Presentation is loading. Please wait.

Presentation is loading. Please wait.

Department of Computer Science PCL: A Policy Combining Language EXAM: Environment for Xacml policy Analysis & Management Access Control Policy Combining.

Published byJean Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "Department of Computer Science PCL: A Policy Combining Language EXAM: Environment for Xacml policy Analysis & Management Access Control Policy Combining."— Presentation transcript:

1 Department of Computer Science PCL: A Policy Combining Language EXAM: Environment for Xacml policy Analysis & Management Access Control Policy Combining & Comparison Elisa Bertino, Ninghui Li (Purdue University)

2 Department of Computer Science Why Policy Combining? A policy may contain multiple sub- policies. The effect of the whole policy is determined by combining the effects of sub-policies –Firewalls: first-applicable –XACML: deny-overrides, permit-overrides, first-applicable, only-one-applicable

3 Department of Computer Science Other Useful Combining Algorithms Weak-consensus: Strong-consensus: Weak-majority: Strong-majority:

4 Department of Computer Science Our Goal An expressive and practical language for specifying policy combining algorithms Our solution: PCL NINGHUI LI, ELISA BERTINO, QIHUA WANG, WAHBEH QADARJI Purdue University

5 Department of Computer Science Overview of PCL Uses four values: Σ = {P, D, NA, IN} Evaluation errors are represented by non-empty subsets of {P, D, NA, IN} –15 possible values Two ways to specify policy combining behavior –Using a Policy Combining Operator (PCO) –Using linear constraints

6 Department of Computer Science Policy Combining Operators Policy combining operator (PCO) –is a PCA that combines two policies (or rules) –g: Σ × Σ -> Σ, where Σ = {P, D, NA, IN} A PCO can be represented as a matrix P1 \ P2PDNAIN PPDPD DDDDD NAPD D INDDDD Deny-overrides P1 \ P2PDNAIN PPPPP DDDDD NAPD IN First-applicable

7 Department of Computer Science From PCO to PCA PCA should be a function Σ + -> Σ Given a PCO g, its recursive PCA is the function f: –f(P 1 ) = P 1 –f(P 1, P 2 ) = g(P 1, P 2 ) –f(P 1,…,P n ) = g(f(P 1,…,P n-1 ), P n ) DFA-representation of policy evaluation P D NA IN Any D, IN P, NA D, IN P NA Deny-overrides P D NA IN Any D P NA IN Any First-applicable

8 Department of Computer Science Using Linear Constraints PCOs cannot express counting-based strategies. Second approach for PCA specification uses linear constraints on the number of sub- policies that return P, D, NA, and IN. –A Linear Constraint is an expressions that uses #P, #D, #NA, #IN, addition/subtraction, comparisons, and AND  and OR 

9 Department of Computer Science Other Issues We Considered Optimized evaluation of PCAs Specify how to specify obligation- handling behavior in a PCA

10 Department of Computer Science Expressive Power: There are Examples for each numbered area

11 Department of Computer Science Using PCL in XACML An XACML Policy can include the PCA it wants to use A PDP that understands PCL can parse and understand all PCAs specified in it –makes deployment of new PCAs feasible

12 Department of Computer Science Implementation We implemented PCL and integrated it with Sun’s implementation for XACML 1.1 Changes and additions were made to several classes and the Result class in particular to account for errors in evaluation

13 Department of Computer Science EXAM Environment for Xacml policy Analysis & Management EXAM is a comprehensive environment for analyzing and managing XACML access control policies. It supports acquisition, editing and retrieval of policies in addition to policy similarity filtering, policy similarity analysis and policy integration. ELISA BERTINO, NINGHUI LI, GABRIEL GHINITA, PRATHIMA RAO Purdue University

14 Department of Computer Science EXAM Overview: Architecture Policy Repository Policy Similarity Filter Policy Similarity Analyzer Query Dispatcher User User Interface … User Policy Annotation Policy Integration Framework

15 Department of Computer Science Key Feature – Policy Similarity Analysis Goal –Characterize the relationships among the sets of requests respectively authorized by a set of policies. Two techniques –Policy Similarity Filter Less precise, faster (based on techniques from document matching techniques) –Policy Similarity Analyzer Precise, slower (based on MTDBB) A visualization environment has been developed to visualize policy similarity results

16 Department of Computer Science p3  p4  “DRILL-DOWN” Multi-level Grid Visualization of Policy Similarity Action Type

17 Department of Computer Science Policy Integration A Fine-grained Integration Algebra (FIA) –3-valued (Permit, Deny, NotApplicable) –Specify behavior at the granularity of requests and effects –Restrict domain of applicability –Support expressive policy languages like XACML Framework for specifying integration constraints and generating integrated policies. –MTBDD based implementation of FIA –Generation of integrated policy in XACML syntax.

18 Department of Computer Science Fine-grained Integration Algebra (FIA) Vocabulary of attribute names and domains Policy constants Permit policy Deny policy Binary operators Addition Intersection Unary operators Negation Domain Projection

19 Department of Computer Science FIA - Theoretical Results Expressivity –FIA can express all XACML policy combining algorithms –FIA can express policy “jumps” –FIA can model closed policies and open policies Completeness –A completeness notion has been developed, based on the concept of policy combination matrix, and FIA is complete with respect to such notion Minimality –Identification of the minimal complete subsets of the FIA operators

20 Department of Computer Science Current Status of EXAM A prototype has been completed that includes the similarity filter and analyzer The visualization tool has been completed We expect to release EXAM to the project team in December 2009

21 Department of Computer Science On-Going Work Study the specification and analysis of stateful policies in a practical way –e.g., by extending XACML User experimental study – the goal is to assess whether the similarity filter is a good predictor for policy similarity as perceived by users Extend EXAM with tools for synonym and dictionary management, and ontologies Develop tools for collaborative privacy-preserving policy enforcement

Download ppt "Department of Computer Science PCL: A Policy Combining Language EXAM: Environment for Xacml policy Analysis & Management Access Control Policy Combining."

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
1 Using Blind Search and Formal Concepts for Binary Factor Analysis Aleš Keprt

1 Using Blind Search and Formal Concepts for Binary Factor Analysis Aleš Keprt
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
CBio Meeting, March 2-3, 2006 CHISEL Group Dept of Computer Science University of Victoria, Canada Visualization of ontologies and data annotations.

CBio Meeting, March 2-3, 2006 CHISEL Group Dept of Computer Science University of Victoria, Canada Visualization of ontologies and data annotations.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.

SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.
Xyleme A Dynamic Warehouse for XML Data of the Web.

Xyleme A Dynamic Warehouse for XML Data of the Web.
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.

NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
Visual Web Information Extraction With Lixto Robert Baumgartner Sergio Flesca Georg Gottlob.

Visual Web Information Extraction With Lixto Robert Baumgartner Sergio Flesca Georg Gottlob.
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.
1 CS 430 / INFO 430 Information Retrieval Lecture 24 Usability 2.

1 CS 430 / INFO 430 Information Retrieval Lecture 24 Usability 2.
Sangam: A Transformation Modeling Framework Kajal T. Claypool (U Mass Lowell) and Elke A. Rundensteiner (WPI)

Sangam: A Transformation Modeling Framework Kajal T. Claypool (U Mass Lowell) and Elke A. Rundensteiner (WPI)
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Secure Data Storage and Retrieval in the Cloud Bhavani Thuraisingham,

UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Secure Data Storage and Retrieval in the Cloud Bhavani Thuraisingham,

Similar presentations

Ads by Google