Issue No. 06 - Nov.-Dec. 2013 (vol. 10), pp. 341-354
Hongxin Hu , Dept. of Comput. & Inf. Sci., Delaware State Univ., Dover, DE, USA
Gail-Joon Ahn , Security Eng. for Future Comput. Lab., Arizona State Univ., Tempe, AZ, USA
Ketan Kulkarni , NVIDIA, Sunnyvale, CA, USA
Emerging computing technologies such as web services, service-oriented architecture, and cloud computing have enabled us to perform business services more efficiently and effectively. However, while such cutting-edge technological growth provides more convenient services to Internet users, we still suffer from unintended security leaks caused by unauthorized actions in business services. Furthermore, designing and managing web access control policies is often error-prone due to the lack of effective analysis mechanisms and tools. In this paper, we present an innovative policy anomaly analysis approach for web access control policies, focusing on eXtensible Access Control Markup Language (XACML) policies. We introduce a policy-based segmentation technique to accurately identify policy anomalies and derive effective anomaly resolutions, along with an intuitive visualization of the analysis results. We also discuss a proof-of-concept implementation of our method, called XAnalyzer, and demonstrate how our approach can efficiently discover and resolve policy anomalies.
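As an added illustration of the abstract's two anomaly classes (this is example code, not the paper's XAnalyzer implementation), the following Python toy models policy-based segmentation over a constructed XACML-style rule set: every request in a finite attribute domain is grouped by the set of rules matching it, segments matched by rules with different effects are reported as conflicts, and rules whose removal changes no decision under the First-Applicable combining algorithm are reported as redundant. The attribute domains, rules and the simplified First-Applicable redundancy criterion are assumptions of this example.

```python
from collections import defaultdict
from itertools import product
# Constructed finite attribute domains and XACML-style rules (not the paper's data).
SUBJECTS = ("doctor", "nurse", "patient")
RESOURCES = ("record", "bill")
ACTIONS = ("read", "write")
# Rule = (id, subjects, resources, actions, effect); list order is priority
# under the First-Applicable rule-combining algorithm.
RULES = [
    ("r1", {"doctor", "nurse"}, {"record"}, {"read"}, "Permit"),
    ("r2", {"nurse"}, {"record"}, {"read", "write"}, "Deny"),
    ("r3", {"doctor"}, {"record"}, {"read"}, "Permit"),
    ("r4", {"patient"}, {"bill"}, {"read"}, "Permit"),
]

def matches(rule, req):
    return req[0] in rule[1] and req[1] in rule[2] and req[2] in rule[3]

def segments(rules):
    """Policy-based segmentation: disjoint segments keyed by the ordered matching rule ids."""
    segs = defaultdict(list)
    for req in product(SUBJECTS, RESOURCES, ACTIONS):
        key = tuple(r[0] for r in rules if matches(r, req))
        if key:
            segs[key].append(req)
    return dict(segs)

def conflict_segments(rules):
    """Conflict anomaly: a segment matched by rules with different effects."""
    effect = {r[0]: r[4] for r in rules}
    return [seg for seg in segments(rules) if len({effect[i] for i in seg}) > 1]

def redundant_rules(rules):
    """Redundancy under First-Applicable: wherever the rule is first applicable,
    the next matching rule has the same effect, so removing it changes nothing."""
    effect = {r[0]: r[4] for r in rules}
    segs = segments(rules)
    return sorted(rid for rid in effect
                  if all(len(seg) > 1 and effect[seg[1]] == effect[rid]
                         for seg in segs if seg[0] == rid))

def decision(rules, req):
    """First-Applicable evaluation; NotApplicable when no rule matches."""
    return next((r[4] for r in rules if matches(r, req)), "NotApplicable")

def removal_is_safe(rules, rid):
    """Cross-check a redundancy finding: every decision is unchanged without the rule."""
    trimmed = [r for r in rules if r[0] != rid]
    return all(decision(rules, q) == decision(trimmed, q)
               for q in product(SUBJECTS, RESOURCES, ACTIONS))
```

On the constructed rules, the nurse/record/read segment is a conflict between r1 (Permit) and r2 (Deny), and r3 is redundant because r1 already permits everything it covers; `removal_is_safe` confirms the finding by re-evaluating the whole request space.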
Data structures, Authorization, Boolean functions, Algorithm design and analysis, Access control, Web services, Knowledge discovery, discovery and resolution, Access control policies, XACML, conflict, redundancy
Hongxin Hu, Gail-Joon Ahn, Ketan Kulkarni, "Discovery and Resolution of Anomalies in Web Access Control Policies", IEEE Transactions on Dependable and Secure Computing, vol.10, no. 6, pp. 341-354, Nov.-Dec. 2013, doi:10.1109/TDSC.2013.18