DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML
Jorian van Oostenbrugge
Supervisor: Fatih Turkmen
August 19, 2016
System and Network Engineering, University of Amsterdam

WHY
• Customer data more and more valuable
• Data stored in cloud
• Access control becomes critical

XACML
• eXtensible Access Control Markup Language
• XML-based language
• Also an architecture
• OASIS standard for the expression of security policies

XACML ELEMENTS

    <PolicySet>
      <Policy RuleCombiningAlgId="...">
        <Target/>
        <Rule RuleId="..." Effect="Permit">
          <Target/>
          <Condition/>
        </Rule>
        <Rule RuleId="..." Effect="Deny">
          <Target/>
          <Condition/>
        </Rule>
      </Policy>
      <Policy RuleCombiningAlgId="...">
        ...
      </Policy>
    </PolicySet>

EXAMPLE XACML POLICY

    <Policy RuleCombiningAlgId="identifier:rule-combining-algorithm:permit-overrides">
      <Target/>
      <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="string-equal">
                <AttributeValue DataType="string">admin</AttributeValue>
                <AttributeDesignator AttributeId="role" DataType="string"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
        <Condition> ... </Condition>
      </Rule>
      <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule2" Effect="Deny">
        ...
      </Rule>
    </Policy>

XACML IN ACTION
1. Request intercepted by PEP
2. Request converted to XACML
3. PDP evaluates policy
4. If needed retrieve additional attributes
5. PDP reaches decision and forwards this to PEP
6. Request arrives at resource
Source: Wikipedia

RELATED RESEARCH
(Adaptive) reordering
• Based on statistics and categorization
Decision Diagrams
• XEngine
• Matching Tree (MT) and Combining Tree (CT)
• SNE-XACML with MIDD
[Figure: decision diagram example. Source: XEngine: A Fast and Scalable XACML Policy Evaluation Engine]

RESEARCH QUESTION
• Propositional encoding
• PDP

SAT & CNF
• Boolean function: $f(x_1, x_2, \ldots, x_n)$
• Variables, operators and parentheses: $x_1, \land, \lor, \lnot, ()$
• SAT solvers
• CNF: $(p_1 \lor p_2) \land (p_3 \lor p_4) \land (p_5 \lor p_6)$
• Conjunction of clauses
• Disjunction of literals

ALGORITHM
• Constructing attribute domains
• Policy flattening
• SAT encoding

CONSTRUCTING ATTRIBUTE DOMAINS (1)
• Attributes
• AttributeValue
• AttributeDesignator
• AttributeSelector

    <Rule Effect="Permit">
      ...
      <AttributeValue DataType="String">admin</AttributeValue>
      <AttributeDesignator AttributeId="role" DataType="String"/>
      ...
    </Rule>

CONSTRUCTING ATTRIBUTE DOMAINS (2)
$D_{role} \in \{admin, manager, hr, user\}$
$admin \in \{admin, manager, hr, user\}$

CONSTRUCTING ATTRIBUTE DOMAINS (3)
Algorithm 1 EnumerateVariables
Input: A map m containing the DataTypes as keys and (empty) arrays as values and a policy p

    procedure EnumerateVars(p, m)
      for all target elements do
        update m with values found in the policy target
      end for
      for all variable definitions do
        update m with values found in the variable definitions
      end for
      for all policy elements do
        if element is a policy then
          enumerateVars(element, m)
        else if element is a rule then
          update m with values found in the rule targets
          update m with values found in the rule condition
        end if
      end for
    end procedure

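Algorithm 1 written out as runnable Python, added here as an illustration and not taken from the slides or the underlying thesis. The sample policy, the function names and the abbreviated DataType and function identifiers are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the slides' abbreviated notation; trusted input assumed.
SAMPLE = """<PolicySet><Target/>
 <Policy RuleCombiningAlgId="permit-overrides"><Target/>
  <VariableDefinition VariableId="limit">
   <AttributeValue DataType="integer">65</AttributeValue></VariableDefinition>
  <Rule RuleId="r1" Effect="Permit">
   <Target><AnyOf><AllOf><Match MatchId="string-equal">
    <AttributeValue DataType="string">admin</AttributeValue>
    <AttributeDesignator AttributeId="role" DataType="string"/>
   </Match></AllOf></AnyOf></Target></Rule>
  <Rule RuleId="r2" Effect="Deny">
   <Target><AnyOf><AllOf><Match MatchId="string-equal">
    <AttributeValue DataType="string">hr</AttributeValue>
    <AttributeDesignator AttributeId="role" DataType="string"/>
   </Match></AllOf></AnyOf></Target>
   <Condition><Apply FunctionId="integer-greater-than">
    <AttributeDesignator AttributeId="age" DataType="integer"/>
    <AttributeValue DataType="integer">18</AttributeValue>
   </Apply></Condition></Rule>
 </Policy></PolicySet>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]          # strip an XML namespace, if any

def collect(el, m):
    """Add every literal AttributeValue below el to m, keyed by DataType."""
    for v in el.iter():
        if local(v) == "AttributeValue":
            m[v.get("DataType")].add((v.text or "").strip())

def enumerate_vars(p, m):
    """Algorithm 1: walk targets, variable definitions, nested policies, rules."""
    for child in p:
        kind = local(child)
        if kind in ("Target", "VariableDefinition"):
            collect(child, m)
        elif kind in ("Policy", "PolicySet"):
            enumerate_vars(child, m)          # recurse into nested policy (set)
        elif kind == "Rule":
            for part in child:
                if local(part) in ("Target", "Condition"):
                    collect(part, m)
    return m

def attribute_domains(xml_text):
    return enumerate_vars(ET.fromstring(xml_text), defaultdict(set))
```

The resulting map holds one finite value set per DataType, which is the domain the later flattening and SAT encoding steps range over.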
Policy Flattening (1)
• Applicability space $\langle AS_A, AS_{IN}, AS_{NA} \rangle$
• Decision space $\langle DS_P, DS_D, DS_{IN}, DS_{NA} \rangle$

Algorithm 2 FlattenPolicy
Input: A policy p
Output: Decision space $\langle DS_P, DS_D, DS_{IN(P)}, DS_{IN(D)}, DS_{IN(NA)}, DS_{NA} \rangle$

    procedure flattenPolicy(p)
      if p is a rule then
        $AS^{P}_{A} = AS^{T}_{A} \cap AS^{C}_{A}$
        $AS^{P}_{IN} = AS^{C}_{IN} \cup AS^{T}_{IN}$
        if effect of p is Permit then
          $DS_P = AS^{P}_{A}$
          $DS_D = \emptyset$
          $DS_{IN(P)} = AS^{P}_{IN}$
          $DS_{IN(D)} = \emptyset$
        else if effect of p is Deny then
          $DS_P = \emptyset$
          $DS_D = AS^{P}_{A}$
          $DS_{IN(P)} = \emptyset$
          $DS_{IN(D)} = AS^{P}_{IN}$
        end if
        $DS_{IN(PD)} = \emptyset$
        $DS_{IN(NA)} = (DS_P \cup DS_D \cup DS_{IN(P)} \cup DS_{IN(D)} \cup DS_{IN(PD)})$
        return $(DS_P, DS_D, DS_{IN(P)}, DS_{IN(D)}, DS_{IN(PD)}, DS_{IN(NA)})$
      else if p is a policy (set) then
        policies = $\emptyset$
        for all elements e of p do
          result = flattenPolicy(e)
          add result to policies
        end for
        combiningAlg = combining algorithm of p
        return applyCA(policies, combiningAlg)
      end if
    end procedure

SAT ENCODING
$DS_P \cup DS_D \cup DS_{IN(P)} \cup DS_{IN(D)} \cup DS_{IN(PD)} \cup DS_{NA}$

FRAMEWORK
Conclusion
• Creating SAT formula
• SAT solvers
• No trees
• Experimental validation