CPOL

Abstract

Policy enforcement is an integral part of many applications. Policies are often used to control access to sensitive information. Current policy specification languages give users fine-grained control over when and how information can be accessed, and are flexible enough to be used in a variety of applications. Evaluation of these policies, however, is not optimized for performance. Emerging applications, such as real-time enforcement of privacy policies in a sensor network or location-aware computing environment, require high throughput. Our experiments indicate that current policy enforcement solutions are unable to deliver the level of performance needed for such systems, and limit their overall scalability. To deal with the need for high-throughput evaluation, we propose CPOL, a flexible C++ framework for policy evaluation. CPOL is designed to evaluate policies as efficiently as possible, and still maintain a level of expressiveness comparable to current policy languages. CPOL achieves its performance goals by efficiently evaluating policies and caching query results (while still preserving correctness). To evaluate CPOL, we ran a simulated workload of users making privacy queries in a location-sensing infrastructure. CPOL was able to handle policy evaluation requests two to six orders of magnitude faster than a MySql implementation and an existing policy evaluation system. We present the design and implementation of CPOL, a high-performance policy evaluation engine, along with our testing methodology and experimental results.