DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge Supervisor: Fatih Turkmen August 19, 2016 System and Network Engineering University of Amsterdam
WHY § Customer data more and more valuable § Data stored in cloud § Access control becomes critical
XACML § eXtensible Access Control Markup Language § XML-based language § Also an architecture § OASIS standard for the expression of security policies
XACML ELEMENTS <PolicySet> <PolicySet> <Policy <Policy RuleCombiningAlg="..." > <Target/> <Target/> <Rule <Rule RuleId="..." Effect="Permit"> <Target/> <Target/> <Condition/> <Condition/> </Rule> </Rule> <Rule <Rule RuleId="..." Effect="Deny"> <Target/> <Target/> <Condition/> <Condition/> </Rule> </Rule> </Policy> /Policy> <Policy <Policy RuleCombiningAlgId="..."> ... </Policy> </Policy> <PolicySet> <PolicySet>
EXAMPLE XACML POLICY <Policy RuleCombiningAlgId="identifier:rule-combining-algorithm:permit-overrides"> <Target/> <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1" Effect="Permit"> <Target> <AnyOf> <AllOf> <Match MatchId="string-equal"> <AttributeValue DataType="string">admin</AttributeValue> <AttributeDesignator AttributeId="role" DataType="string"/> </Match> </AllOf> </AnyOf> </Target> <Condition> ... </Condition> </Rule> <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule2" Effect="Deny"> ... </Rule> </Policy>
XACML IN ACTION Request intercepted 1. by PEP Request converted 2. to XACML PDP evaluates 3. policy If needed retrieve 4. additional attributes PDP reaches 5. decision and forwards this to PEP Request arrives at 6. resource Source: Wikipedia
RELATED RESEARCH (Adaptive) reordering Decision Diagrams § Based on statistics and § XEngine categorization § Matching Tree (MT) and Combining Tree (CT) § SNE-XACML with MIDD S [0, 0] [2, 3] [1, 1] R R R [1, 1] [0, 1] [0, 0] [1, 1] [0, 0] A A A A A [0, 1] [0, 0] [1, 1] [0, 1] [0, 0] [1, 1] [0, 1] [R -1 ] na [R 2 ] p [R 2 ] p [R 1 ] d [R 3 ] p [R 2 ] p [[R 1 ] d , [R 2 ] p ] d Source: XEngine: A Fast and Scalable XACML Policy Evaluation Engine
RESEARCH QUESTION • Propositional encoding • PDP
SAT & CNF f ( x 1 , x 2 ,..., x n ) § Boolean function: x 1 , ∧ , ∨ , ¬ ,() § Variables, operators and parentheses: § SAT solvers § CNF: ( p 1 ∨ p 2 ) ∧ ( p 3 ∨ p 4 ) ∧ ( p 5 ∨ p 6 ) § Conjunction of clauses § Disjunction of literals
ALGORITHM • Constructing attribute domains • Policy flattening • SAT encoding
CONSTRUCTING ATTRIBUTE DOMAINS (1) § Attributes § AttributeValue § AttributeDesignator § AttributeSelector <rule <rule Effect=”Permit”> ... <AttributeValue <AttributeValue DataType=”String”>admin</AttributeValue> </AttributeValue> <AttributeDesignator <AttributeDesignator AttributeId=”role” DataType=”String”/> ... </rule> </rule>
CONSTRUCTING ATTRIBUTE DOMAINS (2) D role ∈ { admin , manager , hr , user } admin ∈ { admin , manager , hr , user }
CONSTRUCTING ATTRIBUTE DOMAINS (3) Algorithm 1 EnumerateVariables Input: A map m containing the DataTypes as keys and (empty) arrays as values and a policy p 1: procedure EnumerateVars ( p, m ) for all target elements do 2: update m with values found in the policy 3: target end for 4: for all variable definitions do 5: update m with values found in the variable 6: definitions end for 7: for all policy elements do 8: if element is a policy then 9: enumerateVars(element,m) 10: else if element is a rule then 11: update m with values found in the rule 12: targets update m with values found in the rule 13: condition end if 14: end for 15: 16: end procedure
ALGORITHM • Constructing attribute domains • Policy flattening • SAT encoding
Policy Flattening (1) • Applicability space <AS A , AS IN , AS NA > • Decision space <DS P , DS D , DS IN , DS NA >
Algorithm 2 FlattenPolicy Input: A policy p Output: Decision space < DS P , DS D , DS IN ( P ) , DS IN ( D ) , DS IN ( NA ) , DS NA > 1: procedure flattenPolicy ( p ) if p is a rule then 2: AS P A = AS T A ∩ AS C 3: A AS P IN = AS C IN ∪ AS T 4: IN if e ff ect of p is Permit then 5: DS P = AS P 6: A DS D = ∅ 7: DS IN ( P ) = AS P 8: IN DS IN ( D ) = ∅ 9: else if e ff ect of p is Deny then 10: DS P = ∅ 11: DS D = AS P 12: A DS IN ( P ) = ∅ 13: DS IN ( D ) = AS P 14: IN end if 15: DS IN ( P D ) = ∅ 16: DS IN ( NA ) = 17: ( DS P ∪ DS D ∪ DS IN ( P ) ∪ DS IN ( D ) ∪ DS IN ( P D ) ) return 18: ( DS P , DS D , DS IN ( P ) , DS IN ( D ) , DS IN ( P D ) , DS IN ( NA ) ) else if p is a policy (set) then 19: policies = ∅ 20: for all elements e of p do 21: result = flattenPolicy( e ) 22: add result to policies 23: end for 24: combiningAlg = combining algorithm of p 25: return applyCA(policies, combiningAlg) 26: end if 27: 28: end procedure
ALGORITHM • Constructing attribute domains • Policy flattening • SAT encoding
SAT ENCODING DS P ∪ DS D ∪ DS IN ( P ) ∪ DS IN ( D ) ∪ DS IN ( PD ) ∪ DS NA
FRAMEWORK
Conclusion • Creating SAT formula • SAT solvers • No trees • Experimental validation
Recommend
More recommend
