Decision Diagrams for XACML Policy Evaluation and Management
Introduction
XACML (eXtensible Access Control Markup Language) is an authorization policy language in XML format based on the Attribute-Based Access Control (ABAC) model. It composes policies from sets of attribute criteria joined by logical operators to decide whether authorization requests are granted. XACML scales by arranging policies hierarchically in the repository. The policy language also supports delegations, obligations and advice, which makes it applicable in many areas such as networking, grids, clouds, and enterprise organization and management. However, expanding the policies to match the scale of the system increases the complexity of the repository, which degrades policy evaluation performance.
XACML policies have complex structures with a sophisticated logical model:
- Policies are organized hierarchically in a policy tree of rule, policy and policyset elements. The tree contains internal nodes and external (leaf) nodes. An internal node is either a policyset or a policy. Children of a policyset node can be other policysets or policies; children of a policy are rules, which are leaf nodes. Because children can produce conflicting decisions, parent nodes resolve them with predefined combining algorithms.
- Policy decisions are not only permit and deny but also intermediate values that handle errors and unmatched situations, such as the not-applicable and indeterminate decisions (see Section 3). Consequently, the operations that combine policies' decisions cannot be derived from binary logical operators; they must be defined over multi-valued logical domains.
- Not all attributes are processed equally: some are marked as critical (with the flag “MustBePresent = true”), and during evaluation the absence of such an attribute must yield an indeterminate value rather than not-applicable.
- Because every policy node has its own predicates to match against requests, attribute comparisons are scattered across the policy tree. Typical implementations, as discussed in Turkmen and Crispo (2008), therefore often evaluate redundantly: an attribute may be compared multiple times in different policy nodes.
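As an added illustration that is not code from the paper, the following Python sketch evaluates a small policy over the multi-valued decision domain described above, following the OASIS XACML 3.0 target, rule and deny-overrides semantics (the extended Indeterminate{P}/{D}/{DP} values are XACML 3.0's own, not this paper's notation). The rules, attribute names and request values are constructed for the example.

```python
from dataclasses import dataclass
# XACML 3.0 decision domain; extended Indeterminate values record the effect(s)
# an evaluation that hit an error could otherwise have produced.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_P, IND_D, IND_DP = "Indeterminate{P}", "Indeterminate{D}", "Indeterminate{DP}"
ERR = {PERMIT: IND_P, DENY: IND_D}                          # error tagged with an effect
MATCH, NO_MATCH, IND = "Match", "NoMatch", "Indeterminate"  # target (match) domain

@dataclass
class Match:
    attr: str                       # request attribute the predicate reads
    pred: object                    # callable, e.g. lambda v: v >= 18
    must_be_present: bool = False   # the XACML MustBePresent flag
@dataclass
class Rule:
    effect: str                     # PERMIT or DENY
    target: list                    # list of Match, evaluated as an AllOf conjunction

def eval_target(matches, req):
    """AllOf: NoMatch beats Indeterminate, which beats Match. A missing attribute is an error only when critical."""
    res = [(IND if m.must_be_present else NO_MATCH) if m.attr not in req
           else (MATCH if m.pred(req[m.attr]) else NO_MATCH) for m in matches]
    return NO_MATCH if NO_MATCH in res else IND if IND in res else MATCH

def eval_rule(rule, req):
    t = eval_target(rule.target, req)
    return rule.effect if t == MATCH else NA if t == NO_MATCH else ERR[rule.effect]

def deny_overrides(decisions):
    """XACML 3.0 deny-overrides combining algorithm over the six-valued domain."""
    if DENY in decisions:
        return DENY
    err_d, err_p, permit = IND_D in decisions, IND_P in decisions, PERMIT in decisions
    if IND_DP in decisions or (err_d and (err_p or permit)):
        return IND_DP
    return IND_D if err_d else PERMIT if permit else IND_P if err_p else NA

def eval_policy(target, rules, req):
    t = eval_target(target, req)
    if t == NO_MATCH:
        return NA
    combined = deny_overrides([eval_rule(r, req) for r in rules])
    # An Indeterminate policy target turns a definite child decision into an error.
    return combined if t == MATCH or combined == NA else ERR.get(combined, combined)

# Constructed sample: guests are denied, adults permitted; 'age' is critical
# (MustBePresent) in the permit rule only, so omitting it yields an error.
REPORT_TARGET = [Match("resource", lambda v: v == "report")]
REPORT_RULES = [Rule(DENY, [Match("role", lambda v: v == "guest")]),
                Rule(PERMIT, [Match("age", lambda v: v >= 18, must_be_present=True)])]
```

Note how the same missing attribute gives NotApplicable when it is not critical (the deny rule's `role`) but Indeterminate{P} when it is (the permit rule's `age`), which is exactly the distinction a binary logic cannot express.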
With these characteristics, proposing high-performance policy evaluation solutions or resolving policy analysis and management problems is challenging. We need practical mechanisms that can not only gather predicates and reduce them efficiently while remaining aware of the combining algorithms, but also guarantee the multi-valued logical semantics of XACML.
Motivated by the need for high-performance policy evaluation when designing access control systems for Clouds using XACML (Ngo et al., 2011), and by related work on decision diagrams (Bryant, 1986, Strehl and Thiele, 2000, Christiansen and Fleury, 2004), policy evaluation approaches (Liu et al., 2011, Pina Ros et al., 2012) and the implementations reviewed in Turkmen and Crispo (2008), we analyze the logic behind the XACML standard and propose the Multi-data-type Interval Decision Diagram (MIDD) approach. Its data structures and operators transform policies into decision trees that boost policy evaluation performance while preserving the original semantics. We presented preliminary work in Ngo et al. (2013) containing the basic formulation of MIDDs; however, it still has some drawbacks in its logical analysis and related algorithms. In this paper, we improve and fix the following:
- We analyze the logic of XACML component evaluation, which is essentially a many-valued logic system with equivalent operators on different domains. Related work analyzed only simple cases with partial error-handling coverage (e.g. target expressions returning only ‘matched’ or ‘unmatched’, without errors). The algorithms in this paper are improved based on formulations from a complete logical analysis of XACML components; Section 3 clarifies this contribution.
- Based on the logical analysis, we split the MIDD definition of the preliminary work (Ngo et al., 2013) into the MIDD, for expressions whose target domain is VM, and the X-MIDD, for expressions whose target domain is VR. This facilitates the improved algorithms in Section 5.3.
- The algorithms in Section 6 support flexible critical-attribute settings in different match expressions, which was a drawback of Ngo et al. (2013).
The proposed mechanisms can also be applied to XACML policy management problems: transforming a complex policy tree into a unified decision tree facilitates tasks such as policy comparison, policy redundancy detection, policy testing and authorization reverse queries.
The rest of the paper is organized as follows. Section 2 reviews related work on policy analysis, management, integration and high-performance evaluation. Section 3 analyzes the XACML logic that provides the basis for the proposed solution. Section 4 formulates the approach to evaluating the complete logical expressions using interval decision diagrams. Section 5 defines fundamental operations for processing intervals, partitions and decision diagrams. These are used in our solution to transform XACML policies in Section 6. The proposed mechanism is then analyzed and validated in Section 7. Finally, Section 8 concludes the paper.
Section snippets
Related work
There are numerous prior works on access control policies that mainly focus on policy verification, analysis and testing to detect and remove redundancy (Fisler et al., 2005, Li and Tripunitara, 2006, Kolovski et al., 2007, Hu and Ahn, 2008). Fisler et al. (2005) used propositional logic in XACML to identify properties of given policies and analyze the change-impact of two policies to summarize their differences. The proposal was implemented in the Margrave project, using Multi-Terminal Binary
XACML abstractions
XACML elements (OASIS XACML, 2013) are organized in a hierarchical order, containing policysets, policies and rules. Each of them has a Target expression as the criterion for incoming requests. The returned decision is either defined in the rule's “effect” property, or is the combined decision of the children rules, policies or policysets.
Table 1 abstracts the main XACML elements on which our logical analysis focuses. More detail on the syntax of the XACML elements can be found in the OASIS XACML
Interval processing and MIDD operations
This section defines interval processing and MIDD composition operations, which are used to create MIDDs from XACML elements.
XACML transformations
In this section, using the operations defined above, we solve the XACML evaluation problem by parsing and transforming XACML policies or policysets into X-MIDDs with equivalent evaluation semantics. Besides much higher performance, our approach covers most of the important XACML features missing from related work:
- Support for complex comparison functions on continuous data types: the MIDD mechanism allows us to transform policies with inequality comparisons such as those in Listing 1.
- Handle all
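As an added, simplified illustration (not the paper's MIDD construction, which handles several data types and the full XACML logic), the following Python code shows the interval idea behind transforming inequality predicates on one numeric attribute: the endpoints of all rule intervals partition the value line into cells, each carrying the set of rules that match there, so a request needs one binary search instead of a comparison at every rule node. The rule names and intervals are constructed for the example.

```python
import bisect

INF = float("inf")

def build_partition(predicates):
    """predicates maps a rule name to the half-open intervals [lo, hi) it accepts.
    Returns (breakpoints, cells): the sorted breakpoints and, per elementary
    interval, the frozenset of rules whose predicate holds there. Adjacent
    cells with equal rule sets are merged (the decision-diagram reduction)."""
    points = sorted({p for ivs in predicates.values() for iv in ivs for p in iv})
    cells = []
    for lo, hi in zip(points, points[1:]):
        hit = frozenset(name for name, ivs in predicates.items()
                        if any(a <= lo and hi <= b for a, b in ivs))
        if cells and cells[-1][2] == hit:      # same decision as the previous cell: merge
            cells[-1] = (cells[-1][0], hi, hit)
        else:
            cells.append((lo, hi, hit))
    if not cells:
        return [], []
    return [c[0] for c in cells] + [cells[-1][1]], cells

def lookup(partition, value):
    """One binary search over the breakpoints replaces a comparison at every rule node."""
    points, cells = partition
    i = bisect.bisect_right(points, value) - 1
    return cells[i][2] if 0 <= i < len(cells) else frozenset()

# Constructed sample: three rules whose targets compare the numeric 'age' attribute.
AGE_RULES = {
    "adult":        [(18, 65)],    # 18 <= age < 65
    "senior":       [(65, INF)],   # age >= 65
    "strict_adult": [(21, INF)],   # age >= 21
}
AGE_PARTITION = build_partition(AGE_RULES)
```

The returned rule set for a cell is what a decision-diagram node would point to; a value outside every interval maps to the empty set, the not-applicable case.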
Features comparison
Based on the logical analysis in Section 3, our proposed mechanism covers most of the XACML features missing from prior work (e.g. Liu et al. (2011) and Pina Ros et al. (2012)):
- We fully support the XACML logical expressions analyzed in Section 3, with multiple data types and comparison operators.
- Our work preserves the original combining-algorithm semantics when handling indeterminate and not-applicable states: prior work could handle simple Permit or Deny decisions, but could not for
Conclusion
In this paper, we analyzed the logic behind XACML and then presented mechanisms to transform XACML operations with the aim of optimizing policy evaluation. The approach not only gains significant performance improvement but also preserves the original evaluation semantics. It can handle the complicated logical expressions defined in policies’ predicates, the correctness of combining-algorithm semantics, critical-attribute settings, and obligation and advice handling. Our tree structures can be used
Acknowledgments
This work is supported by the FP7 EU funded projects The Generalised Architecture for Dynamic Infrastructure Services (GEYSERS, FP7-ICT-248657), GN3plus and the Dutch national research program COMMIT.
Canh Ngo received the B.Eng. degree in Information Technology in 2006 from Hanoi University of Technology, Vietnam and MSc degree in Computer Engineering in 2008 from the Kyung Hee University, South Korea. Currently he is a PhD student of the System and Network Engineering (SNE) research group in the Faculty of Science at University of Amsterdam. His research interests include information security, access control, identity management systems, Cloud Computing and distributed systems.
References (27)
- Ramli et al. The logic of XACML. Sci Comput Program (2014)
- Bonatti et al. An algebra for composing access control policies. ACM Trans Information Syst Secur (TISSEC) (2002)
- Bruns and Huth. A simple and expressive semantic framework for policy composition in access control (2007)
- Bryant. Graph-based algorithms for boolean function manipulation. IEEE Trans Comput (1986)
- Christiansen and Fleury. An MTIDD based firewall. Telecommun Syst (2004)
- Fisler et al. Verification and change-impact analysis of access-control policies (2005)
- Fujita et al. Multi-terminal binary decision diagrams: an efficient data structure for matrix representation. Formal Methods Syst Des (1997)
- GEYSERS - generalised architecture for dynamic infrastructure services (2010)
- Hu and Ahn. Enabling verification and conformance testing for access control model (2008)
- Kolovski et al. Analyzing web access control policies (2007)
- Li and Tripunitara. Security analysis in role-based access control. ACM Trans Information Syst Secur (TISSEC) (2006)
- Liu et al. Xengine: a fast and scalable XACML policy evaluation engine (2008)
- Liu et al. Designing fast and scalable XACML policy evaluation engines. IEEE Trans Comput (2011)
Dr. Yuri Demchenko is a Senior Researcher in the System and Network Engineering group of the University of Amsterdam. He graduated from and received his PhD from the National Technical University of Ukraine “Kiev Polytechnic Institute”. His main research areas include Cloud and Intercloud Architecture, Big Data Infrastructure, general security architectures and distributed access control infrastructure for cloud-based services and data-centric applications. Yuri is an IEEE member and actively contributes to IEEE Cloud Computing Initiatives projects and to the organization of numerous conferences and workshops as co-chair and Program Committee member, e.g. the conferences CloudCom 2011-2014, CTS 2007-2013 and BDDAC 2013-2014.
Prof. Cees de Laat chairs the System and Network Engineering (SNE) research group in the Faculty of Science at University of Amsterdam. Research ranges from optical and switched networking, workflows for big data processing in PetaScale e-Science applications, Semantic Web to describe e-infrastructure resources, information complexity, Authorization architectures, Systems Security & Privacy. Prof. de Laat serves on the Lawrence Berkeley Laboratory Policy Board on ESnet, is co-founder of the GLIF.is, GRIDforum.nl and founding member of CineGrid.org. His group is/was part of EU projects CYCLONE, EuroBrazil, Geysers, NOVI, etc. For more info: http://delaat.net/.