XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with Alex X. Liu, JeeHyun Hwang, Tao Xie


XEngine: A Fast and Scalable XACML Policy Evaluation Engine

Fei Chen

Dept. of Computer Science and Engineering

Michigan State University

Joint work with

Alex X. Liu, JeeHyun Hwang, Tao Xie

Roadmap
• Introduction and Motivation
• Three Key Ideas
• XACML Policy Numericalization
• XACML Policy Normalization
• Correctness
• Experimental Results
• Conclusion

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Liu, Chen, Hwang, Xie

2/29

Introduction

[Figure: a request is described by a Subject (processes, machines, …), a Resource (programs, file, …) and an Action (execute, read, …); access control mechanisms sit at every layer of the stack: Applications, Services/Middleware, Operating System, Hardware]

XACML (de facto standard): eXtensible Access Control Markup Language
• XML language
• Powerful evaluation logic
• Extensible and flexible

Motivation
• Check whether a request satisfies a policy or not and return the decision.
• Performance is critical.
  – Cost per request, with millions of requests per minute (Amazon)
  – Size and complexity → processing time

[Figure: the XACML policy evaluation engine takes an XACML policy and an XACML request and returns a decision]

Prior work
• No prior work focuses on optimizing performance of XACML policy evaluation
• Most work on XACML focuses on XACML policy analysis and verification
• Sun PDP (policy decision point) is an implementation of the standard XACML evaluation engine
• We proposed XEngine
  – Orders of magnitude faster than Sun PDP
  – More rules → more orders of magnitude
    • Hundreds of rules: two orders of magnitude faster than Sun PDP
    • Thousands of rules: four orders of magnitude faster than Sun PDP


Example

<PolicySet PolicySetId="n" PolicyCombiningAlgId="Permit-Overrides">
  <Target/>
  <Policy PolicyId="n1" RuleCombiningAlgId="Deny-Overrides">
    <Target/>
    <Rule RuleId="1" Effect="Deny">
      <Target>
        <Subjects><Subject> Student </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource></Resources>
        <Actions><Action> Change </Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="2" Effect="Permit">
      <Target>
        <Subjects><Subject> Professor </Subject> <Subject> Lecturer </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource> <Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="n2" RuleCombiningAlgId="First-Applicable">
    <Target/>
    <Rule RuleId="3" Effect="Permit">
      <Target>
        <Subjects><Subject> Student </Subject></Subjects>
        <Resources><Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

Rule 1: A student or secretary cannot change grades.

[Figure: evaluation of a request against this policy, showing the rules' Deny and Permit effects being combined into the final Decision]

Three Key Ideas
• XACML policy numericalization
  – String values → Numerical values
• XACML policy normalization
  – Recursive structure → Flat structure
  – Multiple complex conflict resolution mechanisms → one conflict resolution mechanism
• XACML policy evaluation
  – Use a tree structure to efficiently process requests.


XACML Policy Numericalization
• Map each distinct value of the attribute to a distinct integer


Subject         Resource       Action
Student: 0      Grades: 0      Change: 0
Secretary: 1    Records: 1     Read: 1
Professor: 2
Lecturer: 3

Numericalized rules:
1: S[0,1] ∧ R[0,0] ∧ A[0,0] → deny
2: S[1,3] ∧ R[0,1] ∧ A[0,1] → permit
3: S[0,0] ∧ R[1,1] ∧ A[0,1] → permit
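The mapping above in runnable form, as an added example (my code, not XEngine's or the paper's): integers are assigned in order of first appearance, which reproduces the slide's table, and each rule's value sets become inclusive integer ranges. It also covers a case the slide does not show: when a rule's values for some attribute do not map to one contiguous range, the rule is split into one range rule per combination of ranges. That splitting is my assumption about how range rules have to be formed, not a step taken from the slide.

```python
"""Numericalize an XACML-style policy: map each attribute value to an integer and
rewrite every rule's value sets as inclusive integer ranges."""
from itertools import product

ATTRIBUTES = ("subject", "resource", "action")

# The three rules of the example policy, as value sets (constructed from the slide's XML).
RULES = [
    {"id": 1, "effect": "deny", "subject": ["Student", "Secretary"],
     "resource": ["Grades"], "action": ["Change"]},
    {"id": 2, "effect": "permit", "subject": ["Professor", "Lecturer", "Secretary"],
     "resource": ["Grades", "Records"], "action": ["Change", "Read"]},
    {"id": 3, "effect": "permit", "subject": ["Student"],
     "resource": ["Records"], "action": ["Change", "Read"]},
]


def build_tables(rules):
    """Give each distinct value of each attribute the next free integer, in order of
    first appearance; this reproduces the slide's table (Student 0, Secretary 1, ...)."""
    tables = {attr: {} for attr in ATTRIBUTES}
    for r in rules:
        for attr in ATTRIBUTES:
            for value in r[attr]:
                tables[attr].setdefault(value, len(tables[attr]))
    return tables


def to_ranges(ints):
    """Collapse integers into maximal inclusive ranges:
    {1, 2, 3} -> [(1, 3)], {0, 2} -> [(0, 0), (2, 2)]."""
    ranges = []
    for v in sorted(set(ints)):
        if ranges and ranges[-1][1] == v - 1:
            ranges[-1] = (ranges[-1][0], v)   # extend the current range
        else:
            ranges.append((v, v))             # start a new range
    return ranges


def numericalize(rules):
    """Return (tables, range_rules); each range rule is (id, S-range, R-range, A-range, effect).
    If an attribute's values are not contiguous, the rule is split into one range rule per
    combination of ranges (assumption), so every emitted rule is a single box in integer space."""
    tables = build_tables(rules)
    range_rules = []
    for r in rules:
        per_attr = [to_ranges(tables[a][v] for v in r[a]) for a in ATTRIBUTES]
        for s, res, act in product(*per_attr):
            range_rules.append((r["id"], s, res, act, r["effect"]))
    return tables, range_rules


def show(range_rule):
    """Render a range rule in the slide's notation."""
    rid, (s0, s1), (r0, r1), (a0, a1), effect = range_rule
    return f"{rid}: S[{s0},{s1}] ∧ R[{r0},{r1}] ∧ A[{a0},{a1}] → {effect}"


if __name__ == "__main__":
    tables, range_rules = numericalize(RULES)
    for attr in ATTRIBUTES:
        print(attr, tables[attr])
    for rr in range_rules:
        print(show(rr))
```

Running it prints the slide's three range rules. Note that the mapping only works for equality matches on attribute values; conditions built from other XACML functions are handled separately (see the Complex XACML Functions slide).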


XACML Policy Normalization: Challenges
• Four rule/policy combining algorithms → First-Applicable
  – First-Applicable
  – Only-One-Applicable
  – Permit-Overrides
  – Deny-Overrides
• Recursive structure → Flat structure
• Multi-valued request → Decompose to multiple single-valued requests

Recursive Structure
• Model an XACML policy as a tree
• Store combining algorithm and target of the policy or policy set

[Figure: the policy as a tree. Root node [1,3]: Permit-Overrides, Target t1. Children: node [1,2]: Deny-Overrides, Target t2, containing R1 and R2; node [3,3]: First-Applicable, Target t3, containing R3. Leaves: R1 → deny, R2 → permit, R3 → deny]

Scattered Predicates

[Figure: the same tree; the targets on the path to R3 are t1: [1, 6] and t3: [0, 4], and R3's own target is tR3: [3, 5]; their conjunction t1 Λ t3 Λ tR3 is [3, 4]]

Replace the target of R3 by t1 Λ t3 Λ tR3.

Complex XACML Functions

Predicate Λ f() → permit
is rewritten as
Predicate → (if f() then permit)

Multi-valued Rules/Requests
• Multi-valued Rules
  Subject: "A person who is both a professor and a student"
  professor&student → distinct value
• Multi-valued Requests
  "A person who is both a professor and a student wants to assign grades"
  → "A professor wants …", "A student wants …"
  → {Ri1, Ri2, …}, {Rj1, Rj2, …} → Decision

Complex Rule/Policy Combining Alg
• First-Applicable
  – Concatenate rule sequences of normalized policies.
• Only-One-Applicable
  – Check whether two rules from two sequences are overlapped.
• Permit-Overrides or Deny-Overrides
  – Use policy decision diagram (PDD) to convert all-match rules to first-match rules.

[Figure: PDD for the all-match rules 2: S[1,3] Λ R[0,1] Λ A[0,1] → permit and 1: S[0,1] Λ R[0,0] Λ A[0,0] → deny. The S node splits into [0,0], [1,1] and [2,3]; R and A nodes split below. Each leaf lists every matching rule: the path S[1,1], R[0,0], A[0,0] ends in [R1]d, [R2]p, the path S[0,0], R[0,0], A[0,0] in [R1]d, and paths matched only by rule 2 end in [R2]p]

Complex Rule/Policy Combining Alg (continued)

[Figure: policy set [1,4] with Permit-Overrides over policy [1,2] with First-Applicable (R1: Professor → deny, R2: Student → permit) and policy [3,4] with First-Applicable (R3: Student → deny, R4: Professor → permit). Request: "A person who is both a professor and a student wants to assign grades". Decomposed into Q1 "A professor wants …" (matching R1, R4) and Q2 "A student wants …" (matching R2, R3). Combining per single-valued request gives Professor [ [R1]deny, [R4]permit ] → permit and Student [ [R3]deny, [R2]permit ] → permit, hence permit; evaluating the multi-valued request directly gives deny from each policy and deny overall. The diagram marks the per-request combination with ×]

XACML Policy Evaluation (1/2)
• The Decision Diagram Approach
  – A final sequence of first-match rules → a PDD.

[Figure: the PDD of the example policy. S splits into [0,0], [1,1] and [2,3]; R and A split below; the leaves are [R1]d, [R-1]na, [R3]p, [[R1]d, [R2]p] d and [R2]p]

XACML Policy Evaluation (2/2)
• The Forwarding Table Approach
  – d-dimensional PDD → d forwarding tables

T1 (Subject value → index):
  0 → 0
  1 → 1
  2 → 2
  3 → 2

T2 (T1 index × Resource value → index):
        0  1  2
  R=0:  0  2  4
  R=1:  1  3  4

T3 (T2 index × Action value → decision):
        0        1      2                   3      4
  A=0:  [R1]d    [R3]p  [[R1]d, [R2]p] d    [R2]p  [R2]p
  A=1:  [R-1]na  [R3]p  [R2]p               [R2]p  [R2]p

[Figure: a request's Subject, Resource and Action values are looked up in T1, T2 and T3 in turn]
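As an added example (my code, not XEngine's or the paper's), the following Python puts together the combining algorithms from the Complex Rule/Policy Combining Alg slides, the multi-valued request pitfall from the slide marked ×, and the forwarding tables above. Assumptions: the policies are already numericalized with the table from the numericalization slide; the four-rule policy of the × slide uses constructed wildcard ranges (0, 9) for Resource and Action because only the Subject matters there; Indeterminate handling is simplified relative to the XACML specification; and the tables are built by enumerating the small integer domain and merging identical sub-tables rather than by the paper's rule-based PDD construction. Leaves store only the decision, so T3 has three distinct entries where the slide, which also records the matching rules, has five.

```python
"""Evaluate a numericalized XACML policy tree, show the multi-valued request pitfall,
and compile the tree into forwarding tables."""
from itertools import product

PERMIT, DENY, NA, INDET = "permit", "deny", "na", "indeterminate"


def rule(rid, s, r, a, effect):
    # A rule over inclusive integer ranges for Subject, Resource, Action.
    return {"id": rid, "target": (s, r, a), "effect": effect}


def node(alg, children, target=None):
    # A Policy or PolicySet: combining algorithm over children; target None matches everything.
    return {"alg": alg, "children": children, "target": target}


def matches(target, request):
    """request is a tuple of value sets, so multi-valued requests evaluate directly:
    every attribute needs at least one value inside the target's range."""
    if target is None:
        return True
    return all(any(lo <= v <= hi for v in vals) for (lo, hi), vals in zip(target, request))


def combine(alg, decisions):
    """The four combining algorithms named on the slides (Indeterminate handling simplified)."""
    applicable = [d for d in decisions if d != NA]
    if not applicable:
        return NA
    if alg == "First-Applicable":
        return applicable[0]
    if alg == "Only-One-Applicable":
        return applicable[0] if len(applicable) == 1 else INDET
    if alg == "Permit-Overrides":
        return PERMIT if PERMIT in applicable else INDET if INDET in applicable else DENY
    if alg == "Deny-Overrides":
        return DENY if DENY in applicable else INDET if INDET in applicable else PERMIT
    raise ValueError(f"unknown combining algorithm {alg}")


def evaluate(elem, request):
    """Reference semantics: walk the tree and combine the children's decisions."""
    if "effect" in elem:
        return elem["effect"] if matches(elem["target"], request) else NA
    if not matches(elem["target"], request):
        return NA
    return combine(elem["alg"], [evaluate(c, request) for c in elem["children"]])


def naive_decomposition(policy, request):
    """The shortcut the slide marks with x: split a multi-valued request into single-valued
    ones and combine their final decisions with the root's algorithm."""
    singles = [tuple({v} for v in combo) for combo in product(*request)]
    return combine(policy["alg"], [evaluate(policy, q) for q in singles])


# The numericalized example policy from the slides (Student 0, Secretary 1, Professor 2,
# Lecturer 3; Grades 0, Records 1; Change 0, Read 1).
EXAMPLE = node("Permit-Overrides", [
    node("Deny-Overrides", [rule(1, (0, 1), (0, 0), (0, 0), DENY),
                            rule(2, (1, 3), (0, 1), (0, 1), PERMIT)]),
    node("First-Applicable", [rule(3, (0, 0), (1, 1), (0, 1), PERMIT)]),
])

# The x slide's policy: R1 Professor->deny, R2 Student->permit (First-Applicable);
# R3 Student->deny, R4 Professor->permit (First-Applicable); Permit-Overrides on top.
# Only the subject matters, so Resource/Action use a constructed wildcard range.
ANY = (0, 9)
MULTI = node("Permit-Overrides", [
    node("First-Applicable", [rule(1, (2, 2), ANY, ANY, DENY), rule(2, (0, 0), ANY, ANY, PERMIT)]),
    node("First-Applicable", [rule(3, (0, 0), ANY, ANY, DENY), rule(4, (2, 2), ANY, ANY, PERMIT)]),
])


def build_forwarding_tables(policy, sizes):
    """One table per attribute (sizes = number of values per attribute, numbered from 0).
    Enumerates the finite numericalized domain and merges identical sub-tables, the same
    sharing a reduced decision diagram gives (assumption: leaves hold decisions only)."""
    n_s, n_r, n_a = sizes
    t1, t2, t3, seen_row, seen_leaf = [], [], [], {}, {}
    for s in range(n_s):
        row = []
        for r in range(n_r):
            leaf = tuple(evaluate(policy, ({s}, {r}, {a})) for a in range(n_a))
            if leaf not in seen_leaf:          # new T3 entry
                seen_leaf[leaf] = len(t3)
                t3.append(leaf)
            row.append(seen_leaf[leaf])
        row = tuple(row)
        if row not in seen_row:                # new T2 entry
            seen_row[row] = len(t2)
            t2.append(row)
        t1.append(seen_row[row])
    return t1, t2, t3


def lookup(tables, s, r, a):
    """Decide a single-valued request with three array indexings."""
    t1, t2, t3 = tables
    return t3[t2[t1[s]][r]][a]


if __name__ == "__main__":
    tables = build_forwarding_tables(EXAMPLE, (4, 2, 2))
    print("T1:", tables[0], "T2:", tables[1], "T3:", tables[2])
    print("Secretary changes grades:", lookup(tables, 1, 0, 0))
    both = ({0, 2}, {0}, {0})
    print("direct:", evaluate(MULTI, both), "decomposed:", naive_decomposition(MULTI, both))
```

Running it prints T1 = [0, 1, 2, 2], matching the slide, and every lookup agrees with the tree evaluation. The professor-and-student request shows why decomposition has to be recombined inside each policy rather than on final decisions: direct evaluation gives deny, the naive decomposition gives permit.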


Correctness
• We proved the correctness of XEngine
  – Lemmas, Theorems
• Experimental results are the same as Sun PDP

System Overview

[Figure: an XACML policy passes through Policy Numericalization & Normalization, producing a Numericalization Table, First-match Range Rules and a Structure Tree; an XACML request is numericalized and evaluated with Decision Diagrams or Forwarding Tables by the Evaluation Engine, which returns the Decision]


Experimental Results (1/3)
• Preprocessing time of XEngine
  – Only 6 seconds for a synthetic XACML policy with 4000 rules

Experimental Results (2/3)
• For real-life XACML policies (100,000 requests)
  – Forwarding table approach is 117 times faster than Sun PDP
  – PDD approach is 75 times faster than Sun PDP

[Chart, log scale]

Experimental Results (3/3)
• For synthetic XACML policies (100,000 requests)
  – Under 400, 2000 and 4000 rules
    • Forwarding table is 3594, 18643, 34408 times faster than Sun PDP.
    • PDD approach is 1405, 6210, 10873 times faster than Sun PDP.
    • Performance difference grows almost linearly with the number of rules.

[Chart, log scale]

Concluding Remarks
• We presented a series of algorithms to convert an XACML policy to a decision diagram (or forwarding tables)
• We proposed a series of algorithms to process requests.
• XEngine is effective on both real-life and synthetic XACML policies
  – It is orders of magnitude faster than the widely deployed Sun PDP

Questions?