Anomaly discovery and resolution in web access control policies

The advent of emerging technologies such as Web services, service-oriented architecture, and cloud computing has enabled us to perform business services more efficiently and effectively. However, while these technologies deliver more convenient services to Internet users, we still suffer from unintended security leakage caused by unauthorized actions in business services. Furthermore, designing and managing Web access control policies is often error-prone due to the lack of effective analysis mechanisms and tools. In this paper, we present an innovative policy anomaly analysis approach for Web access control policies. We focus on XACML (eXtensible Access Control Markup Language) policies, since XACML has become the de facto standard for specifying and enforcing access control policies for various Web-based applications and services. We introduce a policy-based segmentation technique to accurately identify policy anomalies and derive effective anomaly resolutions. We also discuss a proof-of-concept implementation of our method, called XAnalyzer, and demonstrate how efficiently our approach can discover and resolve policy anomalies.
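To make the notion of a policy anomaly concrete, the following is an added illustration written for this page; it is not the paper's XAnalyzer implementation nor its segmentation algorithm. It assumes a toy policy of XACML-style rules (each with a Permit or Deny effect and optional subject, resource and action constraints) over small, finite attribute domains, the real XACML rule-combining algorithm first-applicable, and two anomaly types that are assumed here for illustration: a conflict (a segment of the request space matched by rules with differing effects) and a redundancy (a rule whose removal changes no decision). The request space is partitioned into segments, one per distinct set of matching rules, so every request in a segment is decided the same way.

```python
"""Toy XACML-style policy anomaly check (added illustration, not the paper's XAnalyzer)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed finite attribute domains; a rule attribute of None means "any value".
DOMAINS = {
    "subject": ("doctor", "nurse", "patient"),
    "resource": ("record", "prescription"),
    "action": ("read", "write"),
}
Request = Tuple[str, str, str]  # (subject, resource, action)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str  # "Permit" or "Deny", as in XACML
    subject: Optional[FrozenSet[str]] = None
    resource: Optional[FrozenSet[str]] = None
    action: Optional[FrozenSet[str]] = None

    def matches(self, req: Request) -> bool:
        """A rule applies when every constrained attribute contains the request's value."""
        for value, allowed in zip(req, (self.subject, self.resource, self.action)):
            if allowed is not None and value not in allowed:
                return False
        return True


def request_space() -> List[Request]:
    """All possible requests over the finite domains, in a fixed order."""
    return list(product(DOMAINS["subject"], DOMAINS["resource"], DOMAINS["action"]))


def segment(rules: List[Rule]) -> Dict[Tuple[str, ...], List[Request]]:
    """Partition the request space into segments: requests matched by the same rule set."""
    segments: Dict[Tuple[str, ...], List[Request]] = {}
    for req in request_space():
        key = tuple(r.rule_id for r in rules if r.matches(req))
        segments.setdefault(key, []).append(req)
    return segments


def first_applicable(rules: List[Rule], req: Request) -> str:
    """XACML first-applicable: the first matching rule decides; otherwise NotApplicable."""
    for r in rules:
        if r.matches(req):
            return r.effect
    return "NotApplicable"


def find_conflicts(rules: List[Rule]) -> List[Tuple[Tuple[str, ...], List[Request]]]:
    """Segments covered by rules whose effects disagree (the combining algorithm hides this)."""
    by_id = {r.rule_id: r for r in rules}
    conflicts = []
    for key, reqs in segment(rules).items():
        if len({by_id[i].effect for i in key}) > 1:
            conflicts.append((key, sorted(reqs)))
    return conflicts


def find_redundant(rules: List[Rule]) -> List[str]:
    """Rules whose removal changes no decision anywhere in the request space."""
    redundant = []
    for r in rules:
        others = [o for o in rules if o is not r]
        if all(first_applicable(rules, q) == first_applicable(others, q)
               for q in request_space()):
            redundant.append(r.rule_id)
    return redundant


# Constructed sample policy. R4 is fully covered by R1 with the same effect (redundant);
# R2 and R3 both match (nurse, record, write) with opposite effects (conflict).
POLICY = [
    Rule("R1", "Permit", subject=frozenset({"doctor"})),
    Rule("R2", "Deny", subject=frozenset({"nurse"}), resource=frozenset({"record"}),
         action=frozenset({"write"})),
    Rule("R3", "Permit", subject=frozenset({"nurse"}), resource=frozenset({"record"})),
    Rule("R4", "Permit", subject=frozenset({"doctor"}), resource=frozenset({"record"}),
         action=frozenset({"read"})),
    Rule("R5", "Deny", subject=frozenset({"patient"}), action=frozenset({"write"})),
]

if __name__ == "__main__":
    for key, reqs in find_conflicts(POLICY):
        print("conflict among", key, "on", reqs)
    print("redundant rules:", find_redundant(POLICY))
```

Reporting anomalies per segment rather than per rule pair is what makes the output actionable: the conflict above is a single request segment with the two rules that disagree on it, so a resolution (reordering, narrowing a target, or changing the combining algorithm) can be chosen with its full effect visible. Scaling this beyond toy domains requires a symbolic representation of segments, such as the BDD-based encodings used in the policy-analysis literature, rather than enumeration.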
