Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine
Presentation Transcript

  • Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine. Canh Ngo, Marc X. Makkes, Yuri Demchenko, Cees de Laat. System and Network Engineering Group, University of Amsterdam. PST 2013, July 12, 2013
  • PST 2013, Tarragona, July 12, 2013. Content 2/25
    – Overview
    – Related work
    – Motivation
    – XACML Analysis
    – Proposed mechanisms: Multi-data-types Interval Decision Diagrams
    – XACML Evaluation Engine
    – Evaluation & Experiments
    – Conclusion
  • Overview: XACML Policy Language 3/25
    – XACML: eXtensible Access Control Markup Language
    – Attribute Based Access Control model (ABAC)
    – History: 2003 XACML 1.0; 2005 XACML 2.0; 2013 XACML 3.0
  • XACML Overview: Policy Language Model v3.0 4/25
    [Figure: XACML 3.0 policy language model (class diagram). Elements: PolicySet, Policy, Target, Policy Combining Algorithm, AnyOf, AllOf, Rule, Condition, Effect, Rule Combining Algorithm, Obligation Expression, Advice Expression, with their 1, 1..* and 0..* multiplicities.]
  • XACML Overview: Architecture 5/25
    [Figure: XACML data-flow architecture. Components: Access Requester, PEP, Obligation service, Context handler, PDP, PAP, PIP, Resource, Subjects, Environment. Numbered flows: 1. Policies; 2. Request; 3. Req; 4. Req; 5. attr query; 6. attr query; 7a. Subj attrs; 7b. Env attrs; 7c. Res attrs; 8. attributes; 9. Res content; 10. attrs; 11. Resp; 12. Resp; 13. Obligations.]
  • Motivation 6/25
    – XACML policy analysis and evaluation:
      · High performance evaluation
      · Solve Indeterminate states handling [*]
      · Complex XACML logic expressions
      · Support XACML analysis and verification
    [*] Multiple Indeterminate states in XACML 3.0: Indeterminate, Indeterminate(D), Indeterminate(P), Indeterminate(DP)
  • Related work 7/25
    – Current implementations:
      · Mechanisms: brute-force search, caching decisions
      · SunXACML [1]: XACML 2.0 standard implementation: 100-200 req/s
      · Enterprise-XACML [2]: XACML 2.0, caching optimizations
    – Policy verification and management:
      · XACML verification with binary decision diagrams [3]
      · Redundancy detection & optimization of policies using description logic [4]
      · Policy integration algebra with binary decision diagrams [5]
    1. http://sunxacml.sourceforge.net/
    2. http://code.google.com/p/enterprise-java-xacml/
    3. K. Fisler et al. Verification and change-impact analysis of access-control policies. (ICSE '05)
    4. V. Kolovski et al. Analyzing web access control policies. (WWW '07)
    5. P. Rao et al. An algebra for fine-grained integration of XACML policies. (SACMAT '09)
  • Related work: XACML policy evaluation 8/25
    – Marouf et al. [6]: using statistics to cluster highly frequently evaluated rules/policies to the top levels
    – Liu et al. [7]: XEngine
      · Mechanism: using firewall decision diagrams to transform XACML policies into flat policies; numericalize predefined values
      · Pros: very high performance
      · Cons: only supports the "=" operator, fixed number of attribute values; incorrect Indeterminate states processing
    6. S. Marouf et al. Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation. 2009
    7. A. Liu et al. Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers, 2011
  • Related work: XACML policy evaluation 9/25
    – Ros et al. [8]: Graph-based XACML evaluation
      · Mechanism: improved [6] with more comparison operators
      · Cons: supports a subset of XACML policies:
        - ignores XACML Indeterminate states (*)
        - "MustBePresent" (**) property: handle missing attributes in requests
        - data interval processing: handles only simple forms of Target logic expressions
    8. S. Ros et al. Graph-based XACML evaluation. (SACMAT '12)
    (*) XACML 3.0 has multiple decision values: Permit (P), Deny (D), NotApplicable (NA), Indeterminate states (INDP, IND, INP)
    [Figure: example policy P0 with CombiningAlgo="Deny-overrides" and target (resId="data") ∧ (action="r"), rules R1 (Deny), R2 (Permit) and R3 (Permit) with match expressions over role, resId and action (role="guests"; role="manager" ∧ resId="data" ∧ action="w"). For a request R(_, data, r) whose role attribute is missing, a PDP that ignores Indeterminate states computes DO(NA, P, NA) = P, whereas a PDP* that tracks them computes DO(IND, P, INP) = INDP.]
  • XACML Analysis: Attribute logic expressions 10/25
    – Request: $X = \{x_1, x_2, \ldots, x_n\}$
    – Match expression: $m_k := (x, f, v)$
    – Target expression $T(X) = \bigwedge_i \bigvee_j \bigwedge_k m_{kji}$:
      · AllOf expression: $\bigwedge_k m_k$
      · AnyOf expression: $\bigvee_j \bigwedge_k m_{kj}$
    – Matching rule logic condition path: $\bigwedge_{i \in \{P_0, \ldots, P_k, r\}} T_i(X) \to \mathit{true}$
    [Figure: a sample policy tree. Root PS0 with child policy sets PS1, PS2 and policies P; each policy P holds rules R.]
  • XACML Analysis: XACML Combining Algorithms 11/25
    – Specifications: XACML 2.0, 3.0
    – DFA representation:
      · States: $Q = \{P, D, INP, IND, INDP, NA\}$
      · Input symbols: $Q$
      · Start state: NA
      · Accept states: $Q$
      · Transition function: $\delta: Q \times Q \to Q$
    – Combining algorithms (*): Permit-overrides, Deny-overrides, First-applicable, Only-one-applicable, Permit-unless-deny, Deny-unless-permit
    (*) XACML 3.0 specs
    – Permit-overrides transition function (row: current state; column: next input decision):
             | P  | INDP | INP  | D    | IND  | NA
        P    | P  | P    | P    | P    | P    | P
        INDP | P  | INDP | INDP | INDP | INDP | INDP
        INP  | P  | INDP | INP  | INDP | INDP | INP
        D    | P  | INDP | INDP | D    | D    | D
        IND  | P  | INDP | INDP | D    | IND  | IND
        NA   | P  | INDP | INP  | D    | IND  | NA
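The DFA view of a combining algorithm, as an added example that is not from the paper or the SNE-XACML project: the permit-overrides transition table from the slide is folded over a sequence of rule decisions (start state NA, every state accepting) and then cross-checked exhaustively against the set-based wording of permit-overrides in XACML 3.0 Appendix C. The names STATES, PERMIT_OVERRIDES, combine, permit_overrides_spec and dfa_matches_spec are mine.

```python
# Added example (not the paper's or SNE-XACML's code): the permit-overrides
# combining algorithm as the DFA on the slide, cross-checked against the
# set-based rule list of XACML 3.0 Appendix C.2.

from itertools import product

# Decision states, in the order of the slide's transition table.
STATES = ["P", "INDP", "INP", "D", "IND", "NA"]

# Transition function delta: Q x Q -> Q.
# Row = current (accumulated) state, column = next rule/policy decision.
_ROWS = {
    "P":    ["P", "P",    "P",    "P",    "P",    "P"],
    "INDP": ["P", "INDP", "INDP", "INDP", "INDP", "INDP"],
    "INP":  ["P", "INDP", "INP",  "INDP", "INDP", "INP"],
    "D":    ["P", "INDP", "INDP", "D",    "D",    "D"],
    "IND":  ["P", "INDP", "INDP", "D",    "IND",  "IND"],
    "NA":   ["P", "INDP", "INP",  "D",    "IND",  "NA"],
}
PERMIT_OVERRIDES = {s: dict(zip(STATES, row)) for s, row in _ROWS.items()}


def combine(decisions, table=PERMIT_OVERRIDES, start="NA"):
    """Fold a sequence of decisions through the DFA: start state NA,
    every state accepting, so the final state is the combined decision."""
    state = start
    for d in decisions:
        state = table[state][d]
    return state


def permit_overrides_spec(decisions):
    """Reference: the permit-overrides rule list of XACML 3.0 Appendix C.2,
    which only looks at the set of decisions present."""
    ds = set(decisions)
    if "P" in ds:
        return "P"
    if "INDP" in ds or ("INP" in ds and ds & {"D", "IND"}):
        return "INDP"
    if "INP" in ds:
        return "INP"
    if "D" in ds:
        return "D"
    if "IND" in ds:
        return "IND"
    return "NA"


def dfa_matches_spec(max_len=3):
    """Compare the DFA fold with the spec function on every decision sequence
    up to max_len.  True means the table agrees with the spec everywhere,
    which also shows the fold result does not depend on rule order."""
    for n in range(max_len + 1):
        for seq in product(STATES, repeat=n):
            if combine(seq) != permit_overrides_spec(seq):
                return False
    return True


if __name__ == "__main__":
    print(combine(["NA", "D", "INP"]))   # INDP: a Deny next to an Indeterminate{P}
    print(dfa_matches_spec())            # True
```

The exhaustive comparison is the check a practitioner wants before trusting a hand-transcribed table: a single wrong cell (for example D combined with INP yielding D instead of INDP) would silently collapse an Indeterminate{DP} into a definite decision, which is exactly the Indeterminate-handling defect the slides attribute to earlier engines.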
  • Proposed mechanism: Multi-data-type Interval Decision Diagrams 12/25
    – A decision diagram $G(V, E)$ represents a function $f(x_1, x_2, \ldots, x_n) : D_1 \times D_2 \times \cdots \times D_n \to \{\mathit{true}, \mathit{false}\}$
    – Partial function decomposition: $f(X) = \bigvee_{P \in \mathcal{P}(D_i)} h_{x_i}(P) \wedge f|_{x_i \in P}$, where $h_{x_i}(P) = \mathit{true}$ if $x_i \in P$ and $\mathit{false}$ if $x_i \notin P$
    – Concepts:
      · Interval: $I \subseteq D_i$
      · Interval partition: $\mathcal{P} = \{I \mid I \subseteq D_i : \forall I_i, I_j,\ i \neq j,\ I_i \cap I_j = \emptyset\}$
    [Figure: Multi-data-type interval decision diagram (MIDD), an example. Root node x1 with partitions P11, P12, P13; second-level x2 nodes with partitions P21..P27; third-level x3 nodes with partitions P31..P35; leaf True.]
  • Proposed mechanism: Generic Interval Partition Processing 13/25
    – Concept: reduced interval partition $\mathcal{P}' = |\mathcal{P}|$
    – Operators on reduced interval partitions:
      · Union: $\forall v \in \mathcal{P}_1 \cup \mathcal{P}_2,\ v \in \mathcal{P}'$
      · Intersect: $\forall v \in \mathcal{P}_1 \cap \mathcal{P}_2,\ v \in \mathcal{P}'$
      · Complement: $\forall v \in \mathcal{P}_1 \setminus \mathcal{P}_2,\ v \in \mathcal{P}'$
    – Operators on MIDDs of logical functions $f_1, f_2$:
      · Conjunctive join: $M_f = M_{f_1} \wedge M_{f_2}$
      · Disjunctive join: $M_f = M_{f_1} \vee M_{f_2}$
  • XACML Evaluation: Methods, Construct X-MIDDs 14/25
    – Pipeline: XACML rule R → MIDD parsing → MIDD_R → X-MIDD transformation → X-MIDD_R
    – Steps:
      · Extract, aggregate & reduce the interval-partition list from AllOf expressions
      · Create a MIDD path for each AllOf expression
      · Compose MIDDs: conjunctive & disjunctive joins
      · Leaf node: condition, effect, obligations/advices
      · Internal nodes: decision states
    – Decision states for a missing attribute:
        Decision state | MustBePresent | Rule Effect
        NA             | False         | _
        INP            | True          | Permit
        IND            | True          | Deny
  • XACML Evaluation: Methods, Construct X-MIDDs (2) 15/25
    – Example policy P0: CombiningAlgo="Permit-overrides", Target: ('1080AB' ≤ pcode) ∧ (pcode ≤ '1098XH')
    – Rule R1 (Permit, obligation O1): AnyOf of three AllOf clauses over pcode, time and price, one MIDD path each:
      · pcode ∈ [1080AB,1085BL] ∧ time ∈ [12pm,5pm] ∧ price ∈ [3,4]
      · pcode ∈ [1095CJ,1098XH] ∧ price ∈ [1,2]
      · pcode ∈ [1080AB,1085BL] ∧ time ∈ [6am,9am] ∧ price ∈ [1,2]
    – Rule R2 (Deny, obligation O2): AnyOf of three AllOf clauses over pcode and time
    [Figure: Rule R1 MIDDs, one path per AllOf clause, variable order P-code, time, Price, each ending in the leaf True.]
  • XACML Evaluation: Methods, Construct X-MIDDs (3) 16/25
    – MIDD disjunctive/conjunctive joins
    [Figure: Rule R1 combined MIDD. P-code [1080AB,1085BL] → time {[6am,9am] → Price [1,2] → True; [12pm,5pm] → Price [3,4] → True}; P-code [1095CJ,1098XH] → Price [1,2] → True.]
  • XACML Evaluation: Methods, Construct X-MIDDs (4) 17/25
    – Transform MIDD_R1 into X-MIDD_R1 by attaching decision states to internal nodes and effect/obligations to leaves
    [Figure: X-MIDD_R1. P-code (INP) [1080AB,1085BL] → time (NA) {[6am,9am] → Price (NA) [1,2] → P, (O1); [12pm,5pm] → Price (NA) [3,4] → P, (O1)}; P-code (INP) [1095CJ,1098XH] → Price (NA) [1,2] → P, (O1).]
  • XACML Evaluation: Methods, Construct X-MIDDs (4) 18/25
    [Figure: X-MIDD_R1 as above, beside X-MIDD_R2: P-code (IND) [1080AB] → time (NA) [5pm] → D, (O2); P-code [1085BL,1095CJ] → time (NA) [9am] → D, (O2); P-code [1098XH] → time (NA) [12pm] → D, (O2).]
  • XACML Evaluation: Methods, Combine X-MIDDs 19/25
    – X-MIDD_P0 = Permit-Overrides(X-MIDD_R1, X-MIDD_R2)
    [Figure: X-MIDD_P0. Root P-code (INDP) refined into [1080AB], (1080AB,1085BL), [1085BL], (1085BL,1095CJ), [1095CJ], (1095CJ,1098XH), [1098XH]. Each child is a time (NA) node: the R2 points [5pm], [9am], [12pm] lead to a Price node with default D, (O2) and, where R1 also applies, an interval [1,2] or [3,4] leading to P, (O1); the R1 intervals [6am,9am], [12pm,5pm) lead to Price (NA) nodes with [1,2] or [3,4] → P, (O1); complements such as {(-inf,9am) ∪ (9am,+inf)}, {(-inf,12pm) ∪ (12pm,+inf)}, {(-inf,1) ∪ (2,+inf)} and {(-inf,3) ∪ (4,+inf)} carry the non-matching cases.]
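Slides 12 to 19 describe one procedure: one MIDD path per AllOf clause (conjunctive join), the rule's AnyOf as a disjunctive join of those paths, decision states on internal nodes for missing attributes, and evaluation by walking the diagram. The example below, which is mine and not the paper's or the SNE-XACML project's code, carries rules R1 and R2 of the slides' policy through that procedure and evaluates constructed requests, including ones that omit pcode or time. Assumptions of mine: hours are 24-hour integers (6am = 6, 5pm = 17), postcodes compare as strings, pcode is the only MustBePresent attribute (as the INP/IND labels on the P-code nodes of slides 17 and 18 indicate), R2's intervals are read off X-MIDD_R2, and the disjunctive join merges edges only when their intervals are identical, which suffices for this policy; the general join refines both interval partitions first. The names Node, conjunctive_path, disjunctive_join, build_rule, evaluate, decide and root_fanout are mine.

```python
# Added example (not the paper's or SNE-XACML's code): MIDD construction from
# AllOf clauses, decision states for missing attributes, and evaluation.
# Postcodes, hours and prices are the constructed example of slides 15-18.

from typing import Any, Dict, List, Tuple

ORDER = ["pcode", "time", "price"]   # variable order of the slides' diagrams
Interval = Tuple[Any, Any]           # closed [lo, hi]; str postcodes, int hours/prices
LEAF = True                          # plain MIDD leaf: the path's conjunction holds


class Node:
    """Internal MIDD node: tests one attribute; edges are disjoint intervals."""
    def __init__(self, attr: str, must_be_present: bool):
        self.attr = attr
        self.must_be_present = must_be_present
        self.edges: List[Tuple[Interval, Any]] = []   # (interval, Node or LEAF)


def conjunctive_path(clauses, must_be_present):
    """One AllOf expression -> one MIDD path (conjunctive join of its matches)."""
    node = LEAF
    for attr, lo, hi in sorted(clauses, key=lambda c: ORDER.index(c[0]), reverse=True):
        n = Node(attr, attr in must_be_present)
        n.edges.append(((lo, hi), node))
        node = n
    return node


def disjunctive_join(a, b):
    """OR of two MIDDs by merging edges with equal intervals.  Assumption (holds
    for the slides' policy): intervals on one attribute are identical or disjoint,
    and both sides test the same attribute at the same depth."""
    if a is LEAF or b is LEAF:
        return LEAF
    assert a.attr == b.attr, "example restriction: same variable order on both sides"
    out = Node(a.attr, a.must_be_present or b.must_be_present)
    merged: Dict[Interval, Any] = {}
    for iv, child in a.edges + b.edges:
        merged[iv] = disjunctive_join(merged[iv], child) if iv in merged else child
    out.edges = list(merged.items())
    return out


def build_rule(allofs, must_be_present=("pcode",)):
    """AnyOf = disjunctive join of the paths of its AllOf clauses."""
    midd = None
    for clauses in allofs:
        path = conjunctive_path(clauses, must_be_present)
        midd = path if midd is None else disjunctive_join(midd, path)
    return midd


def evaluate(midd, effect: str, request: Dict[str, Any]) -> str:
    """Walk the X-MIDD of one rule.  A missing attribute yields the node's decision
    state (slide 14): NA unless MustBePresent, then INP (Permit rule) / IND (Deny)."""
    node = midd
    while node is not LEAF:
        if node.attr not in request:
            if not node.must_be_present:
                return "NA"
            return "INP" if effect == "Permit" else "IND"
        value = request[node.attr]
        for (lo, hi), child in node.edges:
            if lo <= value <= hi:
                node = child
                break
        else:
            return "NA"   # value lies outside every interval on this node
    return "P" if effect == "Permit" else "D"


# Rule R1 (Permit, obligation O1): the three AllOf clauses of slide 15.
R1_ALLOF = [
    [("pcode", "1080AB", "1085BL"), ("time", 6, 9), ("price", 1, 2)],
    [("pcode", "1095CJ", "1098XH"), ("price", 1, 2)],
    [("pcode", "1080AB", "1085BL"), ("time", 12, 17), ("price", 3, 4)],
]
# Rule R2 (Deny, obligation O2): intervals read off X-MIDD_R2 on slide 18.
R2_ALLOF = [
    [("pcode", "1080AB", "1080AB"), ("time", 17, 17)],
    [("pcode", "1085BL", "1095CJ"), ("time", 9, 9)],
    [("pcode", "1098XH", "1098XH"), ("time", 12, 12)],
]
R1 = build_rule(R1_ALLOF)
R2 = build_rule(R2_ALLOF)


def decide(request):
    """Per-rule decisions (R1, R2) for one request, as fed to the combining algorithm."""
    return evaluate(R1, "Permit", request), evaluate(R2, "Deny", request)


def root_fanout(midd):
    """Edges at the root: slide 16's combined MIDD for R1 has two P-code intervals."""
    return len(midd.edges)


if __name__ == "__main__":
    print(decide({"pcode": "1082AA", "time": 7, "price": 1}))   # ('P', 'NA')
    print(decide({"time": 7, "price": 1}))                       # ('INP', 'IND')
    print(decide({"pcode": "1090AA", "time": 9, "price": 2}))    # ('NA', 'D')
```

The second request is the case the slides' Motivation is about: with pcode absent, a permit rule and a deny rule produce INP and IND rather than NA, so the combining algorithm can report an Indeterminate result instead of silently treating the rules as not applicable. The per-rule decisions returned by decide are the input symbols of the combining-algorithm DFA.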
  • XACML Evaluation: Evaluation and Experiments, complexity 20/25
    – Policies with $n$ attributes, $a_i \in P_i$
    – $P_i$ has $k_i$ distinct values in the policies
    – X-MIDD complexity:
      · Evaluation time (average): $O\left(\sum_{i=1}^{n} \left(\log_2(2k_i + 1) + 1\right)\right)$
      · Space (worst case): $O\left(\sum_{i=1}^{n} \prod_{j=1}^{i} (2k_j + 1)\right)$
  • XACML Evaluation: Evaluation and Experiments, implementation 21/25
    – Implementation:
      · XACML 3.0
      · Oracle Java 1.7, Linux Mint x64, i5 2.67GHz, 4GB RAM
      · LGPL: https://code.google.com/p/sne-xacml/
    – Validation:
      · Compare with SunXACML
      · 1000 random requests per run
  • XACML Evaluation: Evaluation and Experiments, performance 22/25
    – Datasets:
        Dataset         | Policy level | #Policy-sets | #Policies | #Rules | #Attributes | Operators
        GEYSERS (*)     | 3            | 6            | 7         | 33     | 3           | =
        Continue-a (**) | 6            | 111          | 266       | 298    | 14          | =
        Synthetic-360   | 4            | 31           | 72        | 360    | 10          | = (80%), complex (20%)
    [Figure: bar chart, log scale from 1.0 to 100000.0 microseconds, of SNE-XACML versus SunXACML response time on GEYSERS, Continue-a and Synthetic-360.]
    (*) SNE-XACML: average response time for 1M random requests
    (*) GEYSERS project: http://www.geysers.eu/
    (**) Fisler et al. ICSE '05
  • XACML Evaluation: Evaluation and Experiments, microbenchmark 23/25
    [Figure: stacked bar chart (0% to 100%) of where SNE-XACML spends its time per dataset, series in legend order: X-MIDD eval. time 14.2% / 38.7% / 44.8%; Resp. conversion time 3.4% / 1.6% / 2.5%; Req. conversion time 82.4% / 59.7% / 52.3% for GEYSERS / Continue-a / Synthetic-360.]
        Metric               | GEYSERS | Continue-a | Synthetic-360
        Pre-processing (ms)  | 94      | 480        | 1043
        X-MIDD size (nodes)  | 55      | 3258       | 104,675
        Throughput (req/s)   | 229,551 | 172,114    | 238,878
  • Conclusions 24/25
    – Summary:
      · High performance XACML evaluation
      · Solved Indeterminate states handling
      · Critical attribute property setting
      · Complex XACML logic expressions
      · Mechanisms for policy analysis & verification
    – Future work:
      · Implementation: other XACML 3.0 features
      · Policy verification, redundancy detection
  • Group Meeting Amsterdam, July 12, 2013. Thank you! Q&A 25
    Contact Information: Canh Ngo, System and Network Engineering research group (SNE), University of Amsterdam. Email: t.c.ngo@uva.nl
    SNE-XACML project (LGPL): https://code.google.com/p/sne-xacml/