Multi-data-types interval decision diagrams for XACML evaluation engine
- 1 July 2013
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2013 Eleventh Annual Conference on Privacy, Security and Trust
- p. 257-266
- https://doi.org/10.1109/pst.2013.6596061
Abstract
XACML policy evaluation efficiency is an important factor influencing the overall system performance, especially when the number of policies grows. Some existing approaches on high performance XACML policy evaluation can support simple policies with equality comparisons and handle requests with well defined conditions. Such mechanisms do not provide the semantic correctness of combining algorithms in cases with indeterminate and not-applicable states. They ignore the critical attribute setting, a mandatory property in XACML, leading to potential missing attribute attacks. In this paper, we present a solution using data interval partition aggregation together with new decision diagram combinations, that not only optimizes the performance but also provides correctness and completeness of XACML 3.0 features, including complex logical expressions, correctness in indeterminate states processing, critical attribute setting, obligations and advices as well as complex comparison functions for multiple data types.Keywords
This publication has 13 references indexed in Scilit:
- Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy EvaluationIEEE Transactions on Services Computing, 2010
- Access control policy combiningPublished by Association for Computing Machinery (ACM) ,2009
- Policy decomposition for collaborative access controlPublished by Association for Computing Machinery (ACM) ,2008
- Analyzing web access control policiesPublished by Association for Computing Machinery (ACM) ,2007
- XACML policy integration algorithmsPublished by Association for Computing Machinery (ACM) ,2006
- Survey and taxonomy of packet classification techniquesACM Computing Surveys, 2005
- Verification and change-impact analysis of access-control policiesPublished by Association for Computing Machinery (ACM) ,2005
- An MTIDD Based FirewallTelecommunication Systems, 2004
- Interval diagrams for efficient symbolic verification of process networksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2000
- Graph-Based Algorithms for Boolean Function ManipulationIEEE Transactions on Computers, 1986