Slide 1: XEngine: A Fast and Scalable XACML Policy Evaluation Engine
Fei Chen, Dept. of Computer Science and Engineering, Michigan State University
Joint work with Alex X. Liu, JeeHyun Hwang, Tao Xie
Slide 2: Roadmap
– Introduction and Motivation
– Three Key Ideas
– XACML Policy Numericalization
– XACML Policy Normalization
– Correctness
– Experimental Results
– Conclusion
XEngine: A Fast and Scalable XACML Policy Evaluation Engine, Liu, Chen, Hwang, Xie (2/29)
Slide 3: Introduction
– An access request involves a Subject (processes, machines, …), a Resource (programs, files, …) and an Action (execute, read, …)
– Access control mechanisms exist at every layer: Applications, Services/Middleware, Operating System, Hardware
– XACML (de facto standard): eXtensible Access Control Markup Language
  – XML language
  – Powerful evaluation logic
  – Extensible and flexible
Slide 4: Motivation
– An XACML policy evaluation engine takes an XACML policy and an XACML request, checks whether the request satisfies the policy, and returns the decision
– Performance is critical
  – Cost per request: millions of requests per minute (Amazon)
  – Policy size and complexity drive processing time
Slide 5: Prior work
– No prior work focuses on optimizing the performance of XACML policy evaluation
– Most XACML work focuses on policy analysis and verification
– Sun PDP (policy decision point) is an implementation of the standard XACML evaluation engine
– We propose XEngine
  – Orders of magnitude faster than Sun PDP
  – More rules, more orders of magnitude: with hundreds of rules, two orders of magnitude faster than Sun PDP; with thousands of rules, four orders of magnitude faster than Sun PDP
Slide 7: Example
Rule 1: A student or secretary cannot change grades.

Subject                         Resource         Action        Decision
Student, Secretary              Grades           Change        Deny
Professor, Lecturer, Secretary  Grades, Records  Change, Read  Permit
Student                         Records          Change, Read
Slide 8: Three Key Ideas
– XACML policy numericalization
  – String values → numerical values
– XACML policy normalization
  – Recursive structure → flat structure
  – Multiple complex conflict resolution mechanisms → one conflict resolution mechanism
– XACML policy evaluation
  – Use a tree structure to efficiently process requests
Slide 10: XACML Policy Numericalization
– Map each distinct value of an attribute to a distinct integer

Subject       Resource    Action
Student: 0    Grades: 0   Change: 0
Secretary: 1  Records: 1  Read: 1
Professor: 2
Lecturer: 3

The example rules from slide 7 are numericalized with this table.
Slide 12: XACML Policy Normalization: Challenges
– Four rule/policy combining algorithms (First-Applicable, Only-One-Applicable, Permit-Overrides, Deny-Overrides) → First-Applicable only
– Recursive structure → flat structure
– Multi-valued request → decompose into multiple single-valued requests
Slide 13: Recursive Structure
– Model an XACML policy as a tree
– Store the combining algorithm and target of each policy or policy set
Figure: root [1,3] Permit-Overrides with target t1; children [1,2] Deny-Overrides with target t2 (rules R1, R2) and [3,3] First-Applicable with target t3 (rule R3). R1 → deny, R2 → permit, R3 → deny.
Slide 14: Scattered Predicates
– Same tree as the previous slide, with t1: [1, 6], t3: [0, 4], tR3: [3, 5]
– Replace the target of R3 by t1 ∧ t3 ∧ tR3 = [3, 4]
Slide 15: Complex XACML Functions
– Predicate ∧ f() → permit  is rewritten as  Predicate → (if f() then permit)
Slide 16: Multi-valued Rules/Requests
– Multi-valued rules: Subject "a person who is both a professor and a student" → treat professor&student as a distinct value
– Multi-valued requests: "A person who is both a professor and a student wants to assign grades" is decomposed into "A professor wants …" and "A student wants …"; each single-valued request yields a set of rules {R i1, R i2, …}, {R j1, R j2, …}, from which the decision is derived
Slide 17: Complex Rule/Policy Combining Algorithms
– First-Applicable: concatenate the rule sequences of the normalized policies
– Only-One-Applicable: check whether two rules from two sequences overlap
– Permit-Overrides or Deny-Overrides: use a policy decision diagram (PDD) to convert all-match rules to first-match rules
Figure: a PDD over the S, R, A dimensions whose leaves list the rules matching the path with their effects, e.g. [R1]d, [R2]p, and [R1]d, [R2]p.
Slide 18: Complex Rule/Policy Combining Algorithms (continued)
– Rules: R1: Professor → deny; R2: Student → permit; R3: Student → deny; R4: Professor → permit
– Structure: [1,4] Permit-Overrides over [1,2] First-Applicable and [3,4] First-Applicable
– Request: a person who is both a professor and a student wants to assign grades, decomposed into Q1 (a professor wants …) → R1, R4 and Q2 (a student wants …) → R2, R3
Figure: Q1 resolves to [[R1] deny, [R4] permit] → permit and Q2 to [[R3] deny, [R2] permit] → permit; combining those two sub-decisions yields permit, which the slide marks ×; the decision shown for the whole request is deny.
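As an added example (not code from the XEngine project or its authors), the following Python models the slide's policy as a tree, builds the numericalization table, evaluates requests under the four combining algorithms, and contrasts two ways of handling the multi-valued request "professor and student": resolving the union of rules matched by the single-valued sub-requests through the tree of combining algorithms, versus combining the sub-requests' decisions directly. The data layout, the function names and the simplified Only-One-Applicable (it counts children with a non-NA decision rather than checking targets) are assumptions of this example.

```python
"""Added example (not XEngine's code): a reference evaluator for a small
XACML-style policy tree that shows numericalization, the four combining
algorithms named on the slides, and why a multi-valued request cannot simply
be evaluated as independent single-valued requests. All names and the data
layout are hypothetical."""
from itertools import product

PERMIT, DENY, NA, INDET = "permit", "deny", "not_applicable", "indeterminate"

def rule(name, subject, effect):
    """A rule with a single-attribute target; targets are sets of string values."""
    return {"rule": name, "target": {"subject": {subject}}, "effect": effect}

# Constructed from the slide: [1,4] Permit-Overrides over two First-Applicable policies.
POLICY = {"alg": "permit-overrides", "children": [
    {"alg": "first-applicable", "children": [rule("R1", "Professor", DENY),
                                             rule("R2", "Student", PERMIT)]},
    {"alg": "first-applicable", "children": [rule("R3", "Student", DENY),
                                             rule("R4", "Professor", PERMIT)]},
]}

def build_table(node, table=None):
    """Numericalization table: each distinct string value of each attribute is
    mapped to a distinct small integer, in the order the policy mentions it."""
    table = {} if table is None else table
    if "rule" in node:
        for attr, values in node["target"].items():
            col = table.setdefault(attr, {})
            for v in sorted(values):
                col.setdefault(v, len(col))
    else:
        for child in node["children"]:
            build_table(child, table)
    return table

def numericalize(node, table):
    """Copy of the policy tree with every target expressed as integer sets."""
    if "rule" in node:
        return {**node, "target": {a: {table[a][v] for v in vs}
                                   for a, vs in node["target"].items()}}
    return {**node, "children": [numericalize(c, table) for c in node["children"]]}

def numericalize_request(request, table):
    """A value the policy never mentions maps to -1 so it matches no target (assumption)."""
    return {a: {table.get(a, {}).get(v, -1) for v in vs} for a, vs in request.items()}

def matches(target, request):
    """A target matches when, for every attribute it constrains, at least one of
    the request's values for that attribute lies in the target's set."""
    return all(request.get(a, set()) & vs for a, vs in target.items())

def combine(alg, decisions):
    """The four combining algorithms over an ordered list of child decisions.
    Only-One-Applicable is simplified to count children with a non-NA decision."""
    applicable = [d for d in decisions if d != NA]
    if alg == "first-applicable":
        return applicable[0] if applicable else NA
    if alg == "only-one-applicable":
        return applicable[0] if len(applicable) == 1 else (NA if not applicable else INDET)
    if alg == "permit-overrides":
        return PERMIT if PERMIT in applicable else DENY if DENY in applicable else NA
    if alg == "deny-overrides":
        return DENY if DENY in applicable else PERMIT if PERMIT in applicable else NA
    raise ValueError("unknown combining algorithm: " + alg)

def evaluate(node, request):
    """Direct, recursive evaluation: the reference semantics."""
    if "rule" in node:
        return node["effect"] if matches(node["target"], request) else NA
    return combine(node["alg"], [evaluate(c, request) for c in node["children"]])

def single_valued(request):
    """Decompose a multi-valued request into its single-valued sub-requests."""
    attrs = sorted(request)
    for combo in product(*(sorted(request[a]) for a in attrs)):
        yield {a: {v} for a, v in zip(attrs, combo)}

def matched_rules(node, request):
    """Names of every rule whose target matches the given single-valued request."""
    if "rule" in node:
        return {node["rule"]} if matches(node["target"], request) else set()
    return set().union(*(matched_rules(c, request) for c in node["children"]))

def resolve(node, matched):
    """Resolve a set of matched rule names through the tree of combining
    algorithms (the slides' structure tree over rule index ranges)."""
    if "rule" in node:
        return node["effect"] if node["rule"] in matched else NA
    return combine(node["alg"], [resolve(c, matched) for c in node["children"]])

def evaluate_decomposed(policy, request):
    """Sub-requests contribute matched rules; the union is resolved once."""
    matched = set().union(*(matched_rules(policy, q) for q in single_valued(request)))
    return resolve(policy, matched)

def combine_subdecisions(policy, request):
    """The shortcut of combining per-sub-request decisions with the root
    algorithm; kept only to show that it is not equivalent."""
    return combine(policy["alg"], [evaluate(policy, q) for q in single_valued(request)])
```

Direct evaluation of the combined request yields deny, because once both subjects are present each First-Applicable policy hits its deny rule first; resolving the union of matched rules through the tree gives the same deny, while combining the two sub-decisions (permit, permit) under Permit-Overrides gives permit.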
Slide 19: XACML Policy Evaluation (1/2)
– The decision diagram approach: the final sequence of first-match rules → a PDD
Figure: a PDD over S, R, A with leaves such as [R1]d, [R-1]na, [R3]p, [R2]p and [[R1]d, [R2]p]d.
Slide 20: XACML Policy Evaluation (2/2)
– The forwarding table approach: a d-dimensional PDD → d forwarding tables
Figure: T1 maps subject values 0, 1, 2, 3 to entries 0, 1, 2, 2; T2 and T3 continue the lookup, with T3 entries holding the matched rules and decisions ([R1]d, [R3]p, [[R1]d, [R2]p]d, [R2]p, [R-1]na). A request is processed with one lookup per table.
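As an added example, not XEngine's code, here is how a first-match sequence of range rules over numericalized attributes can be compiled into a PDD and then into one forwarding table per dimension, using the three attribute domains from the numericalization slide; the rule sequence, the domain sizes and the function names are constructed for this illustration.

```python
"""Added example (not XEngine's code): build a policy decision diagram (PDD)
and per-dimension forwarding tables from a first-match sequence of range
rules over numericalized attributes, then check that both lookups agree with
a linear first-match scan on every possible request. Names and data layout
are hypothetical."""
from itertools import product

# Constructed domains from the slides' numericalization table:
# Subject 0..3, Resource 0..1, Action 0..1 (inclusive integer ranges).
DOMAINS = [(0, 3), (0, 1), (0, 1)]

# Constructed first-match rule sequence: (name, [range per dimension], decision).
RULES = [
    ("R1", [(0, 1), (0, 0), (0, 0)], "deny"),    # student/secretary change grades
    ("R2", [(2, 3), (0, 1), (0, 1)], "permit"),  # professor/lecturer, any resource/action
    ("R3", [(0, 0), (1, 1), (1, 1)], "permit"),  # student reads records
]
NOT_APPLICABLE = ("R-1", None, "not_applicable")

def first_match(rules, point):
    """Reference semantics: the first rule whose ranges all contain the point."""
    for r in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(point, r[1])):
            return r
    return NOT_APPLICABLE

def elementary_intervals(rules, dim, domain):
    """Cut the domain at every rule boundary in this dimension, so each piece
    lies entirely inside or entirely outside every rule's range."""
    lo, hi = domain
    cuts = {lo, hi + 1}
    for _, ranges, _ in rules:
        rlo, rhi = ranges[dim]
        if lo <= rlo <= hi:
            cuts.add(rlo)
        if lo <= rhi < hi:
            cuts.add(rhi + 1)
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]

def build_pdd(rules, domains, dim=0):
    """Node = ("node", dim, [(lo, hi, child), ...]) or ("leaf", rule).
    Only rules covering the whole interval survive into the child, so the
    leaf's first surviving rule is exactly the first-match result."""
    if dim == len(domains):
        return ("leaf", rules[0] if rules else NOT_APPLICABLE)
    edges = []
    for lo, hi in elementary_intervals(rules, dim, domains[dim]):
        keep = [r for r in rules if r[1][dim][0] <= lo and hi <= r[1][dim][1]]
        edges.append((lo, hi, build_pdd(keep, domains, dim + 1)))
    return ("node", dim, edges)

def lookup_pdd(node, point):
    """Walk one edge per dimension; returns the rule tuple at the leaf."""
    while node[0] == "node":
        _, dim, edges = node
        node = next(c for lo, hi, c in edges if lo <= point[dim] <= hi)
    return node[1]

def build_tables(pdd, domains):
    """Compile the PDD into one forwarding table per dimension. tables[i][row][v]
    is the row to use in table i+1 (or, in the last table, the decision).
    Identical rows are shared, which merges isomorphic subtrees."""
    tables = [[] for _ in domains]
    memo = [{} for _ in domains]

    def compile_node(node):
        _, dim, edges = node
        lo, hi = domains[dim]
        row = [None] * (hi - lo + 1)
        for elo, ehi, child in edges:
            target = child[1][2] if child[0] == "leaf" else compile_node(child)
            for v in range(elo, ehi + 1):
                row[v - lo] = target
        row = tuple(row)
        if row not in memo[dim]:
            memo[dim][row] = len(tables[dim])
            tables[dim].append(row)
        return memo[dim][row]

    return tables, compile_node(pdd)

def lookup_tables(tables, root, domains, point):
    """One array index per dimension; the last table yields the decision."""
    row = root
    for dim, v in enumerate(point):
        row = tables[dim][row][v - domains[dim][0]]
    return row

def check_equivalence(rules, domains):
    """True when PDD and forwarding-table lookups match the linear scan everywhere."""
    pdd = build_pdd(rules, domains)
    tables, root = build_tables(pdd, domains)
    for point in product(*(range(lo, hi + 1) for lo, hi in domains)):
        expected = first_match(rules, point)
        if lookup_pdd(pdd, point) != expected:
            return False
        if lookup_tables(tables, root, domains, point) != expected[2]:
            return False
    return True
```

check_equivalence enumerates every possible numericalized request and confirms that both lookups return the same rule as a linear first-match scan, while each request costs one array index per dimension. Sharing identical rows is what merges isomorphic subtrees: with these constructed rules, subjects 2 and 3 share a row in the first table because both can only match R2.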
Slide 22: Correctness
– We proved the correctness of XEngine (lemmas, theorems)
– Experimental results are the same as Sun PDP
Slide 23: System Overview
– Policy preprocessing: XACML Policy → Policy Numericalization & Normalization → Numericalization Table, First-match Range Rules, Structure Tree → Decision Diagrams / Forwarding Tables
– Request evaluation: XACML Request → Request Numericalization → Evaluation Engine → Decision
Slide 25: Experimental Results (1/3)
– Preprocessing time of XEngine: only 6 seconds for a synthetic XACML policy with 4000 rules
Slide 26: Experimental Results (2/3)
– Real-life XACML policies, 100,000 requests (log scale)
  – The forwarding table approach is 117 times faster than Sun PDP
  – The PDD approach is 75 times faster than Sun PDP
Slide 27: Experimental Results (3/3)
– Synthetic XACML policies, 100,000 requests (log scale)
  – With 400, 2000 and 4000 rules, the forwarding table approach is 3594, 18643 and 34408 times faster than Sun PDP
  – The PDD approach is 1405, 6210 and 10873 times faster than Sun PDP
  – The performance difference grows almost linearly with the number of rules
Slide 28: Concluding Remarks
– We presented a series of algorithms to convert an XACML policy to a decision diagram (or forwarding tables)
– We proposed a series of algorithms to process requests
– XEngine is effective on both real-life and synthetic XACML policies: it is orders of magnitude faster than the widely deployed Sun PDP
Slide 29: Questions?