Designing Fast and Scalable XACML Policy Evaluation Engines
- 23 December 2010
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Transactions on Computers
- Vol. 60 (12), 1802-1817
- https://doi.org/10.1109/tc.2010.274
Abstract
Most prior research on policies has focused on correctness. While correctness is an important issue, the adoption of policy-based computing may be limited if the resulting systems are not implemented efficiently and thus perform poorly. To increase the effectiveness and adoption of policy-based computing, in this paper we propose fast policy evaluation algorithms that can be adapted to support various policy languages. We focus on XACML policy evaluation because XACML has become the de facto standard for specifying access control policies, has been widely used on web servers, and is the most complex among existing policy languages. We implemented our algorithms in a policy evaluation system called XEngine and conducted a side-by-side comparison with Sun Policy Decision Point (PDP), the industrial standard for XACML policy evaluation. The results show that XEngine is orders of magnitude faster than Sun PDP. The performance difference grows almost linearly with the number of rules in an XACML policy. To the best of our knowledge, there is no prior work on improving XACML policy evaluation performance. This paper represents the first step in exploring this unknown space.