Department of Computer Science
• PCL: A Policy Combining Language
• EXAM: Environment for Xacml policy Analysis & Management
Elisa Bertino, Ninghui Li
(Purdue University)
• A policy may contain multiple subpolicies. The effect of the whole policy is determined by combining the effects of sub-policies
– Firewalls: first-applicable
– XACML: deny-overrides, permit-overrides, first-applicable, only-one-applicable
• Weak-consensus:
• Strong-consensus:
• Weak-majority:
• Strong-majority:
An expressive and practical language for specifying policy combining algorithms
Our solution: PCL
NINGHUI LI, ELISA BERTINO,
QIHUA WANG, WAHBEH QADARJI
Purdue University
• Uses four values: Σ = {P, D, NA, IN}
• Evaluation errors are represented by non-empty subsets of {P, D, NA, IN}
– 15 possible values
• Two ways to specify policy combining behavior
– Using a Policy Combining Operator (PCO)
– Using linear constraints
• Policy combining operator (PCO)
– is a PCA that combines two policies (or rules)
– g: Σ × Σ -> Σ, where Σ = {P, D, NA, IN}
• A PCO can be represented as a matrix (rows: result of P1, columns: result of P2)
Deny-overrides
P1 \ P2   P   D   NA  IN
P         P   D   P   D
D         D   D   D   D
NA        P   D   NA  D
IN        D   D   D   D
First-applicable
P1 \ P2   P   D   NA  IN
P         P   P   P   P
D         D   D   D   D
NA        P   D   NA  IN
IN        IN  IN  IN  IN
• PCA should be a function Σ+ -> Σ
• Given a PCO g, its recursive PCA is the function f:
– f(P1) = P1
– f(P1, P2) = g(P1, P2)
– f(P1, …, Pn) = g(f(P1, …, Pn-1), Pn)
• DFA-representation of policy evaluation
(Figure: DFAs for Deny-overrides and First-applicable; states are the combined value so far, P, D, NA or IN, and transitions are labelled by the next subpolicy result, e.g. "Any", "P, NA", "D, IN")
• PCOs cannot express counting-based strategies.
• The second approach to PCA specification uses linear constraints on the number of subpolicies that return P, D, NA, and IN.
– A linear constraint is an expression built from #P, #D, #NA, #IN, addition/subtraction, comparisons, AND and OR
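As an added example, not the PCL authors' code: the two PCOs from the matrices above as lookup tables, the recursive PCA f built from a PCO g, and a counting-based PCA written as ordered linear constraints over #P, #D, #NA and #IN. The majority rule at the end is a constructed illustration, not the slides' definition of weak- or strong-majority.

```python
# Added example (not the PCL authors' code). Sigma = {P, D, NA, IN};
# a PCO g is a 4x4 lookup table indexed [P1][P2].
SIGMA = ("P", "D", "NA", "IN")

DENY_OVERRIDES = {                       # rows P1, columns P2
    "P":  {"P": "P", "D": "D", "NA": "P",  "IN": "D"},
    "D":  {"P": "D", "D": "D", "NA": "D",  "IN": "D"},
    "NA": {"P": "P", "D": "D", "NA": "NA", "IN": "D"},
    "IN": {"P": "D", "D": "D", "NA": "D",  "IN": "D"},
}
FIRST_APPLICABLE = {
    "P":  {"P": "P",  "D": "P",  "NA": "P",  "IN": "P"},
    "D":  {"P": "D",  "D": "D",  "NA": "D",  "IN": "D"},
    "NA": {"P": "P",  "D": "D",  "NA": "NA", "IN": "IN"},
    "IN": {"P": "IN", "D": "IN", "NA": "IN", "IN": "IN"},
}

def recursive_pca(g, results):
    """f(P1) = P1; f(P1,...,Pn) = g(f(P1,...,Pn-1), Pn)."""
    if not results:
        raise ValueError("a PCA is defined on Sigma+, not on the empty sequence")
    acc = results[0]
    for r in results[1:]:
        acc = g[acc][r]
    return acc

def linear_constraint_pca(constraints, default, results):
    """Counting-based PCA: constraints is an ordered list of
    (predicate over the counts #P/#D/#NA/#IN, outcome); the first
    satisfied constraint decides, `default` applies otherwise."""
    counts = {v: results.count(v) for v in SIGMA}
    for predicate, outcome in constraints:
        if predicate(counts):
            return outcome
    return default

# Constructed majority rule (an illustration, not the slides' definition
# of weak-/strong-majority): any Indeterminate subpolicy makes the result
# IN; otherwise the side with more votes wins, and a tie yields NA.
MAJORITY_EXAMPLE = [
    (lambda n: n["IN"] > 0,     "IN"),
    (lambda n: n["P"] > n["D"], "P"),
    (lambda n: n["D"] > n["P"], "D"),
]

def majority(results):
    return linear_constraint_pca(MAJORITY_EXAMPLE, "NA", results)
```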
• Optimized evaluation of PCAs
• Specify obligation-handling behavior in a PCA
• An XACML Policy can include the PCA it wants to use
• A PDP that understands PCL can parse and understand all PCAs specified in it
– makes deployment of new PCAs feasible
• We implemented PCL and integrated it with Sun’s implementation for XACML 1.1
• Changes and additions were made to several classes and the Result class in particular to account for errors in evaluation
EXAM
Environment for Xacml policy Analysis & Management
EXAM is a comprehensive environment for analyzing and managing XACML access control policies. It supports acquisition, editing and retrieval of policies in addition to policy similarity filtering, policy similarity analysis and policy integration.
ELISA BERTINO, NINGHUI LI, GABRIEL GHINITA, PRATHIMA RAO
Purdue University
(Architecture figure: users interact through the User Interface and a Query Dispatcher, which routes requests to the Policy Annotation module, the Policy Similarity Filter, the Policy Repository, the Policy Similarity Analyzer and the Policy Integration Framework)
• Goal
– Characterize the relationships among the sets of requests respectively authorized by a set of policies.
• Two techniques
– Policy Similarity Filter
• Less precise, faster (based on document matching techniques)
– Policy Similarity Analyzer
• Precise, slower (based on MTBDDs)
• A visualization environment has been developed to visualize policy similarity results
Multi-level Grid Visualization of Policy Similarity
(Figure: similarity grid with an Action Type axis; example policies p3 <Time [9am,1am]> and p4 <Time [1am,9am]>)
• A Fine-grained Integration Algebra (FIA)
– 3-valued (Permit, Deny, NotApplicable)
– Specify behavior at the granularity of requests and effects
– Restrict domain of applicability
– Support expressive policy languages like XACML
• Framework for specifying integration constraints and generating integrated policies.
– MTBDD based implementation of FIA
– Generation of integrated policy in XACML syntax.
Fine-grained Integration Algebra (FIA)
• Vocabulary of attribute names and domains
• Policy constants: Permit policy, Deny policy
• Binary operators: Addition, Intersection
• Unary operators: Negation, Domain Projection
• Expressivity
– FIA can express all XACML policy combining algorithms
– FIA can express policy “jumps”
– FIA can model closed policies and open policies
• Completeness
– A completeness notion has been developed, based on the concept of policy combination matrix, and FIA is complete with respect to such notion
• Minimality
– Identification of the minimal complete subsets of the FIA operators
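An added example, not the EXAM/FIA authors' code, of how the algebra's operators can express XACML combining algorithms and a closed policy. The operator semantics it uses (addition as permit-wins, intersection as agreement, negation as swapping Permit and Deny, domain projection as restriction to a domain constraint) are my assumptions drawn from the operator list above, not the FIA definitions; the sample policies and requests are constructed.

```python
# Added example, not the EXAM/FIA authors' code. A 3-valued policy is a
# function request -> Permit | Deny | NotApplicable. The operator
# semantics are my assumption from the slide's operator list, not the
# FIA definitions: addition permits if either operand permits, else
# denies if either denies; intersection keeps an effect only where both
# operands agree; negation swaps Permit and Deny; domain projection
# restricts a policy to requests satisfying a domain constraint dc.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_policy(req):              # policy constant: denies everything
    return DENY

def add(p1, p2):
    def f(req):
        e1, e2 = p1(req), p2(req)
        if PERMIT in (e1, e2):
            return PERMIT
        return DENY if DENY in (e1, e2) else NA
    return f

def intersect(p1, p2):
    def f(req):
        e1, e2 = p1(req), p2(req)
        return e1 if e1 == e2 else NA
    return f

def negate(p):
    flip = {PERMIT: DENY, DENY: PERMIT, NA: NA}
    return lambda req: flip[p(req)]

def project(dc, p):
    return lambda req: p(req) if dc(req) else NA

# XACML combiners written in the algebra (derived under the assumed semantics)
def permit_overrides(p1, p2):
    return add(p1, p2)

def deny_overrides(p1, p2):
    return negate(add(negate(p1), negate(p2)))

def closed(p):                     # closed policy: not permitted => denied
    return add(p, deny_policy)

# Constructed sample policies over requests {"role": ..., "action": ...}
def doctors_read(req):
    return PERMIT if (req["role"], req["action"]) == ("doctor", "read") else NA

def no_writes(req):
    return DENY if req["action"] == "write" else NA
```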
• A prototype has been completed that includes the similarity filter and analyzer
• The visualization tool has been completed
• We expect to release EXAM to the project team in December 2009
• Study the specification and analysis of stateful policies in a practical way
– e.g., by extending XACML
• User experimental study – the goal is to assess whether the similarity filter is a good predictor for policy similarity as perceived by users
• Extend EXAM with tools for synonym and dictionary management, and ontologies
• Develop tools for collaborative privacy-preserving policy enforcement