XACML Policies Research Articles

Detecting conflict of heterogeneous access control policies

Policy conflicts may cause substantial economic losses. Although a large amount of effort has been spent on detecting intra-domain policy conflict, it can not detect conflicts of heterogeneous policies. In this paper, considering background knowledge, we propose a conflict detection mechanism to search and locate conflicts of heterogeneous policies. First, we propose a general access control model to describe authorization mechanisms of cloud service and a translation scheme designed to translate a cloud service policy to an Extensible Access Control Markup Language (XACML) policy. Then the scheme based on Multi-terminal Multi-data-type Interval Decision Diagram (MTMIDD) and Extended MTMIDD (X-MTMIDD) is designed to represent XACML policy and search the conflict among heterogeneous policies. To reduce the rate of false positives, the description logic is used to represent XACML policy and eliminate false conflicts. Experimental results show the efficiency of our scheme.

An Effective Naming Heterogeneity Resolution for XACML Policy Evaluation in a Distributed Environment

Policy evaluation is a process to determine whether a request submitted by a user satisfies the access control policies defined by an organization. Naming heterogeneity between the attribute values of a request and a policy is common due to syntactic variations and terminological variations, particularly among organizations of a distributed environment. Existing policy evaluation engines employ a simple string equal matching function in evaluating the similarity between the attribute values of a request and a policy, which are inaccurate, since only exact match is considered similar. This work proposes several matching functions which are not limited to the string equal matching function that aim to resolve various types of naming heterogeneity. Our proposed solution is also capable of supporting symmetrical architecture applications, in which the organization can negotiate with the users for the release of their resources and properties that raise privacy concerns. The effectiveness of the proposed matching functions on real XACML policies, designed for universities, conference management, and the health care domain, is evaluated. The results show that the proposed solution has successfully achieved higher percentages of Recall and F-measure compared with the standard Sun’s XACML implementation, with our improvement, these measures gained up to 70% and 57%, respectively.

Proposal for a Secure Data Sharing and Processing in Cloud Applications for Healthcare Domain

Information Technology (IT) services have become an inherent component in almost all sectors. Similarly, the health sector has been recently integrating IT to meet the growing demand for medical data exchange and storage. Currently, cloud has become a real hosting alternative for traditional on-permise software. In this model, not only do health organizations have access to a wide range of services but most importantly they are charged based on the usage of these cloud applications. However, especially in the healthcare domain, cloud computing deems challenging as to the sensitivity of health data. This work aims at improving access to medical data and securely sharing them across healthcare professionals, allowing real-time collaboration. From these perspectives, they propose a hybrid cryptosystem based on AES and Paillier to prevent the disclosure of confidential data, as well as computing encrypted data. Unlike most other solutions, the proposed framework adopts a proxy-based architecture to tackle some issues regarding privacy concerns and access control. Subsequently, this system typically guarantees that only authorized users can view or use specific resources in a computing environment. To this aim, they use eXtensible Access Control Markup Language (XACML) standard to properly design and manage access control policies. In this study, they opt for the (Abbreviated Language for Authorization) ALFA tool to easily formulate XACML policies and define complex rules. The simulation results show that the proposal offers simple and efficient mechanisms for the secure use of cloud services within the healthcare domain. Consequently, this framework is an appropriate method to support collaboration among all entities involved in medical information exchange.

An efficient policy evaluation engine for XACML policy management

In recent years, XACML (eXtensible Access Control Markup Language) has been widely used in the development of various applications, especially Web services. The evaluation time of a PDP (Policy Decision Point) grows significantly when the PDP loads a large-scale policy set coded in XACML. In order to improve the PDP evaluation performance, we propose an optimized policy evaluation engine, namely XDLEngine, and make the following contributions. First, XDLEngine has an advantage in the process of handling a large-scale policy set, and innovatively adopts the LDA (Latent Dirichlet Allocation) topic model to cluster policies. Second, according to the clustering results of the LDA model, we digitize and vectorize all rules in policy sets, which facilitates the rule matching. Third, the cosine similarity is introduced to classify the rules under each topic, which greatly reduces the number of comparisons in the process of rule matching and improves the matching efficiency of XDLEngine. Finally, due to the independence between different topics, we use a multi-threaded parallel search in the process of rule matching, which significantly lowers the evaluation time of XDLEngine. The experimental results show that when the number of requests reaches 20,000, the evaluation time of XDLEngine for a practical large-scale policy set with 120,000 rules is approximately 2.48%, 3.47% and 3.68% of that of the Sun PDP, XEngine and HPEngine, respectively.

Clustering and supervised response for XACML policy evaluation and management

To meet the increasingly complex requirements in access control using XACML (eXtensible Access Control Markup Language), it is necessary for a policy decision engine to deal with large-scale policy sets and intensively abundant requests efficiently. A practical policy evaluation engine, namely CSRM, is proposed to tackle this problem. The PDP (Policy Decision Point) in traditional policy decision engines is replaced by a new component ESPDP (Efficient Searching Policy Decision Point). CK-means algorithm is studied in this paper to perform clustering among all policies in a policy set. ESPDP is adopted to construct a virtual mapping table on the basis of the result of the CK-means algorithm. The virtual mapping table stores the relationship between subject attributes and policies, such that the irrelevant polices are excluded when rule search is carried out. Besides, the rules in every policy are merged according to particular principles, thus saving storage space and greatly speeding up rule search. When responding to intensive requests, a supervised response method is applied to determine an optimal rule search order by analyzing the response to the requests in a short period. The experimental results on four practical datasets demonstrate that our proposed CSRM outperforms some classic and state-of-the-art methods when dealing with large-scale policy sets. With high practicality and wide applicability, CSRM effectively eliminates the bottlenecks of improving PDP evaluation performance, and can respond to requests efficiently when handling large-scale policy sets.

A rewriting system for the assessment of XACML policies relationship

We propose in this paper a new approach to assess the relationship between XACML policies. Our approach spans over three steps. In the first one, the XACML policies are mapped to terms of a Boolean ring while taking into account XACML policy and rule combining algorithms. In the second step, the relationship problem between XACML policies is transformed into a validity problem in a Boolean ring. In the third step, the validity problem is resolved using a dedicated rewriting system. The convergence of the rewriting system is proved in this paper. Moreover, the approach is implemented and its performance is evaluated. The results show that our approach enjoys better performance and memory cost than the best so far published SMT based approach.

XACBench: a XACML policy benchmark

XACBench: a XACML policy benchmark

XACMET: XACML Testing & Modeling

In the context of access control systems, testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. In XACML-based access control systems, incoming access requests are transmitted to the policy decision point (PDP) that grants or denies the access based on the defined XACML policies. The criticality of a PDP component requires an intensive testing activity consisting in probing such a component with a set of requests and checking whether its responses grant or deny the requested access as specified in the policy. Existing approaches for improving manual derivation of test requests such as combinatorial ones do not consider policy function semantics and do not provide a verdict oracle. In this paper, we introduce XACMET, a novel approach for systematic generation of XACML requests as well as automated model-based oracle derivation. The main features of XACMET are as follows: (i) it defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation; (ii) it derives a set of test requests via full-path coverage of this graph; (iii) it derives automatically the expected verdict of a specific request execution by executing the corresponding path in such graph; (iv) it allows us to measure coverage assessment of a given test suite. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.

Establishment of rule dictionary for efficient XACML policy management

In order to improve the evaluation efficiency of the XACML policy, the storage principle of the rule dictionary is analyzed and the XACML policy evaluation engine XDPMOE is proposed. This is a new XACML policy management optimization scheme based on bitmap storage and HashMap. First of all, we acquire numeralization policy set, establish the rule dictionary based on the array sequential storage structure, and use the rule dictionary to quickly index the policy rules to improve the efficiency of the policy evaluation. Secondly, bitmaps are used to store policy set, which reduces the space complexity of the engine. By simulating the arrival of the access request, the experimental results show that (1) By reordering the policy set, the time spent by the policy set in storing the bitmap is greatly reduced, and that (2) The average evaluation efficiency of XDPMOE has significantly improved compared to the Sun PDP, HPEngine and XEngine. The hash matching algorithm based on bitmap storage not only takes up less storage space, but also can improve the matching efficiency to a great extent.

A blockchain based approach for the definition of auditable Access Control systems

This work proposes to exploit blockchain technology to define Access Control systems that guarantee the auditability of access control policies evaluation. The key idea of our proposal is to codify attribute-based Access Control policies as smart contracts and deploy them on a blockchain, hence transforming the policy evaluation process into a completely distributed smart contract execution. Not only the policies, but also the attributes required for their evaluation are managed by smart contracts deployed on the blockchain. The auditability property derives from the immutability and transparency properties of blockchain technology. This paper not only presents the proposed Access Control system in general, but also its application to the innovative reference scenario where the resources to be protected are themselves smart contracts. To prove the feasibility of our approach, we present a reference implementation exploiting XACML policies and Solidity written smart contracts deployed on the Ethereum blockchain. Finally, we evaluate the system performances through a set of experimental results, and we discuss the advantages and drawbacks of our proposal.

A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control

Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use web enabled remote access coupled with applications access distributed on the various networks facing various challenges including increase operation burden, monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information and not applicable for another context. The current access control models are static and lack of Dynamic Segregation of Duties (SoD), Task instance level of Segregation and decision making in real time. This paper addresses the limitations and supports access management in borderless network environment with dynamic SoD capability at real time access control decision making and policy enforcement. This research makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control using the existing task and workflow concepts. It integrates the dynamic SoD considering the task instance restriction to ensure overall access governance and accountability. It enhances the existing access control models such as RBAC by dynamically granting users access right and providing Access governance. ii) Extended the OASIS standard of XACML policy language to support the dynamic access control requirements and enforce the access control rules for real time decision making to mitigate risk relating to access control such as escalation of privilege in broken access control and insufficient logging and monitoring iii) The model is implemented using open source Balana policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that, AW-TRBAC is scalable consuming relatively large number of complex request and able to meet the requirements of dynamic access control characteristics.

On‐line tracing of XACML‐based policy coverage criteria

Currently, eXtensible Access Control Markup Language (XACML) has becoming the standard for implementing access control policies and consequently more attention is dedicated to testing the correctness of XACML policies. In particular, coverage measures can be adopted for assessing test strategy effectiveness in exercising the policy elements. This study introduces a set of XACML coverage criteria and describes the access control infrastructure, based on a monitor engine, enabling the coverage criterion selection and the on-line tracing of the testing activity. Examples of infrastructure usage and of assessment of different test strategies are provided.

Analyzing XACML policies using answer set programming

With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.

XACML 정책 평가에 영향을 미치는 문맥적 요소 및 추가 정보의 효과적인 수집 방안

접근 제어 분야에서 정책 충돌 문제는 반드시 해결되어야 하는 이슈이며, 이를 위한 다양한 해결 방법들이 연구 및 개발되고 있다. 정책 충돌을 해결하기 위해서는 충돌 원인을 먼저 확인해야 하며, 이를 위한 최소한의 조건으로써 정책 평가 결정에 영향을 준 정책의 문맥적 요소를 탐지할 필요가 있다. XACML 정책 언어 명세에 이를 정의하는 기능이 있으나 정책 작성자가 모든 문맥적 요소마다 일일이 정의해야 하는 한계를 가진다. 또한, 정책 충돌의 원인 파악을 위해서는 문맥적 요소 이외에 다른 정책 조합알고리즘과 같은 추가적인 정보도 알아야 할 필요가 있다. 본 논문에서는 정책 충돌의 원인이 되는 문맥적 요소 및 추가 정보를 파악하기 위한 효과적인 방안을 제시한다.

Establishment of attribute bitmaps for efficient XACML policy evaluation

One of the primary challenges to apply the access control policy language XACML is the performance problem of the policy decision point (PDP), particularly when the PDP experience a great number of policies. The research on improving the PDP evaluation performance is of great significance. By combining with automaton theory an efficient policy decision engine is constructed in this paper, and attribute bitmaps are established statically for each subject, resource and action attribute of policies loaded by the policy decision engine. In evaluating access requests, the policy decision engine dynamically analyzes the requests and extracts the required attribute bitmaps to enforce the AND operation. According to the result of the AND operation, the policy decision engine matches the policies rapidly and gives out an authorization decision. The time that the policy decision engine takes to complete the evaluation of one access request is within 0.5 microsecond. This method not only greatly saves the storage space of policies, but also significantly reduces the time that the PDP takes to match the policies and evaluate access requests. Comparisons of the evaluation time taken by the policy decision engine with that taken by the Sun PDP, as well as XEngine and SBA-XACML, are made under different numbers of access requests. Experimental results show that the evaluation performance of the policy decision engine has a great improvement over that of the Sun PDP, XEngine and SBA-XACML.

Modeling XACML Security Policies Using Graph Databases

XACML is a precise and complete access control language that defines an architecture to deploy access control services in a fine-grained way. However, when the number and complexity of policies increases, XACML suffers from performance problems. This problem has been analyzed by the research community, and the solutions proposed in the literature aim toward changing how security policies are stored. Many solutions do this by representing XACML policies in a graph data structure. However, these solutions increase performance but drastically decrease functionality. With this in mind, the authors developed a way of modeling and storing XACML policies in a graph database. One of the most striking features of this database is the high performance offered in operations over the data. Therefore, even if security policies are included in this database, the performance property is assured automatically. Moreover, due to the power of the engines and connectors this database offers, all the functions defined by XACML are available. To show our proposals viability, we designed a prototype.

Formal analysis of XACML policies using SMT

The eXtensible Access Control Markup Language (XACML) has attracted significant attention from both industry and academia, and has become the de facto standard for the specification of access control policies. However, its XML-based verbose syntax and rich set of constructs make the authoring of XACML policies difficult and error-prone. Several automated tools have been proposed to analyze XACML policies before their actual deployment. However, most of the existing tools either cannot efficiently reason about non-Boolean attributes, which often appear in XACML policies, or restrict the analysis to a small set of properties. This work presents a policy analysis framework for the verification of XACML policies based on SAT modulo theories (SMT). We show how XACML policies can be encoded into SMT formulas, along with a query language able to express a variety of well-known security properties, for policy analysis. By being able to reason over non-Boolean attributes, our SMT-based policy analysis framework allows a fine-grained policy analysis while relieving policy authors of the burden of defining an appropriate level of granularity of the analysis. An evaluation of the framework shows that it is computationally efficient and requires less memory compared to existing approaches.

Formal specification and integration of distributed security policies

We propose in this paper the Security Policy Language (SePL), which is a formal language for capturing and integrating distributed security policies. The syntax of SePL includes several operators for the integration of policies and it is endowed with a denotational semantics that is a generic semantics, i.e., which is independent of any evaluation environment. We prove the completeness of SePL with respect to set theory. Furthermore, we provide a formalization of a large subset of the eXtensible Access Control Markup Language (XACML), which is the well-known standard informal specification language of Web security policies. We also provide a semantics for XACML policy combining algorithms.

Location attestation and access control for mobile devices using GeoXACML

Access control has been applied in various scenarios in the past for negotiating the best policy. Solutions with XACML for access control has been very well explored by research and have resulted in significant contributions to various sectors including healthcare. In controlling access to the sensitive data such as medical records, it is important to guarantee that the data is accessed by the right person for the right reason. Location of access requestor can be a good indication for his/her eligibility and reasons for accessing the data. To reason with geospatial information for access control, Geospatial XACML (eXtensible Access Control Markup Language) is proposed as a standard. However, there is no available implementation and architecture for reasoning with Geospatial XACML policies. This paper proposes to extend XACML with geohashing to implement geospatial policies. It also proposes an architecture for checking reliability of the geospatial information provided by clients. With a case study, we demonstrate how our framework can be used to control the privacy and data access of health service data in handheld devices.

Analysis and Verification of XACML Policies in a Medical Cloud Environment

The connectivity of devices, machines and people via Cloud infrastructure can support collaborations among doctors and specialists from different medical organisations. Such collaborations may lead to data sharing and joint tasks and activities. Hence, the collaborating organisations are responsible for managing and protecting data they share. Therefore, they should define a set of access control policies regulating the exchange of data they own. However, existing Cloud services do not offer tools to analyse these policies. In this paper, we propose a Cloud Policy Verification Service (CPVS) for the analysis and the verification of access control policies specified using XACML. The analysis process detects anomalies at two policy levels: a) intra-policy: detects discrepancies between rules within a single security policy (conflicting rules and redundancies), and b) inter-policies: detects anomalies between several security policies such as inconsistency and similarity. The verification process consists in verifying the completeness property which guarantees that each access request is either accepted or denied by the access control policy. In order to demonstrate the efficiency of our method, we also provide the time and space complexities. Finally, we present the implementation of our method and demonstrate how efficiently our approach can detect policy anomalies.