Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies

Abstract

XACML (eXtensible Access Control Markup Language) policies, which are widely adopted for defining and controlling dynamic access among Web/cloud services, are becoming more complex in order to handle the significant growth in communication and cooperation between individuals and composed services. However, the large size and complexity of these policies raise many concerns related to their correctness in terms of flaws, conflicts and redundancies presence. This paper addresses this problem through introducing a novel set and semantics based scheme that provides accurate and efficient analysis of XACML policies. First, our approach resolves the complexity of policies by elaborating an intermediate set-based representation to which the elements of XACML are automatically converted. Second, it allows to detect flaws, conflicts and redundancies between rules by offering new mechanisms to analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic. All the approach components and algorithms realizing the proposed analysis semantics have been implemented in one development framework. Experiments carried out on synthetic and real-life XACML policies explore the relevance of our analysis algorithms with acceptable overhead. Please visit http://www.azzammourad.org/#projects to download the framework.