Refactoring access control policies for performance improvement

In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of real-life Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

[1]  Yves Le Traon,et al.  A Model-Based Framework for Security Policy Specification, Deployment and Testing , 2008, MoDELS.

[2]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[3]  Frédéric Cuppens,et al.  Organization based access control , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[4]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[5]  Yves Le Traon,et al.  Test-Driven Assessment of Access Control in Legacy Applications , 2008, 2008 1st International Conference on Software Testing, Verification, and Validation.

[6]  Tao Xie,et al.  Xengine: a fast and scalable XACML policy evaluation engine , 2008, SIGMETRICS '08.

[7]  Jorge Lobo,et al.  Policy decomposition for collaborative access control , 2008, SACMAT '08.

[8]  Philip Miseldine,et al.  Automated xacml policy reconfiguration for evaluation optimisation , 2008, SESS '08.

[9]  Carl A. Gunter,et al.  MyABDAC: compiling XACML policies for attribute-based database access control , 2011, CODASPY '11.

[10]  Jong-Deok Choi,et al.  Finding and Removing Performance Bottlenecks in Large Systems , 2004, ECOOP.

[11]  Yves Le Traon,et al.  Transforming and Selecting Functional Test Cases for Security Policy Testing , 2009, 2009 International Conference on Software Testing Verification and Validation.

[12]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[13]  Anna Cinzia Squicciarini,et al.  Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation , 2009, 2009 IEEE International Symposium on Policies for Distributed Systems and Networks.

[14]  Roch Guérin,et al.  A Framework for Policy-based Admission Control , 2000, RFC.

[15]  Tao Xie,et al.  Defining and Measuring Policy Coverage in Testing Access Control Policies , 2006, ICICS.