Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine Canh Ngo, Marc X. Makkes, Yuri Demchenko, Cees de Laat System and Network Engineering Group, University of Amsterdam PST 2013 July 12, 2013
Page 1: Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine

Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine

Canh Ngo, Marc X. Makkes, Yuri Demchenko, Cees de Laat

System and Network Engineering Group, University of Amsterdam

PST 2013, July 12, 2013

Page 2

PST 2013, Tarragona, July 12, 2013

Content

• Overview
• Related work
• Motivation
• XACML Analysis
• Proposed mechanisms: Multi-data-types Interval Decision Diagrams
• XACML Evaluation Engine
• Evaluation & Experiments
• Conclusion

Page 3

XACML Policy Language

Overview

• XACML - eXtensible Access Control Markup Language
  – Attribute based Access Control model (ABAC)
  – History:
    • 2003 – XACML 1.0
    • 2005 – XACML 2.0
    • 2013 – XACML 3.0

Page 4

XACML: Policy Language Model v3.0

XACML Overview

[Figure: UML class diagram of the XACML 3.0 policy language model, showing PolicySet, Policy, Target, AnyOf, AllOf, Rule, Condition, Effect, Policy Combining Algorithm, Rule Combining Algorithm, ObligationExpression and AdviceExpression with their multiplicities (1, 1..*, 0..*).]

Page 5

XACML: Architecture

XACML Overview

[Figure: XACML data flow between Access Requester, PEP, Obligation service, Context handler, PDP, PAP, PIP, Subjects, Resource and Environment. Numbered flows as labelled on the slide:]

1. Policies (PAP → PDP)
2. Request (Access Requester → PEP)
3. Req (PEP → Context handler)
4. Req (Context handler → PDP)
5. attr query (PDP → Context handler)
6. attr query (Context handler → PIP)
7a. Subj attrs, 7b. Env attrs, 7c. Res attrs (Subjects / Environment / Resource → PIP)
8. attributes (PIP → Context handler)
9. Res content (Resource → Context handler)
10. attrs (Context handler → PDP)
11. Resp (PDP → Context handler)
12. Resp (Context handler → PEP)
13. Obligations (PEP → Obligation service)

Page 6

Motivation

• XACML policy analysis and evaluation
  – High performance evaluation
  – Solve Indeterminate states handling [*]
  – Complex XACML logic expressions
  – Support XACML analysis and verification

[*] Multiple Indeterminate states in XACML 3.0: Indeterminate, Indeterminate(D), Indeterminate(P), Indeterminate(DP)

Page 7

Related work

• Current implementations
  – Mechanisms: brute-force search, caching decisions
  – SunXACML [1]: XACML 2.0 standard implementation, 100-200 req/s
  – Enterprise-XACML [2]: XACML 2.0, caching optimizations
• Policy verification and management
  – XACML verification with binary decision diagrams [3]
  – Redundancy detection & policy optimization using description logic [4]
  – Policy integration algebra with binary decision diagrams [5]

1. http://sunxacml.sourceforge.net/
2. http://code.google.com/p/enterprise-java-xacml/
3. K. Fisler et al. Verification and change-impact analysis of access-control policies. ICSE '05.
4. V. Kolovski et al. Analyzing web access control policies. WWW '07.
5. P. Rao et al. An algebra for fine-grained integration of XACML policies. SACMAT '09.

Page 8

XACML policy evaluation

Related work

• Marouf et al. [6]
  – Uses statistics to cluster the most frequently evaluated rules/policies at the top levels
• Liu et al. [7]: XEngine
  – Mechanism: uses firewall decision diagrams to transform XACML policies into flat policies; numericalizes predefined values
  – Pros: very high performance
  – Cons: supports only "=" operators and a fixed number of attribute values; incorrect processing of Indeterminate states

6. S. Marouf et al. Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation. 2009.
7. A. Liu et al. Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers, 2011.

Page 9

XACML policy evaluation

Related work

• Ros et al. [8]: Graph-based XACML evaluation
  – Mechanism: improves on [6] with more comparison operators
  – Cons: supports only a subset of XACML policies
    • Ignores XACML Indeterminate states (*)
    • "MustBePresent" (**) property: handles missing attributes in requests
    • Data interval processing: handles only simple forms of Target logic expressions

8. S. Ros et al. Graph-based XACML evaluation. SACMAT '12.

(*) XACML 3.0 has multiple decision values: Permit (P), Deny (D), NotApplicable (NA), Indeterminate states (INDP, IND, INP)

[Figure: sample policy and its evaluation. PolicyId='P0', CombiningAlgo="Deny-overrides", Target (resId="data") ∧ (action="r"). Rules as shown: RuleId='R2', Permit, (role="guests"); RuleId='R1', Deny, (role="manager") ∧ (resId="data") ∧ (action="w"); RuleId='R3', Permit. For the request R(_, data, r), which carries no role attribute, PDP computes DO(NA, P, NA) = P, whereas PDP* computes DO(IND, P, INP) = INDP.]

Page 10

Attribute logic expressions

XACML Analysis

• Request: $X = \{x_1, x_2, \dots, x_n\}$
• Match expression: $m_k := (x, f, v)$
• Target expression
  – AllOf expression: $\bigwedge_k m_k$
  – AnyOf expression: $\bigvee_j \bigwedge_k m_{kj}$
  – $T(X) = \bigwedge_i \bigvee_j \bigwedge_k m_{kji}$
• Matching rule logic condition path: $\bigwedge_{i \in \{P_0, \dots, P_k, r\}} T_i(X) \to \mathrm{true}$

[Figure: a sample policy tree. The root policy set PS0 contains policy sets (PS, PS1) and policies (P, P2), which in turn contain rules (R).]

Page 11

XACML Combining Algorithms

XACML Analysis

• Specifications: XACML 2.0, 3.0
• DFA representation
  – States: $Q = \{P, D, INP, IND, INDP, NA\}$
  – Input symbols: $Q$
  – Start state: NA
  – Accept states: $Q$
  – Transition function: $\delta: Q \times Q \to Q$
• Combining algorithms (*): Permit-overrides, Deny-overrides, First-applicable, Only-one-applicable, Permit-unless-deny, Deny-unless-permit

(*) XACML 3.0 specs

Permit-overrides transition function (rows: current state; columns: next input decision):

        P     INDP  INP   D     IND   NA
  P     P     P     P     P     P     P
  INDP  P     INDP  INDP  INDP  INDP  INDP
  INP   P     INDP  INP   INDP  INDP  INP
  D     P     INDP  INDP  D     D     D
  IND   P     INDP  INDP  D     IND   IND
  NA    P     INDP  INP   D     IND   NA
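As an added example (my code, not from the slides or the SNE-XACML project), the Permit-overrides table above encoded as the DFA transition function δ, with Deny-overrides derived as its Permit/Deny mirror image and the slide 14 mapping from MustBePresent and rule effect to a decision state; all function names are my own.

```python
# Added example, not from the slides or SNE-XACML: XACML 3.0 combining
# algorithms as the DFA of slide 11 (states Q, start state NA, delta: Q x Q -> Q).
from functools import reduce

STATES = ("P", "INDP", "INP", "D", "IND", "NA")

# Permit-overrides transition table copied from the slide: rows are the current
# state, columns (in STATES order) the next child decision fed to the DFA.
_PO_ROWS = {
    "P":    "P    P    P    P    P    P",
    "INDP": "P    INDP INDP INDP INDP INDP",
    "INP":  "P    INDP INP  INDP INDP INP",
    "D":    "P    INDP INDP D    D    D",
    "IND":  "P    INDP INDP D    IND  IND",
    "NA":   "P    INDP INP  D    IND  NA",
}
PERMIT_OVERRIDES = {(state, STATES[col]): out
                    for state, row in _PO_ROWS.items()
                    for col, out in enumerate(row.split())}

def _mirror(state):
    """Swap P<->D and INP<->IND; INDP and NA are their own mirror image."""
    return {"P": "D", "D": "P", "INP": "IND", "IND": "INP"}.get(state, state)

# Deny-overrides is Permit-overrides with the Permit and Deny roles exchanged,
# so its table is the mirror image of the one above.
DENY_OVERRIDES = {(_mirror(s), _mirror(i)): _mirror(out)
                  for (s, i), out in PERMIT_OVERRIDES.items()}

def combine(table, decisions):
    """Fold the child decisions through delta starting from NA; an empty
    sequence of children therefore yields NA."""
    for d in decisions:
        if d not in STATES:
            raise ValueError(f"unknown decision state {d!r}")
    return reduce(lambda state, d: table[(state, d)], decisions, "NA")

def missing_attribute_state(must_be_present, effect):
    """Decision state of a rule whose Target attribute is absent from the
    request (slide 14): NA unless MustBePresent, then INP or IND by effect."""
    if not must_be_present:
        return "NA"
    return "INP" if effect == "Permit" else "IND"

def is_order_independent(table):
    """Both tables are commutative, so children may be combined in any order."""
    return all(table[(a, b)] == table[(b, a)] for a in STATES for b in STATES)
```

The slide 9 case reproduces directly: combine(DENY_OVERRIDES, ["IND", "P", "INP"]) gives INDP, while combine(DENY_OVERRIDES, ["NA", "P", "NA"]) gives P.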

Page 12

Multi-data-type Interval Decision Diagrams

Proposed mechanism

• A decision diagram $G(V, E)$ represents a function $f$:
  $f(x_1, x_2, \dots, x_n) : D_1 \times D_2 \times \dots \times D_n \to \{\mathrm{true}, \mathrm{false}\}$
• Partial function decomposition:
  $f(X) = \bigvee_{P \in \mathcal{P}(D_i)} h_{x_i}(P) \wedge f_{x_i}^{P}$, where
  $h_{x_i}(P) = \mathrm{true}$ if $x_i \in P$, $\mathrm{false}$ if $x_i \notin P$
• Concepts
  – Interval: $I \subseteq D_i$
  – Interval partition: $\mathcal{P} = \{ I \mid I \subseteq D_i : \forall I_i, I_j,\ i \neq j,\ I_i \cap I_j = \emptyset \}$

Multi-data-type decision diagrams (MIDD): an example

[Figure: a MIDD over attributes x1, x2, x3. The root tests x1 against the partition {P11, P12, P13}; the x2 nodes test partitions P21..P27; the x3 nodes test partitions P31..P35; paths end in the leaf True.]

Page 13

Generic Interval Partition Processing

Proposed mechanism

• Concept
  – Reduced interval partition: P' = |P|
• Operators on reduced interval partitions
  – Union: $\forall v \in \mathcal{P}_1 \cup \mathcal{P}_2,\ v \in \mathcal{P}$
  – Intersect: $\forall v \in \mathcal{P}_1 \cap \mathcal{P}_2,\ v \in \mathcal{P}$
  – Complement: $\forall v \in \mathcal{P}_1 \setminus \mathcal{P}_2,\ v \in \mathcal{P}$
• Operators on MIDDs of logical functions $f_1, f_2$
  – Conjunctive join: $M_f = M_{f_1} \wedge M_{f_2}$
  – Disjunctive join: $M_f = M_{f_1} \vee M_{f_2}$

Page 14

Methods: Construct X-MIDDs

XACML Evaluation

[Figure: pipeline. XACML rule R → MIDD parsing → MIDD_R → X-MIDD transformation → X-MIDD_R.]

MIDD parsing:
• Extract, aggregate & reduce the interval partition (IP) list from AllOf expressions
• Create a MIDD path for each AllOf expression
• Compose MIDDs with conjunctive & disjunctive joins

X-MIDD transformation:
• Leaf node: condition, effect, obligations/advices
• Internal nodes: decision states

Decision states:

  Decision state  MustBePresent  Rule Effect
  NA              False          _
  INP             True           Permit
  IND             True           Deny

Page 15

Methods: Construct X-MIDDs (2)

XACML Evaluation

[Figure: sample policy. PolicyId='P0', CombiningAlgo="Permit-overrides", Target ('1080AB' ≤ pcode) ∧ (pcode ≤ '1098XH').]

RuleId='R1', Permit, obligation O1; Target AllOf expressions:
• ('1080AB' ≤ pcode ≤ '1085BL') ∧ (6 ≤ time ≤ 9) ∧ (1 ≤ price ≤ 2)
• ('1095CJ' ≤ pcode ≤ '1098XH') ∧ (1 ≤ price ≤ 2)
• ('1080AB' ≤ pcode ≤ '1085BL') ∧ (12 ≤ time ≤ 17) ∧ (3 ≤ price ≤ 4)

RuleId='R2', Deny, obligation O2; Target AllOf expressions:
• (pcode = '1080AB') ∧ (time = 17)
• ('1085BL' ≤ pcode ≤ '1095CJ') ∧ (time = 9)
• (pcode = '1098XH') ∧ (time = 12)

Rule R1: MIDDs (one path per AllOf expression)
• P-code [1080AB,1085BL] → time [12pm,5pm] → Price [3,4] → True
• P-code [1095CJ,1098XH] → Price [1,2] → True
• P-code [1080AB,1085BL] → time [6am,9am] → Price [1,2] → True

Page 16

Methods: Construct X-MIDDs (3)

XACML Evaluation

[Figure: the three MIDDs of rule R1 (slide 15) are merged by MIDD disjunctive/conjunctive joins into one combined MIDD that shares the P-code and time nodes.]

Rule R1: Combined MIDD
P-code
  [1080AB,1085BL] → time
    [6am,9am]  → Price [1,2] → True
    [12pm,5pm] → Price [3,4] → True
  [1095CJ,1098XH] → Price [1,2] → True
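An added example (my code, not the SNE-XACML implementation): the interval partition lookup of slides 12-13 as a small MIDD evaluator that does one binary search per attribute, built over rule R1's combined MIDD from slide 16. Times are modelled as integer hours (6am = 6, 5pm = 17), postcodes as strings, the leaf as the string "Permit", and the class and function names are my own.

```python
# Added example, not from the slides or SNE-XACML: a multi-data-type interval
# decision diagram evaluated by binary search over reduced interval partitions.
from bisect import bisect_right
from dataclasses import dataclass

@dataclass
class Node:
    """Internal MIDD node: tests one attribute against a sorted partition of
    pairwise disjoint closed intervals [lo, hi]; each interval owns one child
    (another Node or a leaf decision string such as "Permit")."""
    attr: str
    intervals: list   # [(lo, hi, child), ...] sorted by lo

    def __post_init__(self):
        # Enforce the partition property: intervals sorted and non-overlapping.
        for (_, hi_prev, _), (lo, _, _) in zip(self.intervals, self.intervals[1:]):
            if not hi_prev < lo:
                raise ValueError(f"{self.attr}: intervals must be disjoint and sorted")
        self.lows = [lo for lo, _, _ in self.intervals]

def evaluate(node, request, missing="NA"):
    """Walk the MIDD for one request (dict attr -> value). Each level costs a
    single binary search over its partition, so a path through n attributes
    costs O(sum_i log(2k_i + 1)), the evaluation bound of slide 20."""
    while isinstance(node, Node):
        if node.attr not in request:
            return missing      # MustBePresent handling would map this to INP/IND
        x = request[node.attr]
        i = bisect_right(node.lows, x) - 1
        if i < 0 or x > node.intervals[i][1]:
            return "NA"         # x falls into a gap of the partition
        node = node.intervals[i][2]
    return node

# Rule R1 of the slides (postcode, hour of day, price), constructed here to
# mirror the combined MIDD of slide 16.
R1 = Node("pcode", [
    ("1080AB", "1085BL", Node("time", [
        (6, 9, Node("price", [(1, 2, "Permit")])),
        (12, 17, Node("price", [(3, 4, "Permit")])),
    ])),
    ("1095CJ", "1098XH", Node("price", [(1, 2, "Permit")])),
])
```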

Page 17

Methods: Construct X-MIDDs (4)

XACML Evaluation

[Figure: rule R1's combined MIDD is transformed into X-MIDD_R1. Each internal node is annotated with the decision state returned when its attribute is missing from the request, and the leaf carries the effect and obligation.]

X-MIDD_R1
P-code (INP)
  [1080AB,1085BL] → time (NA)
    [6am,9am]  → Price (NA) → [1,2] → P, (O1)
    [12pm,5pm] → Price (NA) → [3,4] → P, (O1)
  [1095CJ,1098XH] → Price (NA) → [1,2] → P, (O1)

Page 18

Methods: Construct X-MIDDs (4)

XACML Evaluation

X-MIDD_R1
P-code (INP)
  [1080AB,1085BL] → time (NA)
    [6am,9am]  → Price (NA) → [1,2] → P, (O1)
    [12pm,5pm] → Price (NA) → [3,4] → P, (O1)
  [1095CJ,1098XH] → Price (NA) → [1,2] → P, (O1)

X-MIDD_R2
P-code (IND)
  [1080AB]        → time (NA) → [5pm]  → D, (O2)
  [1085BL,1095CJ] → time (NA) → [9am]  → D, (O2)
  [1098XH]        → time (NA) → [12pm] → D, (O2)

Page 19

Methods: Combine X-MIDDs

XACML Evaluation

[Figure: X-MIDD_P0 = Permit-overrides(X-MIDD_R1, X-MIDD_R2). The root P-code node carries decision state INDP. Its partition is refined so that R2's point intervals are separated from R1's ranges: [1080AB], (1080AB,1085BL), [1085BL], (1085BL,1095CJ), [1095CJ], (1095CJ,1098XH), [1098XH]. Where both rules apply (P-code [1080AB] with time [5pm], [1085BL] with time [9am], [1095CJ] with time [9am], [1098XH] with time [12pm]) the Price node carries decision state D, (O2); its R1 interval ([1,2] or [3,4]) leads to P, (O1) and the complement ({(-inf,1)U(2,+inf)} or {(-inf,3)U(4,+inf)}) leads to D, (O2). Where only R1 applies, the time nodes (NA) split into [6am,9am), [12pm,5pm) and the like, with Price (NA) children leading to P, (O1); the time nodes' complements ({(-inf,9am)U(9am,+inf)}, {(-inf,12pm)U(12pm,+inf)}) likewise lead to R1's Price nodes. Where only R2 applies (P-code (1085BL,1095CJ), time [9am]) the leaf is D, (O2).]

Page 20

Evaluation and Experiments: complexity

XACML Evaluation

• Policies with $n$ attributes, $a_i \in P_i$
• $P_i$ has $k_i$ distinct values in the policies
• X-MIDD complexity
  – Evaluation time (average): $O\left(\sum_{i=1}^{n} \left(\log_2(2k_i + 1) + 1\right)\right)$
  – Space (worst case): $O\left(\sum_{i=1}^{n} \prod_{j=1}^{i} (2k_j + 1)\right)$

Page 21

Evaluation and Experiments: Implementation

XACML Evaluation

• Implementation
  – XACML 3.0
  – Oracle Java 1.7, Linux Mint x64, i5 2.67GHz, 4GB RAM
  – LGPL: https://code.google.com/p/sne-xacml/
• Validation
  – Compare with SunXACML
  – 1000 random requests/time

Page 22

Evaluation and Experiments: performance

XACML Evaluation

  Dataset          Policy level  #Policy-sets  #Policies  #Rules  Attributes  Operators
  GEYSERS (*)      3             6             7          33      3           =
  Continue-a (**)  6             111           266        298     14          =
  Synthetic-360    4             31            72         360     10          = (80%), complex (20%)

[Chart: average response time in microseconds (log scale, 1.0 to 100000.0) per dataset (GEYSERS, Continue-a, Synthetic-360) for SNE-XACML vs SunXACML. SNE-XACML: average response time for 1M random requests.]

(*) GEYSERS project: http://www.geysers.eu/
(**) Fisler et al. ICSE '05.

Page 23

Evaluation and Experiments: microbenchmark

XACML Evaluation

[Chart: share of per-request time by phase; values as read from the stacked bars]

  Phase                  GEYSERS  Continue-a  Synthetic-360
  X-MIDD eval. time      14.2%    38.7%       44.8%
  Resp. conversion time  3.4%     1.6%        2.5%
  Req. conversion time   82.4%    59.7%       52.3%

                        GEYSERS  Continue-a  Synthetic-360
  Pre-processing (ms)   94       480         1043
  X-MIDD size (nodes)   55       3258        104,675
  Throughput (req/s)    229,551  172,114     238,878

Page 24

Conclusions

• Summary
  – High performance XACML evaluation
  – Solved Indeterminate states handling
  – Critical attribute property setting
  – Complex XACML logic expressions
  – Mechanisms for policy analysis & verification
• Future work
  – Implementation: other XACML 3.0 features
  – Policy verification, redundancy detection

Page 25

Group Meeting Amsterdam, July 12, 2013

Thank you! Q&A

Contact Information
Canh Ngo
System and Network Engineering research group (SNE), University of Amsterdam
Email: [email protected]

SNE-XACML project (LGPL): https://code.google.com/p/sne-xacml/