Issue No. 12 - December 2011 (vol. 60), pp. 1802-1817
Fei Chen , Michigan State University, East Lansing
Alex X. Liu , Michigan State University, East Lansing
Tao Xie , North Carolina State University, Raleigh
ABSTRACT
Most prior research on policies has focused on correctness. While correctness is an important issue, the adoption of policy-based computing may be limited if the resulting systems are not implemented efficiently and thus perform poorly. To increase the effectiveness and adoption of policy-based computing, in this paper we propose fast policy evaluation algorithms that can be adapted to support various policy languages. We focus on XACML policy evaluation because XACML has become the de facto standard for specifying access control policies, has been widely used on web servers, and is the most complex of the existing policy languages. We implemented our algorithms in a policy evaluation system called XEngine and conducted a side-by-side comparison with Sun Policy Decision Point (PDP), the industrial standard for XACML policy evaluation. The results show that XEngine is orders of magnitude faster than Sun PDP, and the performance difference grows almost linearly with the number of rules in an XACML policy. To the best of our knowledge, there is no prior work on improving XACML policy evaluation performance; this paper represents the first step in exploring this unknown space.
INDEX TERMS
Web servers, XACML, policy evaluation, policy-based computing, access control, policy decision point.
CITATION
Fei Chen, Alex X. Liu, Tao Xie, "Designing Fast and Scalable XACML Policy Evaluation Engines", IEEE Transactions on Computers, vol.60, no. 12, pp. 1802-1817, December 2011, doi:10.1109/TC.2010.274