Model-Driven Specification and Design-Level Analysis of XACML Policies

Abstract

Throughout the recent years, Web services security has been the target of many researchers. Particularly, by integrating policies and rules to govern the Web services behaviors at runtime, researchers have been able to prove the capability of policy languages in enforcing Web services security. XACML or eXtensible Access Control Markup Language is one of the most widely adopted security standards for controlling access to individual and between composed services based on policies specifications. However, like any other policy language, XACML policies are specified in structural files with complex syntax, which makes the policies specification process both, time consuming and error prone. Moreover, security policies are commonly verified in an afterthought stage after their enforcement, yet with diversity of rules and conditions specified in the policies, hidden conflicts, redundancies and access flaws are more likely to arise, which expose the system to serious vulnerabilities at execution time. To address these problems, we propose in this paper a novel approach that allows high-level specification of XACML security policies and provides design-level analysis to detect problems and vulnerabilities in the policies semantics, a priori to their integration and execution in the system.