MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control Sonia Jahid 1, Carl A. Gunter 1, Imranul Hoque 1, and Hamed Okhravi 2 University.


MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011

Motivation (slide 2)
Alice issues the query "select column1 from table1". An Attribute-based Access Control (ABAC) enforcement middleware checks it against Alice's attributes (position = nurse, department = ID) and passes the same query, "select column1 from table1", on to the database.

Our Contribution (slide 3)
- Expressiveness
- Efficiency
- Protection at the lowest level
Example 1: GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
Example 2: GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses
Compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine: MyABDAC

Outline (slide 4)
- Architecture
- Policy Compilation
- Update Analysis
- Implementation and Evaluation
- Conclusion

Architecture (slide 5)
Policy Compilation Engine, made up of four modules:
- Policy Parsing Module
- User and Resource Extraction Module
- ACL Building Module
- Conflict Discovery and Resolution Module
Inputs: the XACML policy and the database (user attributes and resources such as Table1 and Table2). Output: ACLs (permissions).

Simplified XACML Policy (slide 6)
PolicySet P, combining algorithm: Permit Overrides
- Policy P1, combining algorithm: Permit Overrides
  - Rule R1: Effect Permit; Subject nurse & Infectious Disease; Resource Sensitive Information; Actions select, insert
  - Rule R2: Effect Permit; Subject nurse and experience > 5; Resource table1; Actions select, delete
- Policy P2, combining algorithm: Deny Overrides
  - Rule R3: Effect Deny; Subject nurse & level < 3; Resource table1; Action select
  - Rule R4: Effect Deny; Subject nurse & floor = 4; Resource table1; Actions select, insert

Compilation - Parse & Extraction (slide 7)
Modules involved: Policy Parsing Module, User and Resource Extraction Module.
Rule R1 is parsed into attribute constraints (position = nurse, department = infectious disease), a resource selector (sensitive information) and actions (select, insert). The extraction module turns these into queries against the database:
1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';
2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';

Compilation - Parse & Extraction (slide 8)
Modules involved: Policy Parsing Module, User and Resource Extraction Module, Conflict Discovery and Resolution Module; inputs: attributes and resources from the database; output: ACLs.
Tuples (table, user, action) extracted for each rule, with s = select, i = insert, d = delete:
- Rule R1 (Permit): 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
- Rule R2 (Permit): 9. tab1, nrs1, s; 10. tab1, nrs1, d
- Rule R3 (Deny): 11. tab1, nrs1, s; 12. tab1, nrs3, s
- Rule R4 (Deny): 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i

Compilation - Conflict Resolution (slide 9)
PolicySet P (Permit Overrides)
- Policy P1 (Permit Overrides): Rule R1 (Permit), Rule R2 (Permit)
- Policy P2 (Deny Overrides): Rule R3 (Deny), Rule R4 (Deny)
The tree is annotated "active conflict", "redundant", "active conflict": a tuple with the same table, user and action produced by both a Permit rule and a Deny rule is an active conflict, resolved by the combining algorithm of the enclosing policy or policy set; a tuple produced twice with the same effect is redundant.

Compilation - ACL Population (slide 10)
Modules involved: Policy Parsing Module, User and Resource Extraction Module, ACL Building Module, Conflict Discovery and Resolution Module; inputs: attributes and resources from the database; output: ACLs.
Permit List: 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i; 10. tab1, nrs1, d
Deny List: 12. tab1, nrs3, s; 15. tab1, nrs4, s; 16. tab1, nrs4, i
Statements generated by the ACL Building Module:
GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
…
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;

Update Analysis (slide 11)
Attribute changes can require:
- revoking existing permissions
- granting new permissions
- both revoking and granting permissions
ACL update strategies:
- delayed
- instantaneous
Efficient instantaneous ACL recalculation upon attribute changes:
- recompile only the relevant subset of policies
- cache compilation information

Update Analysis (continued)
P: PolicySet, PO (Permit Overrides)
- P1: Policy, PO
  - Rule R1, Effect Permit, Subject dept = ID: 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
  - Rule R2, Effect Permit, Subject exp > 5: 9. tab1, nrs1, s; 10. tab1, nrs1, d
- P2: Policy, DO (Deny Overrides)
  - Rule R3, Effect Deny, Subject level < 3: 11. tab1, nrs1, s; 12. tab1, nrs3, s
  - Rule R4, Effect Deny, Subject floor = 4: 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i

Challenges (2)
P: PolicySet, PO
- P1: Policy, PO
  - Rule R1, Effect Permit, Subject dept = ID: 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
  - Rule R2, Effect Permit, Subject exp > 5: 9. tab1, nrs1, s; 10. tab1, nrs1, d
- P2: Policy, DO
  - Rule R3, Effect Deny, Subject level < 3: 11. tab1, nrs1, s; 12. tab1, nrs3, s
  - Rule R4, Effect Deny, Subject floor = 4: 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i
Newly added rule R5, Effect Permit, Subject dept = Med: 17. tab3, nrs1, s
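The compilation steps above (parse and extraction, conflict resolution, ACL population) and the per-user recompilation of the update analysis, as an added Python example that is not the MyABDAC prototype's code: rules R1 to R4 are evaluated against a constructed employee table, Permit/Deny conflicts are resolved with each policy's and the policy set's combining algorithm, the result is emitted as GRANT/REVOKE statements, and update_user recompiles only the user whose attributes changed. The user names nrs1 to nrs4, the department abbreviations and all attribute values are assumptions.

```python
from collections import defaultdict
# Constructed sample data, standing in for the hospital.employee rows read by slide 7's queries.
EMPLOYEES = {
    "nrs1": dict(position="nurse", department="ID", experience=7, level=2, floor=4),
    "nrs2": dict(position="nurse", department="ID", experience=2, level=5, floor=1),
    "nrs3": dict(position="nurse", department="Med", experience=3, level=1, floor=2),
    "nrs4": dict(position="nurse", department="Med", experience=4, level=4, floor=4),
}
SENSITIVE = ["tab1", "tab2"]  # tables whose comment is 'sensitive information'
# Rules R1-R4 of the simplified policy: (effect, subject predicate, resources, actions).
RULES = {
    "R1": ("Permit", lambda a: a["position"] == "nurse" and a["department"] == "ID", SENSITIVE, ["select", "insert"]),
    "R2": ("Permit", lambda a: a["position"] == "nurse" and a["experience"] > 5, ["tab1"], ["select", "delete"]),
    "R3": ("Deny", lambda a: a["position"] == "nurse" and a["level"] < 3, ["tab1"], ["select"]),
    "R4": ("Deny", lambda a: a["position"] == "nurse" and a["floor"] == 4, ["tab1"], ["select", "insert"]),
}
# Policy tree (combining algorithm, children); a leaf is a rule id.
POLICY_SET = ("permit-overrides", [("permit-overrides", ["R1", "R2"]), ("deny-overrides", ["R3", "R4"])])

def eval_rule(rule_id, users=None):  # user/resource extraction for one rule
    effect, pred, tables, actions = RULES[rule_id]
    return {(t, u, a): effect for u in (users or EMPLOYEES) if pred(EMPLOYEES[u])
            for t in tables for a in actions}

def combine(node, users=None):  # conflict resolution under the node's combining algorithm
    if isinstance(node, str):
        return eval_rule(node, users)
    wins = "Permit" if node[0] == "permit-overrides" else "Deny"
    merged = {}
    for child in node[1]:
        for key, eff in combine(child, users).items():
            if key not in merged or eff == wins:  # the overriding effect replaces
                merged[key] = eff
    return merged

def to_sql(decisions):  # ACL population: one GRANT/REVOKE per (table, action)
    groups = defaultdict(list)
    for (t, u, a), eff in sorted(decisions.items()):
        groups[(eff, t, a)].append(u)
    return [f"{'GRANT' if e == 'Permit' else 'REVOKE'} {a.upper()} ON {t} "
            f"{'TO' if e == 'Permit' else 'FROM'} {', '.join(us)};"
            for (e, t, a), us in sorted(groups.items())]

def update_user(user, **new_attrs):  # update analysis: recompile only the changed user
    before = combine(POLICY_SET, [user])
    EMPLOYEES[user].update(new_attrs)
    after = combine(POLICY_SET, [user])
    changed = {k: v for k, v in after.items() if before.get(k) != v}
    obsolete = {k: "Deny" for k, v in before.items() if v == "Permit" and k not in after}
    return to_sql(changed), to_sql(obsolete)  # (statements to apply, permissions to revoke)
```

Running combine(POLICY_SET) reproduces the slide's result: nine permitted tuples and three denied ones, with tuples 11, 13 and 14 dropped because Permit Overrides at the policy-set level lets P1's permits win over P2's denies.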

Implementation and Evaluation (slide 14)
Prototype implementation: MyABDAC for the MySQL database
Resource database based on a local health complex schema:
- 50,000 users, each with 100 attributes
- 40 resource tables
XACML policies consisting of 3 layers and 100, 1000, 2000, …, 5000 rules
Experiments performed on a 2.40GHz Intel Core 2 Duo with 3GB memory

Policy Compilation Time (slide 15)
A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 sec (14.7 min).
(a) Policy Parse Time [chart; annotation: 31s]
(b) User Extraction and ACL Population Time [table; column headers: No. of Rules | No. of Users Retrieved from DB | Retrieval Time (sec) | No. of GRANTs | Rights Granted | ACL Population Time (sec)]

Update Analysis (slide 16)
Attribute updates have the form: UPDATE users SET attr_x = val_x, …, attr_y = val_y WHERE condition
[table; column headers: Users Updated | Attributes Updated | Rules Reconsidered | New Rights | Obsolete Rights | Total Time (sec)]

Comparison with Existing Approaches (slide 17)
[chart; axis label: Request Submitted]

Conclusion (slide 18)
- Compiled XACML policy into database ACLs
- Built a prototype, MyABDAC, to test on MySQL
- Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster

Backup Slides

Simplified XACML Policy (slide 20)
Subject attributes | Resource | Actions
position = nurse, department = infectious disease | sensitive information | select, insert
position = nurse, experience > 5 | table1 | select, delete
position = nurse, level < 3 | table1 | select
position = nurse, floor = 4 | table1 | select, insert

Cache Compilation (slide 21)
Table Name | Fields
ruledetails | ruleID, policyID, subjectQuery, resource, action, effect
log | username, resource, action, effect, status, ruleID

Space Requirement (slide 22)

Key Related Works (slide 23)
- A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS.
- Sun Microsystems, Inc. Sun's XACML Implementation.
- S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY.