Slide 1: MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011

Slide 2: Motivation
Figure: Alice, whose attributes are position = nurse and department = ID, submits "select column1 from table1". The query passes through Attribute-based Access Control (ABAC) enforcement middleware, which forwards "select column1 from table1" to the database.

Slide 3: Our Contribution
Goals: expressiveness, efficiency, protection at the lowest level.
Example 1 (a database ACL): GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
Example 2 (an attribute-based policy): GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses
Approach: compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC.

Slide 4: Outline
Architecture; Policy Compilation; Update Analysis; Implementation and Evaluation; Conclusion

Slide 5: Architecture
Figure: the Policy Compilation Engine takes the Policy, together with Attributes and Resources (Table1, Table2) read from the database, and writes ACLs (permissions) back into the database. Its modules: Policy Parsing Module, User and Resource Extraction Module, ACL Building Module, Conflict Discovery and Resolution Module.

Slide 6: Simplified XACML Policy
PolicySet P, combining algorithm: Permit Overrides
Policy P1, combining algorithm: Permit Overrides
Policy P2, combining algorithm: Deny Overrides
Rule R1: Effect Permit; Subject: nurse & Infectious Disease; Resource: Sensitive Information; Actions: select, insert
Rule R2: Effect Permit; Subject: nurse and experience > 5; Resource: table1; Actions: select, delete
Rule R3: Effect Deny; Subject: nurse & level < 3; Resource: table1; Action: select
Rule R4: Effect Deny; Subject: nurse & floor = 4; Resource: table1; Actions: select, insert

Slide 7: Compilation - Parse & Extraction
The Policy Parsing Module extracts from rule R1: subject attributes position = nurse and department = infectious disease; resource attribute sensitive information; actions select, insert.
The User and Resource Extraction Module turns these into database queries:
1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';
2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';

Slide 8: Compilation - Parse & Extraction (continued)
ACL entries generated per rule, written as (table, user, action) with s = select, i = insert, d = delete:
Rule R1 (Permit): 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i
Rule R2 (Permit): 9. tab1, nrs1, s; 10. tab1, nrs1, d
Rule R3 (Deny): 11. tab1, nrs1, s; 12. tab1, nrs3, s
Rule R4 (Deny): 13. tab1, nrs1, s; 14. tab1, nrs1, i; 15. tab1, nrs4, s; 16. tab1, nrs4, i

Slide 9: Compilation - Conflict Resolution
Figure: the policy tree (PolicySet P: Permit Overrides; Policy P1: Permit Overrides; Policy P2: Deny Overrides; Rules R1, R2: Permit; Rules R3, R4: Deny) with the entries of slide 8 marked "active conflict", "redundant" and "active conflict". Entry 9 (R2's permit on tab1, nrs1, select) repeats entry 1 and is redundant; entries 11, 13 and 14 (R3's and R4's denies on tab1 for nrs1) conflict with R1's permits 1 and 2 and are resolved by the combining algorithms, with Permit Overrides at the policy set deciding in favour of the permits.

Slide 10: Compilation - ACL Population
Permit List: 1. tab1, nrs1, s; 2. tab1, nrs1, i; 3. tab1, nrs2, s; 4. tab1, nrs2, i; 5. tab2, nrs1, s; 6. tab2, nrs1, i; 7. tab2, nrs2, s; 8. tab2, nrs2, i; 10. tab1, nrs1, d
Deny List: 12. tab1, nrs3, s; 15. tab1, nrs4, s; 16. tab1, nrs4, i
The ACL Building Module populates the database ACLs:
GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
…
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;

Slide 11: Update Analysis
When attributes change, the ACL must revoke existing permissions, grant new permissions, or both.
ACL update can be delayed or instantaneous.
Efficient instantaneous ACL recalculation upon attribute changes: recompile only a relevant subset of the policies, and cache compilation information.

Slide 12: Update Analysis
Figure: the policy tree (PolicySet P: PO; Policy P1: PO; Policy P2: DO; Rule R1: Permit, S: dept=ID; Rule R2: Permit, S: exp>5; Rule R3: Deny, S: level<3; Rule R4: Deny, S: floor=4) annotated with the entries each rule generates (R1: 1 to 8; R2: 9, 10; R3: 11, 12; R4: 13 to 16) and with the combined list as it is built up: 1 2 3 4 5 6 7 8 10 12, then 1 2 3 4 5 6 7 8 10 12 15 16, which are the permit and deny lists of slide 10.

Slide 13: Challenges (2)
Figure: the same policy tree and entry lists as slide 12, now with an additional Rule R5 (Effect Permit; S: dept=Med) that generates entry 17. tab3, nrs1, s.
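The pipeline of slides 6 to 13, worked end to end as an added example; this is not the authors' MyABDAC code. It models the four rules of slide 6 plus a constructed R5 for slide 13, four constructed nurses nrs1 to nrs4 whose attributes make the rules generate exactly the sixteen entries of slide 8, and three tables tagged the way slide 7 reads them from table_comment. The transcript does not show which policy holds which rule, so the grouping R1, R2 under P1 and R3, R4 under P2 is an assumption (it reproduces the permit and deny lists of slide 10). Subjects and resources are matched by scanning dictionaries in place of the slide 7 SQL. The second half pushes one user's department change through the update analysis of slides 11 to 13, recompiling only the rules that read the changed attribute from a per-rule entry cache and emitting the GRANT/REVOKE delta.

```python
"""Toy model of the MyABDAC pipeline (rules -> per-user ACL entries -> combining-algorithm
resolution -> GRANT/REVOKE) plus the incremental update analysis. Added example, not the
authors' code; the users, tables and rule R5 below are constructed."""
from collections import defaultdict, namedtuple
from itertools import product

# Constructed attribute store (the slides' hospital.employee) and table tags (slide 7 reads
# them from information_schema.tables.table_comment), chosen so the slide-6 rules generate
# exactly the sixteen entries of slide 8.
USERS = {
    "nrs1": {"position": "nurse", "department": "infectious disease", "experience": 7, "level": 2, "floor": 4},
    "nrs2": {"position": "nurse", "department": "infectious disease", "experience": 3, "level": 3, "floor": 1},
    "nrs3": {"position": "nurse", "department": "surgery", "experience": 2, "level": 1, "floor": 2},
    "nrs4": {"position": "nurse", "department": "surgery", "experience": 4, "level": 3, "floor": 4},
}
TABLE_TAGS = {"tab1": "sensitive information", "tab2": "sensitive information", "tab3": ""}

# reads: attributes the subject match depends on (lets an update pick the rules to recompile);
# subject: predicate over one user's attributes; resource: predicate over (table name, tag).
Rule = namedtuple("Rule", "rid effect reads subject resource actions")
def nurse(a): return a["position"] == "nurse"
RULES = [  # R1..R4 are the rules of slide 6; R5 is the constructed dept=Med rule of slide 13
    Rule("R1", "permit", {"position", "department"}, lambda a: nurse(a) and a["department"] == "infectious disease",
         lambda t, tag: tag == "sensitive information", {"select", "insert"}),
    Rule("R2", "permit", {"position", "experience"}, lambda a: nurse(a) and a["experience"] > 5,
         lambda t, tag: t == "tab1", {"select", "delete"}),
    Rule("R3", "deny", {"position", "level"}, lambda a: nurse(a) and a["level"] < 3,
         lambda t, tag: t == "tab1", {"select"}),
    Rule("R4", "deny", {"position", "floor"}, lambda a: nurse(a) and a["floor"] == 4,
         lambda t, tag: t == "tab1", {"select", "insert"}),
    Rule("R5", "permit", {"position", "department"}, lambda a: nurse(a) and a["department"] == "medicine",
         lambda t, tag: t == "tab3", {"select"}),
]
RULE = {r.rid: r for r in RULES}
# PolicySet P (permit-overrides) over P1 (permit-overrides) and P2 (deny-overrides). Which
# policy holds which rule is not visible in the transcript; this grouping is assumed.
POLICYSET = ("permit-overrides", [("permit-overrides", ["R1", "R2", "R5"]), ("deny-overrides", ["R3", "R4"])])

def combine(alg, effects):
    """XACML permit-overrides / deny-overrides over rule or policy effects; None if none applied."""
    if not effects:
        return None
    first = "permit" if alg == "permit-overrides" else "deny"
    return first if first in effects else ("deny" if first == "permit" else "permit")

def rule_entries(rule, users, tags):
    """Slide 8: the (table, user, action, effect) entries one rule generates."""
    subjects = [u for u, attrs in users.items() if rule.subject(attrs)]
    tables = [t for t, tag in tags.items() if rule.resource(t, tag)]
    return {(t, u, act, rule.effect) for t, u, act in product(tables, subjects, rule.actions)}

def resolve(cache, only_user=None):
    """Slide 9: per triple, combine rule effects inside each policy, then across policies."""
    triples = {e[:3] for ents in cache.values() for e in ents if only_user in (None, e[1])}
    decisions = {}
    for t, u, a in triples:
        per_policy = [combine(alg, [RULE[r].effect for r in rids if (t, u, a, RULE[r].effect) in cache[r]])
                      for alg, rids in POLICYSET[1]]
        decisions[(t, u, a)] = combine(POLICYSET[0], [e for e in per_policy if e is not None])
    return decisions

def to_sql(decisions):
    """Slide 10: permits become GRANTs, denies REVOKEs, one statement per (table, action)."""
    groups = defaultdict(list)
    for (t, u, a), eff in decisions.items():
        groups[(eff == "deny", t, a)].append(u)
    return [f"{'REVOKE' if deny else 'GRANT'} {a.upper()} ON {t} {'FROM' if deny else 'TO'} {', '.join(sorted(ns))};"
            for (deny, t, a), ns in sorted(groups.items())]

def update_analysis(cache, decisions, users, tags, user, new_attrs):
    """Slides 11-13: apply one user's attribute change, recompile only the rules that read a
    changed attribute, re-resolve that user, and return the GRANT/REVOKE delta."""
    changed = {k for k, v in new_attrs.items() if users[user].get(k) != v}
    users[user] = {**users[user], **new_attrs}
    reconsidered = [r for r in RULES if r.reads & changed]
    for r in reconsidered:  # refresh this user's cached entries for the affected rules only
        cache[r.rid] = {e for e in cache[r.rid] if e[1] != user} | rule_entries(r, {user: users[user]}, tags)
    before = {k: v for k, v in decisions.items() if k[1] == user}
    after = resolve(cache, only_user=user)
    for k in before:
        del decisions[k]
    decisions.update(after)
    new_rights = {k for k, v in after.items() if v == "permit" and before.get(k) != "permit"}
    obsolete = {k for k, v in before.items() if v == "permit" and after.get(k) != "permit"}
    delta = [f"REVOKE {a.upper()} ON {t} FROM {u};" for (t, u, a) in sorted(obsolete)]
    delta += [f"GRANT {a.upper()} ON {t} TO {u};" for (t, u, a) in sorted(new_rights)]
    return [r.rid for r in reconsidered], new_rights, obsolete, delta

def demo():
    """Full compile of the sample policy, then nrs1 moves to the 'medicine' department."""
    users = {u: dict(a) for u, a in USERS.items()}
    cache = {r.rid: rule_entries(r, users, TABLE_TAGS) for r in RULES}  # slide 21's per-rule cache
    decisions = resolve(cache)
    initial_sql = to_sql(decisions)
    return (initial_sql,) + update_analysis(cache, decisions, users, TABLE_TAGS, "nrs1", {"department": "medicine"})

if __name__ == "__main__":
    initial_sql, reconsidered, new_rights, obsolete, delta = demo()
    print("\n".join(initial_sql))
    print("reconsidered:", reconsidered, "new:", sorted(new_rights), "obsolete:", sorted(obsolete))
    print("\n".join(delta))
```

Running it prints the seven GRANT/REVOKE statements of slide 10 (the deny list becomes REVOKEs for nrs3 and nrs4), then, for the department change, reconsiders only R1 and R5, revokes nrs1's INSERT on tab1 (R4's deny 14 is no longer overridden once R1 stops matching) and both rights on tab2, and grants SELECT on tab3 for the new entry 17. Two caveats for anyone building this on MySQL: the database has no deny privilege, so a deny entry is enforced only as the absence of a grant and a REVOKE issued for it is undone by any other path that grants the same right; and the resource classification rests on table_comment, which anyone holding ALTER on the table can rewrite.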

Slide 14: Implementation and Evaluation
Prototype implementation: MyABDAC for the MySQL database.
Resource database based on a local health complex schema: 50,000 users, each with 100 attributes; 40 resource tables.
XACML policies consisting of 3 layers and 100, 1000, 2000, …, 5000 rules.
Experiments performed on a 2.40 GHz Intel Core 2 Duo with 3 GB memory.

Slide 15: Policy Compilation Time
A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 sec (14.7 min) to compile.
(a) Policy Parse Time: chart; the 5000-rule point is labelled 31 s.
(b) User Extraction and ACL Population Time:
No. of Rules | No. of Users Retrieved from DB | Retrieval Time (sec) | No. of GRANTs | Rights Granted | ACL Population Time (sec)
100 | 2201 | 7 | 19 | 2180 | 0.16
1000 | 9569 | 150 | 119 | 36142 | 8
3000 | 25432 | 431 | 120 | 109479 | 56
5000 | 34558 | 720 | 120 | 170757 | 131

Slide 16: Update Analysis
Attribute updates were issued as: UPDATE users SET attr_x = val_x, …, attr_y = val_y WHERE condition
Table columns: Users Updated | Attributes Updated | Rules Reconsidered | New Rights | Obsolete Rights | Total Time (sec)
Row data as it survives in the transcript (cell boundaries lost):
1666 539101104
10662101143
15822 50 1163
20900 50 1161
12384 5391411369
106621212409
158222612433
209003312448

Slide 17: Comparison with Existing Approaches
Chart only; the one surviving axis label is "Request Submitted".

Slide 18: Conclusion
Compiled XACML policy into database ACLs.
Built a prototype, MyABDAC, and tested it on MySQL.
Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster.

Slide 19: Backup Slides

Slide 20: Simplified XACML Policy
The four rules as attribute tuples (comparison operators as on slide 6):
R1: position = nurse, department = infectious disease; resource: sensitive information; actions: select, insert
R2: position = nurse, experience > 5; resource: table1; actions: select, delete
R3: position = nurse, level < 3; resource: table1; action: select
R4: position = nurse, floor = 4; resource: table1; actions: select, insert

Slide 21: Cache Compilation
Table Name | Fields
ruledetails | ruleID, policyID, subjectQuery, resource, action, effect
log | username, resource, action, effect, status, ruleID

Slide 22: Space Requirement
Chart only; no text survives in the transcript.

Slide 23: Key Related Works
A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008.
Sun Microsystems, Inc. Sun's XACML Implementation.
S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.
