Set-based approach for efficient evaluation and analysis of XACML policies. (c2014)

Abstract

Policy-based computing is taking an increasing role in governing the systematic interaction among distributed cloud and Web services. XACML has been known as the de facto standard widely used by many vendors for specifying access control policies. Accordingly, the size and complexity of XACML policies are significantly growing to cope with the evolution of webbased applications. This growth raised many concerns related to the efficiency of real-time decision process (i.e. policy evaluation) and the correctness of complex policies. This thesis is addressing both concerns through the elaboration of SBA-XACML, a novel set-based scheme that provides efficient evaluation and analysis of XACML policies. To the best of our knowledge, we are the first addressing both problems simultaneously. Our approach constitutes of elaborating (1) set-based language that covers all the XACML components and establish an intermediate layer to which policies are automatically converted, (2) policy evaluation module that provides better performance compared to the industrial standard Sun Policy Decision Point (PDP) and its corresponding ameliorations, and (3) policy analysis module that allows to detect flaws, conflicts and redundancies in XACML policies. Formal and practical experiments have been conducted on real-life and synthetic XACML policies in order to demonstrate the efficiency, relevance and scalability of our proposition. The experimental results explore that SBA-XACML evaluation of large and small sizes policies offers better performance than the current approaches, by a factor ranging between 2.4 and 15 times faster depending on policy size. Moreover, they show how SBA-XACML analysis module allows detecting access flaws, conflict and redundancy at policy and rule levels.