACML, Sci Comput Program (2014)
  • P. Bonatti et al., An algebra for composing access control policies, ACM Trans Information Syst Secur (TISSEC) (2002)
  • G. Bruns et al., A simple and expressive semantic framework for policy composition in access control
  • R. Bryant, Graph-based algorithms for Boolean function manipulation, IEEE Trans Comput (1986)
  • M. Christiansen et al., An MTIDD based firewall, Telecommun Syst (2004)
  • K. Fisler et al., Verification and change-impact analysis of access-control policies
  • M. Fujita et al., Multi-terminal binary decision diagrams: an efficient data structure for matrix representation, Formal Methods Syst Des (1997)
  • GEYSERS, GEYSERS - generalised architecture for dynamic infrastructure services (2010)
  • H. Hu et al., Enabling verification and conformance testing for access control model
  • V. Kolovski et al., Analyzing web access control policies
  • N. Li et al., Security analysis in role-based access control, ACM Trans Information Syst Secur (TISSEC) (2006)
  • A.X. Liu et al., XEngine: a fast and scalable XACML policy evaluation engine
  • A.X. Liu et al., Designing fast and scalable XACML policy evaluation engines, IEEE Trans Comput (2011)

Canh Ngo received the B.Eng. degree in Information Technology in 2006 from Hanoi University of Technology, Vietnam and the MSc degree in Computer Engineering in 2008 from Kyung Hee University, South Korea. Currently he is a PhD student of the System and Network Engineering (SNE) research group in the Faculty of Science at the University of Amsterdam. His research interests include information security, access control, identity management systems, Cloud Computing and distributed systems.

Dr. Yuri Demchenko is a Senior Researcher at the System and Network Engineering group of the University of Amsterdam. He graduated and received his PhD from the National Technical University of Ukraine “Kiev Polytechnic Institute”. His main research areas include Cloud and Intercloud Architecture, Big Data Infrastructure, general security architectures and distributed access control infrastructure for cloud based services and data centric applications. Yuri is an IEEE member and actively contributes to IEEE Cloud Computing Initiatives projects and to the organization of numerous conferences and workshops as co-chair and Program Committee member, e.g. the conferences CloudCom2011-2014, CTS2007-2013, BDDAC2013–2014.

Prof. Cees de Laat chairs the System and Network Engineering (SNE) research group in the Faculty of Science at the University of Amsterdam. Research ranges from optical and switched networking, workflows for big data processing in PetaScale e-Science applications, Semantic Web to describe e-infrastructure resources, information complexity, Authorization architectures, to Systems Security & Privacy. Prof. de Laat serves on the Lawrence Berkeley Laboratory Policy Board on ESnet, is co-founder of GLIF.is and GRIDforum.nl and a founding member of CineGrid.org. His group is/was part of the EU projects CYCLONE, EuroBrazil, Geysers, NOVI, etc. For more info: http://delaat.net/.