Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine
Canh Ngo, Marc X. Makkes, Yuri Demchenko, Cees de Laat
System and Network Engineering Group, University of Amsterdam
PST 2013, Tarragona, July 12, 2013

XACML: Architecture
[Figure: XACML overview (data-flow diagram). Components: Access Requester, PEP, Obligation service, Context handler, PDP, PAP, PIP, Subjects, Resource, Environment. Numbered flows: 1. Policies (PAP to PDP); 2. Request (access requester to PEP); 3. Req (PEP to context handler); 4. Req (context handler to PDP); 5. attr query (PDP to context handler); 6. attr query (context handler to PIP); 7a. Subj attrs, 7b. Env attrs, 7c. Res attrs (Subjects, Environment and Resource to PIP); 8. attributes (PIP to context handler); 9. Res content (Resource to context handler); 10. attrs (context handler to PDP); 11. Resp (PDP to context handler); 12. Resp (context handler to PEP); 13. Obligations (PEP to obligation service).]

Motivation
• XACML policy analysis and evaluation
– High performance evaluation
– Solve Indeterminate states handling
– Complex XACML logic expressions
– Support XACML analysis and verification
[*] Multiple Indeterminate states in XACML 3.0: Indeterminate, Indeterminate(D), Indeterminate(P), Indeterminate(DP)

Related work
• Current implementations:
– Mechanisms: brute-force search, caching decisions
– SunXACML [1]: XACML 2.0 standard implementation, 100-200 req/s
– Enterprise-XACML [2]: XACML 2.0, caching optimizations
• Policy verification and management
– XACML verification with binary decision diagrams [3]
– Redundancy detection and policy optimization using description logic [4]
– Policy integration algebra with binary decision diagrams [5]
1. http://sunxacml.sourceforge.net/
2. http://code.google.com/p/enterprise-java-xacml/
3. K. Fisler et al. Verification and change-impact analysis of access-control policies. (ICSE '05)
4. V. Kolovski et al. Analyzing web access control policies. (WWW '07)
5. P. Rao et al. An algebra for fine-grained integration of XACML policies. (SACMAT '09)

Related work: XACML policy evaluation
• Marouf et al. [6]:
– Using statistics to cluster frequently evaluated rules/policies to the top levels
• Liu et al. [7]: XEngine
– Mechanism: using firewall decision diagrams to transform XACML policies into flat policies; numericalize predefined values
– Pros: very high performance
– Cons: only supports "=" operators and a fixed number of attribute values; incorrect Indeterminate states processing
6. S. Marouf et al. Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation. 2009
7. A. Liu et al. Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers, 2011

Related work: XACML policy evaluation
• Ros et al. [8]: Graph-based XACML evaluation
– Mechanism: improved [6] with more comparison operators
– Cons: supports only a subset of XACML policies
• Ignores XACML Indeterminate states (*)
• "MustBePresent" (**) property: handles missing attributes in requests
• Data interval processing: handles only simple forms of Target logic expressions
8. S. Ros et al. Graph-based XACML evaluation. (SACMAT '12)
(*) XACML 3.0 has multiple decision values: Permit (P), Deny (D), NotApplicable (NA), Indeterminate states (INDP, IND, INP)
[Figure: sample policy P0 with CombiningAlgo="Deny-overrides" and target (resId="data") ^ (action="r"), containing rules R1 (Deny), R2 (Permit) and R3 (Permit) whose targets use the matches (role="guests") and (role="manager") ^ (resId="data") ^ (action="w"). For the request R(<role missing>, data, r), a PDP that ignores Indeterminate states computes DO(NA, P, NA) = P, whereas the PDP* that handles them computes DO(IND, P, INP) = INDP.]

XACML Analysis: Attribute logic expressions
• Request: $X = \{x_1, x_2, \ldots, x_n\}$
• Match expression: $m_k := (x, f, v)$
• Target Expression
– AllOf expression: $\bigwedge_k m_k$
– AnyOf expression: $\bigvee_j \bigwedge_k m_k$
– $T(X) = \bigwedge_i \bigvee_j \bigwedge_k m_k$
• Matching rule logic condition path: $\bigwedge_{i \in \{P_0, \ldots, P_k, r\}} T_i(X) \to true$
[Figure: a sample policy tree. The root policy set PS0 contains the policy sets PS and PS1 and a policy P; the policy sets contain policies (P, P, P, P2), each of which contains rules R.]

XACML Analysis: XACML Combining Algorithms
• Specifications: XACML 2.0, 3.0
• DFA representation:
– States: $Q = \{P, D, INP, IND, INDP, NA\}$
– Input symbols: $Q$
– Start state: NA
– Accept states: $Q$
– Transition function: $\delta: Q \times Q \to Q$
• Combining algorithms (*): Permit-overrides, Deny-overrides, First-applicable, Only-one-applicable, Permit-unless-deny, Deny-unless-permit
(*) XACML 3.0 specs

Permit-overrides transition function (row: current state, column: input symbol):
        P     INDP  INP   D     IND   NA
P       P     P     P     P     P     P
INDP    P     INDP  INDP  INDP  INDP  INDP
INP     P     INDP  INP   INDP  INDP  INP
D       P     INDP  INDP  D     D     D
IND     P     INDP  INDP  D     IND   IND
NA      P     INDP  INP   D     IND   NA
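The DFA view of a combining algorithm, as an added example that is not code from the paper or the SNE-XACML project: the permit-overrides transition table above is folded over the per-rule decision states starting in NA, and deny-overrides is obtained by mirroring the table (P with D, INP with IND), which is how XACML 3.0 defines the two algorithms symmetrically. The decision lists in the usage part reproduce the PDP and PDP* results from the earlier sample policy.

```python
# Added example (not from the paper or the SNE-XACML project): the XACML 3.0
# permit-overrides combining algorithm as the DFA on the slide, i.e. a fold of
# the transition table over the per-rule decisions, starting in state NA.
# Deny-overrides is derived by mirroring the table (P<->D, INP<->IND), which is
# how XACML 3.0 defines the two algorithms symmetrically.

STATES = ["P", "INDP", "INP", "D", "IND", "NA"]

# Permit-overrides transition function delta: Q x Q -> Q, copied from the slide
# (row = current state, column = input symbol, same column order as STATES).
_PO_ROWS = {
    "P":    ["P", "P",    "P",    "P",    "P",    "P"],
    "INDP": ["P", "INDP", "INDP", "INDP", "INDP", "INDP"],
    "INP":  ["P", "INDP", "INP",  "INDP", "INDP", "INP"],
    "D":    ["P", "INDP", "INDP", "D",    "D",    "D"],
    "IND":  ["P", "INDP", "INDP", "D",    "IND",  "IND"],
    "NA":   ["P", "INDP", "INP",  "D",    "IND",  "NA"],
}
PERMIT_OVERRIDES = {(s, STATES[i]): t for s, row in _PO_ROWS.items()
                    for i, t in enumerate(row)}

_MIRROR = {"P": "D", "D": "P", "INP": "IND", "IND": "INP",
           "INDP": "INDP", "NA": "NA"}
# Deny-overrides: mirror every state name in the permit-overrides table.
DENY_OVERRIDES = {(_MIRROR[s], _MIRROR[a]): _MIRROR[t]
                  for (s, a), t in PERMIT_OVERRIDES.items()}

def combine(delta, decisions, start="NA"):
    """Run the combining-algorithm DFA over the rule decisions in order."""
    state = start
    for d in decisions:
        if d not in STATES:
            raise ValueError("unknown decision state: %r" % (d,))
        state = delta[(state, d)]
    return state

def permit_overrides(decisions):
    return combine(PERMIT_OVERRIDES, decisions)

def deny_overrides(decisions):
    return combine(DENY_OVERRIDES, decisions)

if __name__ == "__main__":
    # The slide's sample policy: a missing 'role' attribute turns two rules
    # into Indeterminate states, and deny-overrides no longer returns Permit.
    print("PDP  :", deny_overrides(["NA", "P", "NA"]))    # P
    print("PDP* :", deny_overrides(["IND", "P", "INP"]))  # INDP
```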

Proposed mechanism: Multi-data-type Interval Decision Diagrams
• A decision diagram $G(V, E)$ represents a function $f$:
$f(x_1, x_2, \ldots, x_n) := D_1 \times D_2 \times \ldots \times D_n \to \{true, false\}$
• Partial function decomposition:
$f(X) = \bigvee_{P \in \mathcal{P}(D_i)} \left( h_{x_i}(P) \wedge f_{x_i}^{P} \right)$
$h_{x_i}(P) = true$ if $x_i \in P$, $false$ if $x_i \notin P$

Multi-data-type decision diagrams (MIDD): an example
• Concepts
– Interval: $I \subseteq D_i$
– Interval partition: $\mathcal{P} = \{ I \mid I \subseteq D_i : \forall I_i, I_j,\ i \neq j,\ I_i \cap I_j = \emptyset \}$
[Figure: an example MIDD with variable ordering x1, x2, x3. The root x1 node has outgoing edges labelled by the intervals P11, P12, P13; the x2 nodes have edges P21 to P27; the x3 nodes have edges P31 to P35; every path ends in the terminal True.]

Proposed mechanism: Generic Interval Partition Processing
• Concept
– Reduced interval partition: $P' = |P|$
• Operators on reduced interval partitions
– Union: $\forall v \in P_1 \cup P_2,\ v \in P$
– Intersect: $\forall v \in P_1 \cap P_2,\ v \in P$
– Complement: $\forall v \in P_1 \setminus P_2,\ v \in P$
• Operators on MIDDs representing logical functions $f_1$, $f_2$
– Conjunctive join: $M_f = M_{f_1} \wedge M_{f_2}$
– Disjunctive join: $M_f = M_{f_1} \vee M_{f_2}$
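The three partition operators above, as an added example that is not the paper's code: a partition over a numeric attribute domain is modelled as a sorted list of disjoint half-open intervals [lo, hi) (a representation chosen here, not taken from the slides), reduced by merging touching intervals, with union, intersect and complement computed on that form and a lookup that tells which interval a request value falls into.

```python
# Added example (not the paper's code): interval partitions over a numeric
# attribute domain D_i, as used to label the edges of a MIDD node. A partition
# is a sorted list of disjoint half-open intervals [lo, hi); the "reduced" form
# merges touching intervals so that the partition has as few intervals as
# possible. Union, intersect and complement are the slide's three operators.

def reduce_partition(intervals):
    """Sort, drop empty intervals and merge overlapping or adjacent ones."""
    out = []
    for lo, hi in sorted(i for i in intervals if i[0] < i[1]):
        if out and lo <= out[-1][1]:          # overlaps or touches the last one
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def union(p1, p2):
    """v in P1 or v in P2  <=>  v in P."""
    return reduce_partition(list(p1) + list(p2))

def intersect(p1, p2):
    """v in P1 and v in P2  <=>  v in P (pairwise overlap of intervals)."""
    out = []
    for a_lo, a_hi in p1:
        for b_lo, b_hi in p2:
            lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
            if lo < hi:
                out.append((lo, hi))
    return reduce_partition(out)

def complement(p1, p2):
    """v in P1 and v not in P2  <=>  v in P (set difference P1 minus P2)."""
    out = []
    for lo, hi in p1:
        cur = lo
        for b_lo, b_hi in reduce_partition(p2):
            if b_hi <= cur or b_lo >= hi:
                continue                       # no overlap with [cur, hi)
            if b_lo > cur:
                out.append((cur, b_lo))        # keep the part before the hole
            cur = max(cur, b_hi)
        if cur < hi:
            out.append((cur, hi))
    return reduce_partition(out)

def contains(p, v):
    """Return the interval of partition p that a request value v falls into."""
    return next((i for i in p if i[0] <= v < i[1]), None)
```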

XACML Evaluation: Methods: Construct X-MIDDs
• Pipeline: XACML rule R → MIDD parsing → MIDD_R → X-MIDD transformation → X-MIDD_R
• Steps
– Extract, aggregate & reduce the IP list from AllOf expressions
– Create a MIDD path for each AllOf expression
– Compose MIDDs: conjunctive & disjunctive joins
– Leaf node: condition, effect, obligations/advices
– Internal nodes: decision states
• Decision states derived from MustBePresent and the rule effect:
Decision state   MustBePresent   Rule Effect
NA               False           _
INP              True            Permit
IND              True            Deny
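The Target semantics from the attribute-logic-expressions slide together with the decision-state table above, as an added example that is not the paper's code: T(X) = AND_i OR_j AND_k m_k is evaluated in three-valued logic so that a missing attribute with MustBePresent set to true yields Indeterminate (and False otherwise), and a rule's decision state is then NA, P/D or INP/IND depending on the target value and the rule effect. The match functions and the nested-list encoding of targets are constructed for this example.

```python
# Added example (not the paper's code): XACML 3.0 Target semantics with the
# slide's structure T(X) = AND_i OR_j AND_k m_k, evaluated in three-valued logic
# so that a missing attribute with MustBePresent=true yields Indeterminate, and
# the rule's decision state is then derived from its effect as in the slide's
# table: NA if the target is False, P/D if True, INP/IND if Indeterminate.
import operator

TRUE, FALSE, INDET = "True", "False", "Indeterminate"

# Match functions f usable in a match tuple (x, f, v); constructed for this example.
FUNCS = {"equal": operator.eq, "less-than": operator.lt,
         "greater-than-or-equal": operator.ge}

def evaluate_match(match, request, must_be_present=True):
    """One match m = (x, f, v) over a request X = {x_i: value}."""
    x, f, v = match
    if x not in request:
        return INDET if must_be_present else FALSE
    return TRUE if FUNCS[f](request[x], v) else FALSE

def all_of(matches, request, mbp=True):
    results = [evaluate_match(m, request, mbp) for m in matches]
    if FALSE in results:           # one false match defeats the conjunction
        return FALSE
    return INDET if INDET in results else TRUE

def any_of(all_ofs, request, mbp=True):
    results = [all_of(a, request, mbp) for a in all_ofs]
    if TRUE in results:            # one matching AllOf satisfies the disjunction
        return TRUE
    return INDET if INDET in results else FALSE

def target(any_ofs, request, mbp=True):
    """T(X): conjunction over the AnyOf groups (an empty target always matches)."""
    results = [any_of(a, request, mbp) for a in any_ofs]
    if FALSE in results:
        return FALSE
    return INDET if INDET in results else TRUE

def rule_decision(any_ofs, effect, request, mbp=True):
    """Map the target value and the rule effect (Permit/Deny) to a decision state."""
    t = target(any_ofs, request, mbp)
    if t == FALSE:
        return "NA"
    if t == TRUE:
        return "P" if effect == "Permit" else "D"
    return "INP" if effect == "Permit" else "IND"
```

With the request {resId: "data", action: "r"} and no role attribute, a Permit rule whose target only tests role gives INP under MustBePresent and NA without it, which is exactly the difference between the PDP and PDP* results on the sample-policy slide.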

XACML Evaluation: Evaluation and Experiments: microbenchmark
[Figure: stacked bar chart (0% to 100%) splitting the per-request time into X-MIDD eval. time, Resp. conversion time and Req. conversion time for the GEYSERS, Continue-a and Synthetic-360 policy sets. The three shares per dataset, in extraction order, are 14.2% / 82.4% / 3.4% (GEYSERS), 38.7% / 59.7% / 1.6% (Continue-a) and 44.8% / 52.3% / 2.5% (Synthetic-360).]

                       GEYSERS   Continue-a   Synthetic-360
Pre-processing (ms)         94          480            1043
X-MIDD size (nodes)         55        3,258         104,675
Throughput (req/s)     229,551      172,114         238,878

Conclusions
• Summary
– High performance XACML evaluation
– Solved Indeterminate states handling
– Critical attribute property setting
– Complex XACML logic expressions
– Mechanisms for policy analysis & verification
• Future work
– Implementation: other XACML 3.0 features
– Policy verification, redundancy detection

Group Meeting, Amsterdam, July 12, 2013
Thank you!
Q&A
Contact Information
Canh Ngo
System and Network Engineering research group (SNE), University of Amsterdam
Email: t.c.ngo@uva.nl
SNE-XACML project (LGPL): https://code.google.com/p/sne-xacml/