Establishment of attribute bitmaps for efficient XACML policy evaluation

Abstract One of the primary obstacles to deploying the access control policy language XACML is the performance of the policy decision point (PDP), particularly when the PDP must evaluate requests against a large number of policies, so improving PDP evaluation performance is of real significance. This paper constructs an efficient policy decision engine by drawing on automaton theory: attribute bitmaps are built statically for each subject, resource and action attribute of the policies loaded into the engine. When evaluating an access request, the engine analyzes the request dynamically, retrieves the bitmaps for the attribute values the request carries, and ANDs them; the result of the AND operation identifies the matching policies directly, and the engine derives an authorization decision from it. The engine completes the evaluation of one access request in under 0.5 microseconds. The method both substantially reduces the storage space required for policies and significantly reduces the time the PDP takes to match policies and evaluate requests. The evaluation time of the policy decision engine is compared with that of the Sun PDP, XEngine and SBA-XACML under varying numbers of access requests; the experimental results show a large performance improvement over all three.
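The following is an added illustration of the bitmap-AND matching idea described in the abstract; it is example code written for this page, not the paper's engine. It assumes a simplified XACML model: each policy targets a set of subject, resource and action values (an empty set meaning any value), a request carries one value per category, and an optional condition callable stands in for XACML rule conditions. Policy names, attribute values and the combining algorithms shown are constructed for the example.

```python
"""Attribute-bitmap prefilter for XACML-style policy matching (illustrative).

At load time, for each attribute category, build a map from attribute value to a
bitmask of the policies whose target accepts that value, plus a wildcard mask for
policies whose target accepts any value in that category. A request is evaluated
by looking up one mask per category and AND-ing them; only the surviving bits can
match, so the per-request work no longer scales with the number of policies.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

CATEGORIES = ("subject", "resource", "action")


@dataclass(frozen=True)
class Policy:
    pid: str
    effect: str                                   # "Permit" or "Deny"
    subject: FrozenSet[str] = frozenset()         # empty set = any subject
    resource: FrozenSet[str] = frozenset()        # empty set = any resource
    action: FrozenSet[str] = frozenset()          # empty set = any action
    # Hypothetical stand-in for an XACML rule condition; evaluated only for
    # policies that survive the bitmap prefilter.
    condition: Optional[Callable[[Dict[str, str]], bool]] = None


class BitmapPDP:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = list(policies)
        self.value_masks: Dict[str, Dict[str, int]] = {c: {} for c in CATEGORIES}
        self.any_mask: Dict[str, int] = {c: 0 for c in CATEGORIES}
        for i, p in enumerate(self.policies):
            bit = 1 << i
            for c in CATEGORIES:
                values = getattr(p, c)
                if not values:                    # wildcard target for this category
                    self.any_mask[c] |= bit
                for v in values:
                    self.value_masks[c][v] = self.value_masks[c].get(v, 0) | bit

    def candidates(self, request: Dict[str, str]) -> int:
        """AND one mask per category; bit i set => policy i's target matches."""
        mask = (1 << len(self.policies)) - 1
        for c in CATEGORIES:
            mask &= self.any_mask[c] | self.value_masks[c].get(request.get(c), 0)
        return mask

    def candidate_indices(self, request: Dict[str, str]) -> List[int]:
        mask = self.candidates(request)
        return [i for i in range(len(self.policies)) if (mask >> i) & 1]

    def evaluate(self, request: Dict[str, str], combining: str = "first-applicable") -> str:
        effects = []
        for i in self.candidate_indices(request):      # ascending = policy order
            p = self.policies[i]
            if p.condition is None or p.condition(request):
                effects.append(p.effect)
                if combining == "first-applicable":
                    break
        if not effects:
            return "NotApplicable"
        if combining == "first-applicable":
            return effects[0]
        if combining == "deny-overrides":
            return "Deny" if "Deny" in effects else "Permit"
        raise ValueError(f"unknown combining algorithm: {combining}")


def naive_matches(policies: List[Policy], request: Dict[str, str]) -> List[int]:
    """Linear-scan reference used to cross-check the bitmap prefilter."""
    return [i for i, p in enumerate(policies)
            if all(not getattr(p, c) or request.get(c) in getattr(p, c) for c in CATEGORIES)]


# Constructed sample policy set (not from the paper).
POLICIES = [
    Policy("P0", "Deny", subject=frozenset({"guest"}), resource=frozenset({"/admin"})),
    Policy("P1", "Permit", subject=frozenset({"alice", "bob"}),
           resource=frozenset({"/reports"}), action=frozenset({"read"})),
    Policy("P2", "Permit", resource=frozenset({"/public"}), action=frozenset({"read"})),
    Policy("P3", "Deny", action=frozenset({"delete"}),
           condition=lambda r: r.get("env") != "maintenance"),
    Policy("P4", "Permit", subject=frozenset({"alice"}), resource=frozenset({"/reports"}),
           action=frozenset({"write", "delete"})),
]

if __name__ == "__main__":
    pdp = BitmapPDP(POLICIES)
    req = {"subject": "alice", "resource": "/reports", "action": "delete"}
    print(f"candidates={pdp.candidates(req):05b} decision={pdp.evaluate(req)}")
```

Two practical caveats the abstract's numbers do not cover: the bitmap stage only replaces target matching, so rule conditions (and obligations) still have to be evaluated for each surviving candidate, and attribute values not seen at load time simply map to an empty mask, so a request with an unknown value can only match wildcard policies, which is the correct XACML semantics for a target that does not match.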

[1] Yves Le Traon et al. Transforming and Selecting Functional Test Cases for Security Policy Testing, 2009, 2009 International Conference on Software Testing Verification and Validation.

[2] Cees T. A. M. de Laat et al. Decision Diagrams for XACML Policy Evaluation and Management, 2015, Comput. Secur.

[3] Jorge Lobo et al. Privacy-aware role-based access control, 2010.

[4] Tao Xie et al. Designing Fast and Scalable XACML Policy Evaluation Engines, 2011, IEEE Transactions on Computers.

[5] Anna Cinzia Squicciarini et al. Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy Evaluation, 2011, IEEE Transactions on Services Computing.

[6] Wang Ya et al. XACML Policy Evaluation Engine Based on Multi-Level Optimization Technology, 2011.

[7] Tao Xie et al. XEngine: a fast and scalable XACML policy evaluation engine, 2008, SIGMETRICS '08.

[8] Evan Martin et al. Automated test generation for access control policies, 2006, OOPSLA '06.

[9] Azzam Mourad et al. SBA-XACML: Set-based approach providing efficient policy decision process for accessing Web services, 2015, Expert Syst. Appl.

[10] Félix Gómez Mármol et al. Graph-based XACML evaluation, 2012, SACMAT '12.

[11] Xu Wei-min. Study of XACML Policy Based on Description Logic, 2013.

[12] Flemming Nielson et al. The Logic of XACML, 2011, FACS.

[13] Francesco Tiezzi et al. Formalisation and Implementation of the XACML Access Control Mechanism, 2012, ESSoS.

[14] Yves Le Traon et al. A Model-Based Framework for Security Policy Specification, Deployment and Testing, 2008, MoDELS.

[15] Charles V. Wright et al. Uncovering Spoken Phrases in Encrypted Voice over IP Conversations, 2010, TSEC.

[16] Ramzi A. Haraty et al. Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies, 2015, Comput. Electr. Eng.

[17] Yves Le Traon et al. Test-Driven Assessment of Access Control in Legacy Applications, 2008, 2008 1st International Conference on Software Testing, Verification, and Validation.

[18] Yuri Demchenko et al. On the Use of SMT Solving for XACML Policy Evaluation, 2016, 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom).

[19] Azzam Mourad et al. New XACML-AspectBPEL approach for composite web services security, 2013, Int. J. Web Grid Serv.

[20] Tong Liu et al. Beyond Scale: An Efficient Framework for Evaluating Web Access Control Policies in the Era of Big Data, 2015, IWSEC.

[21] Yves Le Traon et al. Refactoring access control policies for performance improvement, 2012, ICPE '12.

[22] Bhavani M. Thuraisingham et al. Role-Based Integrated Access Control and Data Provenance for SOA Based Net-Centric Systems, 2011, IEEE Transactions on Services Computing.