Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine
Canh Ngo, Marc X. Makkes, Yuri Demchenko, Cees de Laat
System and Network Engineering Group, University of Amsterdam
PST 2013, Tarragona, July 12, 2013
Jun 21, 2015
Content
• Overview
• Related work
• Motivation
• XACML Analysis
• Proposed mechanisms: Multi-data-types Interval Decision Diagrams
• XACML Evaluation Engine
• Evaluation & Experiments
• Conclusion
XACML Policy Language (Overview)
• XACML - eXtensible Access Control Markup Language
– Attribute Based Access Control model (ABAC)
– History:
• 2003 – XACML 1.0
• 2005 – XACML 2.0
• 2013 – XACML 3.0
XACML: Policy Language Model v3.0 (XACML Overview)
[Figure: UML model of the XACML 3.0 policy language: PolicySet, Policy, Target, Policy Combining Algorithm, AnyOf, AllOf, Rule, Condition, Effect, Rule Combining Algorithm, ObligationExpression and AdviceExpression, with their 1 / 1..* / 0..* multiplicities]
XACML: Architecture (XACML Overview)
[Figure: XACML data flow between the Access Requester, PEP, Obligation service, Context handler, PDP, PAP, PIP and the Subjects / Resource / Environment attribute sources]
1. Policies (PAP → PDP)
2. Request (Access Requester → PEP)
3. Req (PEP → Context handler)
4. Req (Context handler → PDP)
5. attr query (PDP → Context handler)
6. attr query (Context handler → PIP)
7a. Subj attrs, 7b. Env attrs, 7c. Res attrs (Subjects / Environment / Resource → PIP)
8. attributes (PIP → Context handler)
9. Res content (Resource → Context handler)
10. attrs (Context handler → PDP)
11. Resp (PDP → Context handler)
12. Resp (Context handler → PEP)
13. Obligations (PEP → Obligation service)
Motivation
• XACML policy analysis and evaluation
– High performance evaluation
– Solve Indeterminate states handling
– Complex XACML logic expressions
– Support XACML analysis and verification
[*] Multiple Indeterminate states in XACML 3.0: Indeterminate, Indeterminate(D), Indeterminate(P), Indeterminate(DP)
Related work
• Current implementations
– Mechanisms: brute-force search, caching decisions
– SunXACML [1]: XACML 2.0 standard implementation: 100-200 req/s
– Enterprise-XACML [2]: XACML 2.0, caching optimizations
• Policy verification and management
– XACML verification with binary decision diagrams [3]
– Redundancy detection & policy optimization using description logic [4]
– Policy integration algebra with binary decision diagrams [5]
1. http://sunxacml.sourceforge.net/
2. http://code.google.com/p/enterprise-java-xacml/
3. K. Fisler et al. Verification and change-impact analysis of access-control policies. (ICSE '05)
4. V. Kolovski et al. Analyzing web access control policies. (WWW '07)
5. P. Rao et al. "An algebra for fine-grained integration of XACML policies." (SACMAT '09)
XACML policy evaluation (Related work)
• Marouf et al. [6]:
– Uses statistics to cluster the most frequently evaluated rules/policies at the top levels
• Liu et al. [7]: XEngine
– Mechanism: uses firewall decision diagrams to transform XACML policies into flat policies; numericalizes predefined values
– Pros: very high performance
– Cons: supports only "=" operators and a fixed number of attribute values; incorrect Indeterminate states processing
6. S. Marouf et al., "Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation," 2009
7. A. Liu et al., "Designing Fast and Scalable XACML Policy Evaluation Engines," IEEE Transactions on Computers, 2011
XACML policy evaluation (Related work)
• Ros et al. [8]: Graph-based XACML evaluation
– Mechanism: improved [6] with more comparison operators
– Cons: supports only a subset of XACML policies
• Ignores XACML Indeterminate states (*)
• "MustBePresent" (**) property: handles missing attributes in requests
• Data interval processing: handles only simple forms of Target logic expressions
8. S. Ros et al. Graph-based XACML evaluation. (SACMAT '12).
(*) XACML 3.0 has multiple decision values: Permit (P), Deny (D), NotApplicable (NA), Indeterminate states (INDP, IND, INP)
[Figure: sample policy P0 (CombiningAlgo="Deny-overrides", PolicyId='P0', Target (resId="data") ∧ (action="r")) with rules R1 (Deny; Target (role="manager") ∧ (resId="data") ∧ (action="w")), R2 (Permit; Target (role="guests")) and R3 (Permit). For the request R(, data, r), whose subject role attribute is missing, a PDP that ignores Indeterminate states computes DO(NA, P, NA) = P, whereas a PDP* that handles them computes DO(IND, P, INP) = INDP.]
Attribute logic expressions (XACML Analysis)
• Target Expression
– AllOf expression: $\bigwedge_k m_k$
– AnyOf expression: $\bigvee_j \bigwedge_k m_{kj}$
– Target: $T(X) = \bigwedge_i \bigvee_j \bigwedge_k m_{kji}$
• Request: $X = \{x_1, x_2, \dots, x_n\}$
• Match expression: $m_k := (x, f, v)$
• Matching rule logic condition path: a rule $r$ applies when the Targets of all its ancestors $P_0, \dots, P_k$ and of $r$ itself evaluate to true,
$\bigwedge_{i \in \{P_0, \dots, P_k, r\}} T_i(X) \to \mathrm{true}$
[Figure: a sample policy tree with root PolicySet PS0 containing PolicySets (PS, PS1) and Policies (P, P2), each Policy containing Rules (R)]
XACML Combining Algorithms (XACML Analysis)
• Specifications: XACML 2.0, 3.0
• DFA representation:
– States: Q = {P, D, INP, IND, INDP, NA}
– Input symbols: Q
– Start state: NA
– Accept states: Q
– Transition function: $\delta: Q \times Q \to Q$
• Combining algorithms (XACML 3.0 specs): Permit-overrides, Deny-overrides, First-applicable, Only-one-applicable, Permit-unless-deny, Deny-unless-permit
• Permit-overrides transition function (row: current state, column: input decision):

        P     INDP  INP   D     IND   NA
  P     P     P     P     P     P     P
  INDP  P     INDP  INDP  INDP  INDP  INDP
  INP   P     INDP  INP   INDP  INDP  INP
  D     P     INDP  INDP  D     D     D
  IND   P     INDP  INDP  D     IND   IND
  NA    P     INDP  INP   D     IND   NA
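The Permit-overrides table above run as the DFA the slide describes, as an added Python example (not code from the deck or from the SNE-XACML project): Deny-overrides is derived from it by swapping P/D and INP/IND (an assumption made here, which reproduces the XACML 3.0 results DO(NA, P, NA) = P and DO(IND, P, INP) = INDP from the Ros et al. slide), First-applicable is a two-line δ, and `combine` folds the child decisions from the start state NA. `combine_ignoring_indeterminate` shows what an engine that drops Indeterminate states computes instead.

```python
# Decision states Q of the combining-algorithm DFA, in the deck's column order.
Q = ("P", "INDP", "INP", "D", "IND", "NA")

# Permit-overrides transition table from the slide: row = current state,
# column = next child decision (the table is symmetric, so order does not matter).
_PO_TABLE = """
P    P P    P    P    P    P
INDP P INDP INDP INDP INDP INDP
INP  P INDP INP  INDP INDP INP
D    P INDP INDP D    D    D
IND  P INDP INDP D    IND  IND
NA   P INDP INP  D    IND  NA
"""
PERMIT_OVERRIDES = {}
for _row in _PO_TABLE.split("\n"):
    if _row.strip():
        _state, *_cells = _row.split()
        PERMIT_OVERRIDES[_state] = dict(zip(Q, _cells))

# Deny-overrides as the mirror image of permit-overrides: swap P<->D and
# INP<->IND everywhere (assumption; it matches the XACML 3.0 deny-overrides rules).
_MIRROR = {"P": "D", "D": "P", "INP": "IND", "IND": "INP", "INDP": "INDP", "NA": "NA"}
DENY_OVERRIDES = {_MIRROR[q]: {_MIRROR[s]: _MIRROR[t] for s, t in row.items()}
                  for q, row in PERMIT_OVERRIDES.items()}

def first_applicable(state, symbol):
    # The first conclusive child decision is final; later children are ignored.
    return symbol if state == "NA" else state

ALGORITHMS = {
    "permit-overrides": lambda q, s: PERMIT_OVERRIDES[q][s],
    "deny-overrides": lambda q, s: DENY_OVERRIDES[q][s],
    "first-applicable": first_applicable,
}

def combine(algorithm, decisions):
    """Run the DFA: start in NA and consume one child (rule/policy) decision per step."""
    delta = ALGORITHMS[algorithm]
    state = "NA"
    for d in decisions:
        if d not in Q:
            raise ValueError(f"unknown decision state {d!r}")
        state = delta(state, d)
    return state

def combine_ignoring_indeterminate(algorithm, decisions):
    # What an engine that drops Indeterminate states computes (the "PDP" of the
    # Ros et al. slide): every IND/INP/INDP child is treated as NotApplicable.
    return combine(algorithm, ["NA" if d.startswith("IN") else d for d in decisions])
```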
Multi-data-type Interval Decision Diagrams (Proposed mechanism)
• A decision diagram $G(V, E)$ represents a function $f$
$f(x_1, x_2, \dots, x_n) := D_1 \times D_2 \times \dots \times D_n \to \{\mathrm{true}, \mathrm{false}\}$
• Partial function decomposition over the interval partition $\mathcal{P}(D_i)$ of attribute $x_i$:
$f(X) = \bigvee_{P \in \mathcal{P}(D_i)} \left( h_{x_i}(P) \wedge f_{x_i}(P) \right)$
$h_{x_i}(P) = \begin{cases} \mathrm{true} & \text{if } x_i \in P \\ \mathrm{false} & \text{if } x_i \notin P \end{cases}$
where $f_{x_i}(P)$ is the partial function $f$ restricted to $x_i \in P$.
• Concepts
– Interval: $I \subseteq D_i$
– Interval partition: $\mathcal{P} = \{ I \mid I \subseteq D_i : \forall I_i, I_j,\ i \neq j,\ I_i \cap I_j = \emptyset \}$
Multi-data-type decision diagrams (MIDD): an example
[Figure: example MIDD over attributes x1, x2, x3; the root x1 node branches on the partition intervals P11, P12, P13, the x2 nodes on P21..P27 and the x3 nodes on P31..P35, and the matching paths end in a True terminal]
Generic Interval Partition Processing (Proposed mechanism)
• Concept
– Reduced interval partition: P' = |P|
• Operators on reduced interval partitions
– Union: $\forall v \in P_1 \cup P_2,\ v \in P$
– Intersect: $\forall v \in P_1 \cap P_2,\ v \in P$
– Complement: $\forall v \in P_1 \setminus P_2,\ v \in P$
• Operators on MIDDs representing the logical functions $f_1, f_2$
– Conjunctive join: $M_f = M_{f_1} \wedge M_{f_2}$
– Disjunctive join: $M_f = M_{f_1} \vee M_{f_2}$
Methods: Construct X-MIDDs (XACML Evaluation)
• Pipeline: XACML rule R → MIDD parsing → MIDD_R → X-MIDD transformation → X-MIDD_R
• MIDD parsing
– Extract, aggregate & reduce the interval-partition (IP) list from AllOf expressions
– Create a MIDD path for each AllOf expression
– Compose MIDDs: conjunctive & disjunctive joins
• X-MIDD transformation
– Leaf node: condition, effect, obligations/advices
– Internal nodes: decision states, derived from the attribute's MustBePresent property and the rule effect:

  Decision state  MustBePresent  Rule Effect
  NA              False          –
  INP             True           Permit
  IND             True           Deny
Methods: Construct X-MIDDs (2) (XACML Evaluation)
[Figure: example policy P0 (CombiningAlgo="Permit-overrides", PolicyId='P0', Target ('1080AB' ≤ pcode) ∧ (pcode ≤ '1098XH')) with Rule R1 (Permit, obligation O1) and Rule R2 (Deny, obligation O2); the rules' Target expressions over pcode, time and price are illegible in the extracted text]
Rule R1: MIDDs, one path per AllOf expression
– P-code [1080AB,1085BL] → time [12pm,5pm] → Price [3,4] → True
– P-code [1095CJ,1098XH] → Price [1,2] → True
– P-code [1080AB,1085BL] → time [6am,9am] → Price [1,2] → True
Methods: Construct X-MIDDs (3) (XACML Evaluation)
[Figure: the three MIDDs of Rule R1 are merged by MIDD disjunctive/conjunctive joins]
Rule R1: Combined MIDDs
– P-code [1080AB,1085BL] → time [6am,9am] → Price [1,2] → True
– P-code [1080AB,1085BL] → time [12pm,5pm] → Price [3,4] → True
– P-code [1095CJ,1098XH] → Price [1,2] → True
(the two paths over [1080AB,1085BL] now share one P-code edge and one time node)
Methods: Construct X-MIDDs (4) (XACML Evaluation)
Transform Rule R1's combined MIDD into X-MIDD_R1: each internal node is annotated with its decision state and the True leaf becomes the rule effect with its obligation
– P-code(INP) [1080AB,1085BL] → time(NA) [6am,9am] → Price(NA) [1,2] → P, (O1)
– P-code(INP) [1080AB,1085BL] → time(NA) [12pm,5pm] → Price(NA) [3,4] → P, (O1)
– P-code(INP) [1095CJ,1098XH] → Price(NA) [1,2] → P, (O1)
Methods: Construct X-MIDDs (4) (XACML Evaluation)
X-MIDD_R1
– P-code(INP) [1080AB,1085BL] → time(NA) [6am,9am] → Price(NA) [1,2] → P, (O1)
– P-code(INP) [1080AB,1085BL] → time(NA) [12pm,5pm] → Price(NA) [3,4] → P, (O1)
– P-code(INP) [1095CJ,1098XH] → Price(NA) [1,2] → P, (O1)
X-MIDD_R2
– P-code(IND) [1080AB] → time(NA) [5pm] → D, (O2)
– P-code(IND) [1085BL,1095CJ] → time(NA) [9am] → D, (O2)
– P-code(IND) [1098XH] → time(NA) [12pm] → D, (O2)
Methods: Combine X-MIDDs (XACML Evaluation)
Permit-overrides(X-MIDD_R1, X-MIDD_R2) = X-MIDD_P0
[Figure: the combined X-MIDD_P0. The root P-code(INDP) node splits the P-code axis into the reduced partition [1080AB], (1080AB,1085BL), [1085BL], (1085BL,1095CJ), [1095CJ], (1095CJ,1098XH), [1098XH]. Below it, time(NA) nodes split the time axis, e.g. for [1080AB] into [6am,9am], [12pm,5pm) and [5pm], and for [1085BL] into [6am,9am), [9am] and [12pm,5pm]. Where both rules can match (e.g. [1080AB] at [5pm], [1085BL] at [9am], [1095CJ] at [9am], [1098XH] at [12pm]) the Price node carries the deny state, Price(D, (O2)): its matching interval ([3,4] or [1,2]) leads to P, (O1) because Permit-overrides prefers R1's Permit, and the complement edge {(-inf,3)∪(4,+inf)} or {(-inf,1)∪(2,+inf)} leads to D, (O2); the complement time edges {(-inf,9am)∪(9am,+inf)} and {(-inf,12pm)∪(12pm,+inf)} lead to R1's Price(NA) node. Pieces reached only by R2, e.g. (1085BL,1095CJ) at [9am], lead directly to D, (O2); pieces reached only by R1 keep their Price(NA) nodes leading to P, (O1).]
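The reduced interval partition that the P-code(INDP) root above splits on, and the union/intersect/complement operators of the Generic Interval Partition Processing slide, as an added Python example (not the deck's or the SNE-XACML project's code): overlapping intervals from several rules are cut at every endpoint into disjoint pieces tagged with the rules that cover them, and adjacent pieces with the same rule set are merged back so that, for instance, the time axis at P-code '1080AB' comes out as [6am,9am], [12pm,5pm), [5pm]. The sample intervals are constructed from the deck's R1/R2 example; representing hours as integers (6 = 6am, 17 = 5pm) is my simplification.

```python
from collections import namedtuple

# One interval of an ordered attribute domain; endpoints may be numbers or strings.
Interval = namedtuple("Interval", "lo lo_closed hi hi_closed")

def point(v):
    return Interval(v, True, v, True)

def _has_point(iv, v):
    lo_ok = iv.lo < v or (iv.lo_closed and iv.lo == v)
    return lo_ok and (v < iv.hi or (iv.hi_closed and iv.hi == v))

def _has_gap(iv, lo, hi):
    # The open gap (lo, hi) between two consecutive cut points lies inside iv.
    return iv.lo <= lo and hi <= iv.hi

def reduce_partition(labelled):
    """labelled: [(label, Interval)] from several rules, possibly overlapping.
    Returns disjoint [(Interval, frozenset(labels))] in ascending order; uncovered
    regions (the complement, drawn as (-inf,..) U (..,+inf) on the slide) are omitted."""
    cuts = sorted({e for _, iv in labelled for e in (iv.lo, iv.hi)})
    raw = []
    for i, c in enumerate(cuts):  # every cut point becomes its own singleton piece
        raw.append((point(c), frozenset(l for l, iv in labelled if _has_point(iv, c))))
        if i + 1 < len(cuts):  # ... followed by the open gap up to the next cut point
            n = cuts[i + 1]
            raw.append((Interval(c, False, n, False),
                        frozenset(l for l, iv in labelled if _has_gap(iv, c, n))))
    merged = []  # merge adjacent pieces with equal label sets: [6],(6,9),[9] -> [6,9]
    for iv, owners in raw:
        if not owners:
            continue
        if merged and merged[-1][1] == owners and merged[-1][0].hi == iv.lo:
            prev = merged[-1][0]
            merged[-1] = (Interval(prev.lo, prev.lo_closed, iv.hi, iv.hi_closed), owners)
        else:
            merged.append((iv, owners))
    return merged

# Constructed from the deck's P0 example: the P-code intervals of rules R1 and R2,
# and the time intervals that apply when P-code = '1080AB' (hours as integers).
PCODE = [("R1", Interval("1080AB", True, "1085BL", True)),
         ("R1", Interval("1095CJ", True, "1098XH", True)),
         ("R2", point("1080AB")),
         ("R2", Interval("1085BL", True, "1095CJ", True)),
         ("R2", point("1098XH"))]
TIME_AT_1080AB = [("R1", Interval(6, True, 9, True)),
                  ("R1", Interval(12, True, 17, True)),
                  ("R2", point(17))]
```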
Evaluation and Experiments: complexity (XACML Evaluation)
• Policies with $n$ attributes, $a_i \in P_i$
• $P_i$ has $k_i$ distinct values in the policies; they cut the domain into at most $2k_i + 1$ disjoint intervals ($k_i$ points and $k_i + 1$ gaps), which is the number of edges an X-MIDD node on $a_i$ searches
• X-MIDD complexity
– Evaluation time (avg): $O\left(\sum_{i=1}^{n} \left( \log_2(2k_i + 1) + 1 \right)\right)$
– Space (worst case): $O\left(\sum_{i=1}^{n} \prod_{j=1}^{i} (2k_j + 1)\right)$
Evaluation and Experiments: Implementation (XACML Evaluation)
• Implementation
– XACML 3.0
– Oracle Java 1.7, Linux Mint x64, i5 2.67GHz, 4GB RAM
– LGPL: https://code.google.com/p/sne-xacml/
• Validation
– Compare with SunXACML
– 1000 random requests per run
Evaluation and Experiments: performance (XACML Evaluation)

  Dataset          Policy level  # Policy-sets  # Policies  # Rules  Attributes  Operators
  GEYSERS (*)      3             6              7           33       3           =
  Continue-a (**)  6             111            266         298      14          =
  Synthetic-360    4             31             72          360      10          = (80%), complex (20%)

[Figure: bar chart, microseconds per request on a log scale from 1.0 to 100000.0, comparing SNE-XACML and SunXACML on GEYSERS, Continue-a and Synthetic-360; SNE-XACML: average response time for 1M random requests]
(*) GEYSERS project: http://www.geysers.eu/ (**) Fisler et al., ICSE '05.
Evaluation and Experiments: microbenchmark (XACML Evaluation)
[Figure: stacked percentage bars of the per-request time split per dataset; the series below are read in legend order]

                         GEYSERS  Continue-a  Synthetic-360
  X-MIDD eval. time      14.2%    38.7%       44.8%
  Resp. conversion time  3.4%     1.6%        2.5%
  Req. conversion time   82.4%    59.7%       52.3%

                       GEYSERS  Continue-a  Synthetic-360
  Pre-processing (ms)  94       480         1043
  X-MIDD size (nodes)  55       3258        104,675
  Throughput (req/s)   229,551  172,114     238,878
Conclusions
• Summary
– High performance XACML evaluation
– Solved Indeterminate states handling
– Critical attribute property setting
– Complex XACML logic expressions
– Mechanisms for policy analysis & verification
• Future work
– Implementation: other XACML 3.0 features
– Policy verification, redundancy detection.
Thank you! Q&A
Contact Information
Canh Ngo
System and Network Engineering research group (SNE), University of Amsterdam
Email: [email protected]
SNE-XACML project (LGPL): https://code.google.com/p/sne-xacml/