XEngine: A Fast and Scalable XACML Policy Evaluation Engine
XEngine: A Fast and Scalable XACML Policy Evaluation Engine
Fei Chen
Dept. of Computer Science and Engineering
Michigan State University
Joint work with Alex X. Liu, JeeHyun Hwang, Tao Xie
Roadmap
• Introduction and Motivation
• Three Key Ideas
• XACML Policy Numericalization
• XACML Policy Normalization
• Correctness
• Experimental Results
• Conclusion
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Liu, Chen, Hwang, Xie
2/29
Introduction
[Figure: access control mechanisms mediate subjects (processes, machines, …) performing actions (execute, read, …) on resources (programs, files, …) at the application, services/middleware, operating system and hardware layers]
XACML (de facto standard): eXtensible Access Control Markup Language
• XML language
• Powerful evaluation logic
• Extensible and flexible
Motivation
• Check whether a request satisfies a policy or not and return the decision.
• Performance is critical.
– Cost per request: millions of requests per minute (Amazon)
– Policy size and complexity drive processing time
[Figure: an XACML policy evaluation engine takes an XACML policy and an XACML request and returns a decision]
Prior work
• No prior work focuses on optimizing the performance of XACML policy evaluation
• Most work on XACML focuses on XACML policy analysis and verification
• Sun PDP (policy decision point) is an implementation of the standard XACML evaluation engine
• We proposed XEngine
– Orders of magnitude faster than Sun PDP
– More rules, more orders of magnitude
• Hundreds of rules: two orders of magnitude faster than Sun PDP
• Thousands of rules: four orders of magnitude faster than Sun PDP
Example

```xml
<PolicySet PolicySetId="n" PolicyCombiningAlgId="Permit-Overrides">
  <Target/>
  <Policy PolicyId="n1" RuleCombinationAlgId="Deny-Overrides">
    <Target/>
    <Rule RuleId="1" Effect="Deny">
      <Target>
        <Subjects><Subject> Student </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource></Resources>
        <Actions><Action> Change </Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="2" Effect="Permit">
      <Target>
        <Subjects><Subject> Professor </Subject> <Subject> Lecturer </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource> <Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="n2" RuleCombinationAlgId="First-Applicable">
    <Target/>
    <Rule RuleId="3" Effect="Permit">
      <Target>
        <Subjects><Subject> Student </Subject></Subjects>
        <Resources><Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
```

Rule 1: A student or secretary cannot change grades.
Three Key Ideas
• XACML policy numericalization
– String values → numerical values
• XACML policy normalization
– Recursive structure → flat structure
– Multiple complex conflict resolution mechanisms → one conflict resolution mechanism
• XACML policy evaluation
– Use a tree structure to efficiently process requests.
XACML Policy Numericalization
• Map each distinct value of the attribute to a distinct integer
Subject: Student: 0, Secretary: 1, Professor: 2, Lecturer: 3
Resource: Grades: 0, Records: 1
Action: Change: 0, Read: 1
Numericalized range rules of the example policy (S = subject, R = resource, A = action):
1: S ∈ [0, 1] ∧ R ∈ [0, 0] ∧ A ∈ [0, 0] → deny
2: S ∈ [1, 3] ∧ R ∈ [0, 1] ∧ A ∈ [0, 1] → permit
3: S ∈ [0, 0] ∧ R ∈ [1, 1] ∧ A ∈ [0, 1] → permit
XACML Policy Normalization: Challenges
• Four rule/policy combining algorithms → First-Applicable only
– First-Applicable
– Only-One-Applicable
– Permit-Overrides
– Deny-Overrides
• Recursive structure → flat structure
• Multi-valued request → decompose to multiple single-valued requests
Recursive Structure
• Model an XACML policy as a tree
• Store the combining algorithm and target of the policy or policy set in its node
[Figure: policy tree of the example. Root: rules [1,3], Permit-Overrides, Target t1. Left child: rules [1,2], Deny-Overrides, Target t2, with leaves R1 → deny and R2 → permit. Right child: rules [3,3], First-Applicable, Target t3, with leaf R3 → deny]
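As an added example (not code from the slides or from XEngine), the following numericalizes the slide-7 policy with the slide-10 value mapping and evaluates requests by walking the recursive policy tree of slide 13, applying each node's combining algorithm the way a standard evaluator does; this is the reference behaviour the normalized engine must reproduce. Attribute values, effects and combining algorithms come from the slides; the data structures and function names are assumptions of this example, and Only-One-Applicable and XACML's Indeterminate result are not modelled.

```python
# Added example: numericalize the slide-7 policy and evaluate single-valued
# requests over the recursive structure tree of slide 13.  Data structures and
# names are this example's own; Only-One-Applicable and Indeterminate are omitted.
SUBJECT  = {"Student": 0, "Secretary": 1, "Professor": 2, "Lecturer": 3}
RESOURCE = {"Grades": 0, "Records": 1}
ACTION   = {"Change": 0, "Read": 1}

def to_ranges(names, table):
    """Map attribute strings to integers and pack consecutive integers into ranges."""
    vals = sorted(table[n] for n in names)
    out, start, prev = [], vals[0], vals[0]
    for v in vals[1:]:
        if v != prev + 1:
            out.append((start, prev))
            start = v
        prev = v
    out.append((start, prev))
    return out

def rule(rid, effect, subjects, resources, actions):
    return {"id": rid, "effect": effect, "S": to_ranges(subjects, SUBJECT),
            "R": to_ranges(resources, RESOURCE), "A": to_ranges(actions, ACTION)}

# Structure tree: (combining algorithm, children); leaves are rule dicts.
POLICY = ("Permit-Overrides", [
    ("Deny-Overrides", [
        rule(1, "deny", ["Student", "Secretary"], ["Grades"], ["Change"]),
        rule(2, "permit", ["Professor", "Lecturer", "Secretary"],
             ["Grades", "Records"], ["Change", "Read"])]),
    ("First-Applicable", [
        rule(3, "permit", ["Student"], ["Records"], ["Change", "Read"])])])

def matches(r, req):
    """A request matches when every attribute value lies in one of the rule's ranges."""
    return all(any(lo <= req[k] <= hi for lo, hi in r[k]) for k in ("S", "R", "A"))

def evaluate(node, req):
    """Return permit, deny or NA (not applicable) for a numericalized request."""
    if isinstance(node, dict):
        return node["effect"] if matches(node, req) else "NA"
    alg, children = node
    decisions = [evaluate(c, req) for c in children]
    if alg == "First-Applicable":
        return next((d for d in decisions if d != "NA"), "NA")
    win, lose = ("deny", "permit") if alg == "Deny-Overrides" else ("permit", "deny")
    return win if win in decisions else lose if lose in decisions else "NA"

def decide(subject, resource, action):
    """Numericalize a string request and evaluate it against the policy tree."""
    return evaluate(POLICY, {"S": SUBJECT[subject], "R": RESOURCE[resource], "A": ACTION[action]})
```

The secretary case shows why the combining algorithms matter: rule 1 denies and rule 2 permits a secretary changing grades, and Deny-Overrides in policy n1 makes deny win.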
Scattered Predicates
[Figure: the same policy tree; the targets on the path to R3 are t1 : [1, 6], t3 : [0, 4] and the rule's own target tR3 : [3, 5]; their conjunction t1 Λ t3 Λ tR3 is [3, 4]]
• Replace the target of R3 by t1 Λ t3 Λ tR3
Complex XACML Functions
• Predicate Λ f() → permit
• becomes Predicate → (if f() then permit)
Multi-valued Rules/Requests
• Multi-valued rules
– Subject: "A person who is both a professor and a student"
– professor&student → a distinct value
• Multi-valued requests
– A person who is both a professor and a student wants to assign grades
[Figure: the request is split into "A professor wants …", matching rules {Ri1, Ri2, …}, and "A student wants …", matching rules {Rj1, Rj2, …}; the two results are combined into the decision]
Complex Rule/Policy Combining Alg
• First-Applicable
– Concatenate the rule sequences of the normalized policies.
• Only-One-Applicable
– Check whether two rules from the two sequences overlap.
• Permit-Overrides or Deny-Overrides
– Use a policy decision diagram (PDD) to convert all-match rules to first-match rules.
[Figure: rules 1: S ∈ [0, 1] ∧ R ∈ [0, 0] ∧ A ∈ [0, 0] → deny and 2: S ∈ [1, 3] ∧ R ∈ [0, 1] ∧ A ∈ [0, 1] → permit inserted into a PDD with levels S, R, A; root edges [0, 0], [1, 1], [2, 3]; the path S ∈ [1, 1], R ∈ [0, 0], A ∈ [0, 0] is matched by both rules and holds the leaf [R1]d, [R2]p, the other leaves hold [R1]d or [R2]p]
Complex Rule/Policy Combining Alg
[Figure: multi-valued request example. Policy tree V1: rules [1,4], Permit-Overrides; V2: rules [1,2], First-Applicable; V3: rules [3,4], First-Applicable. R1: Professor → deny, R2: Student → permit, R3: Student → deny, R4: Professor → permit. Evaluating "A person who is both a professor and a student wants to assign grades" as one request gives deny, deny and a final deny (marked ×). Decomposing it into Q1 "A professor wants …", matching R1, R4, and Q2 "A student wants …", matching R2, R3, gives Professor [ [R1]deny, [R4]permit ] → permit and Student [ [R3]deny, [R2]permit ] → permit, and permit overall]
XACML Policy Evaluation (1/2)
• The Decision Diagram Approach
– A final sequence of first-match rules → a PDD
[Figure: PDD of the example. Root S with edges [0, 0], [1, 1], [2, 3] to R nodes; R edges [0, 0], [1, 1], [0, 1] to A nodes; A edges [0, 0], [1, 1], [0, 1] to the leaves [R1]d, [R-1]na, [R3]p, [[R1]d, [R2]p] d, [R2]p, [R2]p, [R2]p]
XACML Policy Evaluation (2/2)
• The Forwarding Table Approach
– d-dimensional PDD → d forwarding tables
T1 (subject value → index):
  0 → 0
  1 → 1
  2 → 2
  3 → 2
T2 (row: resource value, column: T1 index):
        0  1  2
  0     0  2  4
  1     1  3  4
T3 (row: action value, column: T2 index):
        0        1      2                  3      4
  0     [R1]d    [R3]p  [ [R1]d, [R2]p ] d [R2]p  [R2]p
  1     [R-1]na  [R3]p  [R2]p              [R2]p  [R2]p
A request is evaluated with one lookup in each table.
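As an added example (not the XEngine code), the following builds the forwarding tables of slide 20 from the normalized first-match range rules of slides 10 and 19 and evaluates a numericalized request with one table read per dimension. Where XEngine derives the tables from the PDD, this example enumerates the small numericalized domain and merges identical columns, which is what the PDD's sharing of identical subtrees achieves; it therefore ends with one T3 column fewer than slide 20, whose columns 3 and 4 both hold [R2]p. The rule tuples, domain sizes and function names are assumptions of this example.

```python
# Added example: forwarding tables T1, T2, T3 (slide 20) built by enumerating the
# numericalized domain of the slide-7 example and merging identical columns.
# Rule tuples are (id, S-range, R-range, A-range, effect), constructed from slide 10.
FIRST_MATCH_RULES = [
    (1, (0, 1), (0, 0), (0, 0), "deny"),    # Student|Secretary, Grades, Change
    (2, (1, 3), (0, 1), (0, 1), "permit"),  # Secretary|Professor|Lecturer, any, any
    (3, (0, 0), (1, 1), (0, 1), "permit"),  # Student, Records, any
]
N_SUBJECT, N_RESOURCE, N_ACTION = 4, 2, 2   # sizes of the numericalized domains
NOT_APPLICABLE = (-1, "NA")                 # the slides write this leaf as [R-1]na

def first_match(s, r, a, rules=FIRST_MATCH_RULES):
    """(rule id, effect) of the first matching rule in the flat sequence."""
    for rid, (s0, s1), (r0, r1), (a0, a1), effect in rules:
        if s0 <= s <= s1 and r0 <= r <= r1 and a0 <= a <= a1:
            return (rid, effect)
    return NOT_APPLICABLE

def build_tables(decide=first_match):
    # T1: subject value -> class of subjects whose (resource, action) sub-tables are equal
    cols1, t1 = {}, []
    for s in range(N_SUBJECT):
        key = tuple(decide(s, r, a) for r in range(N_RESOURCE) for a in range(N_ACTION))
        t1.append(cols1.setdefault(key, len(cols1)))
    rep = {c: s for s, c in enumerate(t1)}          # one representative subject per class
    # T2[resource][T1 class] -> class of pairs whose action columns are equal
    cols2, t2 = {}, [[None] * len(cols1) for _ in range(N_RESOURCE)]
    for c in range(len(cols1)):
        for r in range(N_RESOURCE):
            key = tuple(decide(rep[c], r, a) for a in range(N_ACTION))
            t2[r][c] = cols2.setdefault(key, len(cols2))
    # T3[action][T2 class] -> (rule id, decision) leaf
    t3 = [[None] * len(cols2) for _ in range(N_ACTION)]
    for key, idx in cols2.items():
        for a in range(N_ACTION):
            t3[a][idx] = key[a]
    return t1, t2, t3

def lookup(tables, s, r, a):
    """Evaluate a numericalized request with one table read per dimension."""
    t1, t2, t3 = tables
    return t3[a][t2[r][t1[s]]]
```

Because the merge keys carry the matched rule id and not just the effect, (Student, Records) and (Secretary, Records) stay separate columns as on slide 20, even though both decide permit.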
Correctness
• We proved the correctness of XEngine
– Lemmas, Theorems
• Experimental results are the same as Sun PDP
System Overview
[Figure: the XACML Policy goes through Policy Numericalization & Normalization, producing a Numericalization Table, First-match Range Rules and a Structure Tree, from which Decision Diagrams or Forwarding Tables are built; an XACML Request goes through Request Numericalization into the Evaluation Engine, which returns the Decision]
Experimental Results (1/3)
• Preprocessing time of XEngine
– Only 6 seconds for a synthetic XACML policy with 4000 rules
Experimental Results (2/3)
• For real-life XACML policies (100,000 requests)
– Forwarding table approach is 117 times faster than Sun PDP
– PDD approach is 75 times faster than Sun PDP
[Figure: processing time chart, log scale]
Experimental Results (3/3)
• For synthetic XACML policies (100,000 requests)
– Under 400, 2000 and 4000 rules
• Forwarding table approach is 3594, 18643 and 34408 times faster than Sun PDP.
• PDD approach is 1405, 6210 and 10873 times faster than Sun PDP.
• Performance difference grows almost linearly with the number of rules.
[Figure: processing time chart, log scale]
Concluding Remarks
• We presented a series of algorithms to convert an XACML policy to a decision diagram (or forwarding tables).
• We proposed a series of algorithms to process requests.
• XEngine is effective on both real-life and synthetic XACML policies.
– It is orders of magnitude faster than the widely deployed Sun PDP.
Questions?