MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011
Slide 2: Motivation
Alice submits the query "select column1 from table1". Her attributes are position = nurse and department = ID (infectious disease). Today the query passes through an attribute-based access control (ABAC) enforcement middleware, which evaluates those attributes against the policy before forwarding the same query, "select column1 from table1", to the database.
Slide 3: Our Contribution
Goals: expressiveness, efficiency, and protection at the lowest level (the database itself).
Example 1 (low-level database ACL): GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
Example 2 (high-level ABAC policy): GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses
Contribution: compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC.
Slide 4: Outline
- Architecture
- Policy Compilation
- Update Analysis
- Implementation and Evaluation
- Conclusion
Slide 5: Architecture
The Policy Compilation Engine reads the XACML policy and the attributes stored in the database, and writes ACLs (permissions) on the resources (Table1, Table2, ...) back into the database. Its modules:
- Policy Parsing Module
- User and Resource Extraction Module
- Conflict Discovery and Resolution Module
- ACL Building Module
Slide 6: Simplified XACML Policy
PolicySet P (combining algorithm: Permit Overrides)
  Policy P1 (combining algorithm: Permit Overrides)
    Rule R1: Effect Permit; Subject: nurse & Infectious Disease; Resource: Sensitive Information; Actions: select, insert
    Rule R2: Effect Permit; Subject: nurse and experience > 5; Resource: table1; Actions: select, delete
  Policy P2 (combining algorithm: Deny Overrides)
    Rule R3: Effect Deny; Subject: nurse & level < 3; Resource: table1; Action: select
    Rule R4: Effect Deny; Subject: nurse & floor = 4; Resource: table1; Actions: select, insert
Slide 7: Compilation - Parse & Extraction
The Policy Parsing Module reduces R1 to its attribute values: position = nurse, department = infectious disease, resource = sensitive information, actions = select, insert. The User and Resource Extraction Module turns the subject and resource parts into queries against the attribute database:
1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';
2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';
Slide 8: Compilation - Parse & Extraction (result)
Running the extraction queries for every rule yields candidate (table, user, action) triples, where s = select, i = insert, d = delete:
R1 (Permit): 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
R2 (Permit): 9. tab1, nrs1, s; 10. tab1, nrs1, d
R3 (Deny): 11. tab1, nrs1, s; 12. tab1, nrs3, s
R4 (Deny): 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i
The Conflict Discovery and Resolution Module compares these lists before anything is written to the database.
Slide 9: Compilation - Conflict Resolution
Same policy tree: PolicySet P (Permit Overrides) containing Policy P1 (Permit Overrides) with R1 (Permit) and R2 (Permit), and Policy P2 (Deny Overrides) with R3 (Deny) and R4 (Deny).
- R1 and R2 both permit the triple (tab1, nrs1, s): redundant, only one copy is kept.
- R1 (Permit) against R3 (Deny) and R4 (Deny) on nrs1's rights to tab1: active conflicts. The combining algorithms resolve them: P2 yields Deny, P1 yields Permit, and the Permit Overrides algorithm of P lets Permit win.
- Triples that only a Deny rule produces (nrs3 and nrs4 on tab1) are not in conflict and stay denied.
Slide 10: Compilation - ACL Population
After resolution the ACL Building Module writes the permit list as GRANTs and the deny list as REVOKEs:
GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
…
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;
Permit list: 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i; 10. tab1, nrs1, d
Deny list: 12. tab1, nrs3, s; 15. tab1, nrs4, s; 16. tab1, nrs4, i
Slide 11: Update Analysis
When attributes change, the ACL must change too: revoke existing permissions, grant new permissions, or revoke and grant.
ACL update can be delayed or instantaneous. For efficient instantaneous ACL recalculation upon attribute changes, MyABDAC
- recompiles only the relevant subset of policies, and
- caches compilation information.
Slide 12: Update Analysis (example)
PolicySet P (PO: Permit Overrides)
  Policy P1 (PO)
    Rule R1: Permit; Subject: dept = ID -> 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
    Rule R2: Permit; Subject: exp > 5 -> 9. tab1, nrs1, s; 10. tab1, nrs1, d
  Policy P2 (DO: Deny Overrides)
    Rule R3: Deny; Subject: level < 3 -> 11. tab1, nrs1, s; 12. tab1, nrs3, s
    Rule R4: Deny; Subject: floor = 4 -> 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i
Each rule's triples depend only on the attributes named in its subject, so an update to one attribute requires recompiling only the rules that mention it.
Slide 13: Challenges (2)
The same tree (P with P1: R1 dept = ID, R2 exp > 5; P2: R3 level < 3, R4 floor = 4) and the same triples 1 through 16, now with an added rule R5 (Effect Permit; Subject: dept = Med) that yields the new triple 17. tab3, nrs1, s. A policy change is thus a second source of ACL change, beside attribute changes, that the update analysis has to handle.
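The compilation pipeline of slides 6 through 10 (parse, extract, resolve conflicts, populate the ACL) and the incremental update of slides 11 through 13, as one added Python example. This is not MyABDAC's code: the authors' engine queries MySQL, while here a few constructed employee rows and table comments stand in for hospital.employee and information_schema.tables; the rule encoding, the user names nrs1 to nrs4, the table tab3 and the combine and update functions are the example's own assumptions.

```python
"""Added example, not MyABDAC's own code: a toy compilation engine for the policy
of slides 6-10 plus the incremental update analysis of slides 11-13."""
from collections import defaultdict
from itertools import product
import operator

# Constructed stand-ins for hospital.employee (slide 7) and for the
# table_comment column of information_schema.tables; names are invented.
EMPLOYEES = {
    "nrs1": {"jobtitle": "nurse", "department": "infectious disease", "experience": 7, "level": 2, "floor": 4},
    "nrs2": {"jobtitle": "nurse", "department": "infectious disease", "experience": 3, "level": 4, "floor": 2},
    "nrs3": {"jobtitle": "nurse", "department": "medicine", "experience": 2, "level": 1, "floor": 1},
    "nrs4": {"jobtitle": "nurse", "department": "medicine", "experience": 4, "level": 5, "floor": 4},
}
TABLES = {"tab1": "sensitive information", "tab2": "sensitive information", "tab3": "billing"}
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}

# rule id -> (effect, subject conditions, resource selector, actions), as on slide 6.
RULES = {
    "R1": ("Permit", [("jobtitle", "=", "nurse"), ("department", "=", "infectious disease")],
           ("comment", "sensitive information"), ["select", "insert"]),
    "R2": ("Permit", [("jobtitle", "=", "nurse"), ("experience", ">", 5)], ("table", "tab1"), ["select", "delete"]),
    "R3": ("Deny", [("jobtitle", "=", "nurse"), ("level", "<", 3)], ("table", "tab1"), ["select"]),
    "R4": ("Deny", [("jobtitle", "=", "nurse"), ("floor", "=", 4)], ("table", "tab1"), ["select", "insert"]),
}
# PolicySet P (permit-overrides) > P1 (permit-overrides: R1, R2), P2 (deny-overrides: R3, R4)
TREE = ("permit-overrides", [("permit-overrides", ["R1", "R2"]), ("deny-overrides", ["R3", "R4"])])

def sql_literal(v):
    return str(v) if isinstance(v, int) else "'" + str(v).replace("'", "''") + "'"

def subject_query(rule_id):
    """The extraction query the engine would send to MySQL for a rule's subject (slide 7)."""
    where = " AND ".join(f"{a}{op}{sql_literal(v)}" for a, op, v in RULES[rule_id][1])
    return f"SELECT username FROM hospital.employee WHERE {where};"

def subject_matches(rule_id, user):
    return all(OPS[op](EMPLOYEES[user][a], v) for a, op, v in RULES[rule_id][1])

def rule_tables(rule_id):
    kind, value = RULES[rule_id][2]
    return [t for t, c in TABLES.items() if (c if kind == "comment" else t) == value]

def user_triples(rule_id, user):
    """(table, user, action) triples one rule yields for one user (the slide 8 lists)."""
    if not subject_matches(rule_id, user):
        return set()
    return set(product(rule_tables(rule_id), [user], RULES[rule_id][3]))

def combine(node, triple, cands):
    """XACML combining for one triple: 'Permit', 'Deny' or None (not applicable)."""
    if isinstance(node, str):                                   # a rule
        return RULES[node][0] if triple in cands[node] else None
    alg, children = node                                        # a Policy or PolicySet
    results = {combine(c, triple, cands) for c in children} - {None}
    if not results:
        return None
    winner = "Permit" if alg == "permit-overrides" else "Deny"
    return winner if winner in results else results.pop()

def decide(users, cands):
    """Resolved decision for every candidate triple belonging to the given users."""
    universe = {t for r in cands for t in cands[r] if t[1] in users}
    return {t: combine(TREE, t, cands) for t in universe}

def compile_policy():
    """Full compilation: returns (per-rule candidate cache, {triple: decision})."""
    cands = {r: set().union(*(user_triples(r, u) for u in EMPLOYEES)) for r in RULES}
    return cands, decide(EMPLOYEES, cands)

def acl_statements(decisions):
    """GRANT for Permit, REVOKE for Deny, grouped per (table, action) as on slide 10."""
    grouped = defaultdict(list)
    for (table, user, action), effect in sorted(decisions.items()):
        grouped[("GRANT" if effect == "Permit" else "REVOKE", table, action)].append(user)
    return [f"{k} {a.upper()} ON {t} {'TO' if k == 'GRANT' else 'FROM'} {', '.join(us)};"
            for (k, t, a), us in sorted(grouped.items())]

def update_attributes(cands, decisions, user, changes):
    """Slide 11: after an attribute change, reconsider only the rules whose subject
    mentions a changed attribute, and only for the changed user; the cache of
    per-rule candidates plays the role of MyABDAC's cached compilation information.
    Returns (rules reconsidered, new rights, obsolete rights)."""
    EMPLOYEES[user].update(changes)
    reconsidered = [r for r in RULES if any(a in changes for a, _, _ in RULES[r][1])]
    for r in reconsidered:                      # refresh the cached candidates for this user only
        cands[r] = {t for t in cands[r] if t[1] != user} | user_triples(r, user)
    old = {t: e for t, e in decisions.items() if t[1] == user}
    new = decide({user}, cands)
    for t in old:
        decisions.pop(t)
    decisions.update(new)
    new_rights = {t for t, e in new.items() if e == "Permit" and old.get(t) != "Permit"}
    obsolete = {t for t, e in old.items() if e == "Permit" and new.get(t) != "Permit"}
    return reconsidered, new_rights, obsolete

if __name__ == "__main__":
    cache, acl = compile_policy()
    print("\n".join(acl_statements(acl)))
    print(update_attributes(cache, acl, "nrs2", {"department": "medicine"}))
```

With the constructed rows, compile_policy() reproduces slide 10: nine permitted triples (1 to 8 and 10) and three denied ones (12, 15, 16), and the (tab1, nrs1, s) triple that R3 and R4 deny ends up granted because Permit Overrides at the PolicySet wins over Deny Overrides in P2. Moving nrs2 out of infectious disease reconsiders only R1 and reports the four rights to revoke; moving nrs3 into it reports four new rights, one of which flips an existing REVOKE into a GRANT. The new_rights and obsolete sets are what an instantaneous update would turn into GRANT and REVOKE statements instead of recompiling all rules for all users.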
Slide 14: Implementation and Evaluation
Prototype implementation: MyABDAC for the MySQL database.
Resource database based on a local health complex schema: 50,000 users, each with 100 attributes; 40 resource tables.
XACML policies consisting of 3 layers and 100, 1000, 2000, ..., 5000 rules.
Experiments performed on a 2.40 GHz Intel Core 2 Duo with 3 GB memory.
Slide 15: Policy Compilation Time
A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 sec (14.7 min) to compile.
Charts not recoverable: (a) Policy Parse Time; (b) User Extraction and ACL Population Time, tabulated by No. of Rules, No. of Users Retrieved from DB, Retrieval Time (sec), No. of GRANTs (Rights Granted), ACL Population Time (sec). A "31s" data label survives.
Slide 16: Update Analysis (measurements)
Updates were applied with statements of the form UPDATE users SET attr_x = val_x, ..., attr_y = val_y WHERE condition.
Results table (values not recoverable) with columns: Users Updated, Attributes Updated, Rules Reconsidered, New Rights, Obsolete Rights, Total Time (sec).
Slide 17: Comparison with Existing Approaches
Chart not recoverable; its x-axis is labelled "Request Submitted".
Slide 18: Conclusion
- Compiled XACML policy into database ACLs.
- Built a prototype, MyABDAC, and tested it on MySQL.
- Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster.
Backup Slides
Slide 20: Simplified XACML Policy (attribute view)
Subject attributes -> Resource -> Actions
- position = nurse, department = infectious disease -> sensitive information -> select, insert
- position = nurse, experience > 5 -> table1 -> select, delete
- position = nurse, level < 3 -> table1 -> select
- position = nurse, floor = 4 -> table1 -> select, insert
Slide 21: Cache Compilation
Table ruledetails, fields: ruleID, policyID, subjectQuery, resource, action, effect
Table log, fields: username, resource, action, effect, status, ruleID
Slide 22: Space Requirement (chart not recoverable)
Slide 23: Key Related Works
- A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS.
- Sun Microsystems, Inc. Sun's XACML Implementation.
- S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY.