DOI: 10.1145/2295136.2295153

Graph-based XACML evaluation

Published: 20 June 2012

Abstract

The amount of private information on the Internet is constantly increasing with the explosive growth of cloud computing and social networks. XACML is one of the most important standards for specifying access control policies for web services. As the number of XACML policies grows rapidly, evaluation time grows with it. The XEngine approach rearranges the matching tree according to the attributes used in the target sections, but for speed reasons it supports only equality of attribute values; for fast termination it transforms the combining algorithms into a first-applicable policy, which does not handle obligations correctly.
In our approach, all comparison functions defined in XACML, as well as obligations, are supported. In this paper we propose an optimization of XACML policy evaluation based on two tree structures. The first, called the Matching Tree, is built for fast searching of applicable rules. The second, called the Combining Tree, is used to evaluate the applicable rules. Finally, we propose an exploration method for the Matching Tree based on binary search. The experimental results show that our approach is orders of magnitude faster than Sun PDP.
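As an added illustration (not the paper's code; the abstract does not detail its tree layouts), a small Python model of the two ideas above: a Matching Tree that keeps one sorted key list per attribute and comparison function, so applicable rules are found by binary search for equality and ordered comparisons alike, and a combining step that returns obligations under deny-overrides, contrasted with the first-applicable rewrite that drops them. The rule layout, attribute names and sample policy are constructed assumptions.

```python
import bisect
from collections import defaultdict, namedtuple
# name, attribute inspected by the target, comparison function ('eq', 'ge': v >= value,
# 'lt': v < value), threshold, effect ('Permit'/'Deny'), obligations
Rule = namedtuple('Rule', 'name attr op value effect obligations', defaults=[()])

class MatchingTree:
    # Per (attribute, comparison function) one sorted key list plus the rules in the same
    # order, so the rules applicable to a request value always form one contiguous slice.
    def __init__(self, policy):
        self.order = {r.name: i for i, r in enumerate(policy)}   # policy order
        buckets = defaultdict(list)
        for r in policy:
            buckets[(r.attr, r.op)].append((r.value, self.order[r.name], r))
        self.index = {}
        for key, items in buckets.items():
            items.sort(key=lambda t: t[:2])
            self.index[key] = ([t[0] for t in items], [t[2] for t in items])

    def applicable(self, request):
        found = []
        for (attr, op), (keys, rules) in self.index.items():
            if attr not in request:
                continue
            v = request[attr]
            if op == 'eq':        # keys equal to v
                lo, hi = bisect.bisect_left(keys, v), bisect.bisect_right(keys, v)
            elif op == 'ge':      # v >= key: every key up to v
                lo, hi = 0, bisect.bisect_right(keys, v)
            else:                 # 'lt', v < key: every key above v
                lo, hi = bisect.bisect_right(keys, v), len(keys)
            found.extend(rules[lo:hi])
        return sorted(found, key=lambda r: self.order[r.name])

def combine(rules, algorithm='deny-overrides'):
    # deny-overrides: Deny wins and the obligations of every rule sharing the final effect are
    # returned; first-applicable (the rewrite) keeps only the first matching rule's obligations.
    if not rules:
        return 'NotApplicable', []
    if algorithm == 'first-applicable':
        return rules[0].effect, list(rules[0].obligations)
    decision = 'Deny' if any(r.effect == 'Deny' for r in rules) else 'Permit'
    return decision, [o for r in rules if r.effect == decision for o in r.obligations]
POLICY = [  # constructed sample policy, not data from the paper
    Rule('r1', 'age', 'ge', 18, 'Permit', ['log-access']),
    Rule('r2', 'role', 'eq', 3, 'Permit', ['notify-owner']),
    Rule('r3', 'age', 'lt', 13, 'Deny', ['notify-guardian']),
    Rule('r4', 'role', 'eq', 9, 'Deny'),
]
TREE = MatchingTree(POLICY)
```

For a request with age 10 and role 3, deny-overrides yields Deny with the guardian obligation, while the first-applicable rewrite yields Permit with only the owner obligation.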



Published In

SACMAT '12: Proceedings of the 17th ACM symposium on Access Control Models and Technologies
June 2012
242 pages
ISBN:9781450312950
DOI:10.1145/2295136
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. evaluation
  2. xacml

Qualifiers

  • Research-article

Conference

SACMAT '12

Acceptance Rates

SACMAT '12 paper acceptance rate: 19 of 73 submissions, 26%
Overall acceptance rate: 177 of 597 submissions, 30%

Article Metrics

  • Downloads (last 12 months): 6
  • Downloads (last 6 weeks): 1
Reflects downloads up to 20 Jan 2025

Other Metrics

Citations

Cited By

  • (2024) Vinia: Voice-enabled intent-based networking for industrial automation. Computer Science and Information Systems, 21(1):395-418, 2024. doi:10.2298/CSIS230213002B
  • (2024) Research on Authorization Model of Attribute Access Control Based on Knowledge Graph. Ubiquitous Security, pages 348-359, 13 March 2024. doi:10.1007/978-981-97-1274-8_23
  • (2022) ANNPDP: An Efficient and Stable Evaluation Engine for Large-Scale Policy Sets. IEEE Transactions on Services Computing, 15(4):1926-1939, 1 July 2022. doi:10.1109/TSC.2020.3026138
  • (2022) An efficient density peak cluster algorithm for improving policy evaluation performance. Scientific Reports, 12(1), 23 March 2022. doi:10.1038/s41598-022-08637-8
  • (2021) Demo: Attribute-Stream-Based Access Control (ASBAC) with the Streaming Attribute Policy Language (SAPL). Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, pages 95-97, 11 June 2021. doi:10.1145/3450569.3464397
  • (2021) In-Memory Policy Indexing for Policy Retrieval Points in Attribute-Based Access Control. Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, pages 59-70, 11 June 2021. doi:10.1145/3450569.3463562
  • (2021) ProFact: A Provenance-Based Analytics Framework for Access Control Policies. IEEE Transactions on Services Computing, 14(6):1914-1928, 1 November 2021. doi:10.1109/TSC.2019.2900641
  • (2020) Policy Evaluation and Dynamic Management Based on Matching Tree for XACML. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 1530-1535, December 2020. doi:10.1109/TrustCom50675.2020.00209
  • (2020) XACBench: a XACML policy benchmark. Soft Computing, 21 April 2020. doi:10.1007/s00500-020-04925-5
  • (2019) An Access Control Implementation Targeting Resource-constrained Environments. 2019 15th International Conference on Network and Service Management (CNSM), pages 1-6, October 2019. doi:10.23919/CNSM46954.2019.9012689
