Abstract
With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.
Similar content being viewed by others
Notes
In this paper, the term policy refers to a security policy specified by XACML. Also terms “policy,” “security policy,” and “XACML policy” are used interchangeably.
The combining algorithms are more complex, as described in [1], and we simplified them to show the main parts of our specifications.
References
eXtensible Access Control Markup Language (XACML) Version 3.0 (2013). http://docs.oasis-open.org/xacml/30/xacml-30-core-spec-os-enpdf. Accessed Sept 2018
AU2EU: Authentication and authorisation for entrusted unions (2015). http://www.au2eu.eu/. Accessed Sept 2018
WSO2 balana: The open source XACML 3.0 implementation (2015). http://xacmlinfo.org/category/balana/. Accessed Sept 2018
Ahn, G.J., Hu, H., Lee, J., Meng, Y.: Representing and reasoning about web access control policies. In: Proceedings of the 2010 IEEE 34th Annual Computer Software and Applications Conference, COMPSAC ’10, pp. 137–146 (2010)
Al-Shaer, E.S., Hamed, H.H.: Discovery of policy anomalies in distributed firewalls. In: INFOCOM 2004. Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 4, pp. 2605–2616 (2004)
Arkoudas, K., Chadha, R., Chiang, J.: Sophisticated access control via SMT and logical frameworks. ACM Trans. Inf. Syst. Secur. 16(4), 17:1–17:31 (2014)
Ayed, D., Lepareux, M.N., Martins, C.: Analysis of XACML policies with ASP. In: 7th International Conference on New Technologies, Mobility and Security (NTMS) (2015)
Basile, C., Cappadonia, A., Lioy, A.: Geometric interpretation of policy specification. In: Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, POLICY ’08, pp. 78–81 (2008)
Basile, C., Cappadonia, A., Lioy, A.: Network-level access control policy analysis and transformation. IEEE/ACM Trans. Netw. 20(4), 985–998 (2012)
Bauer, L., Garriss, S., Reiter, M.K.: Detecting and resolving policy misconfigurations in access-control systems. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(1), 2 (2011)
Brewka, G., Eiter, T., Truszczyński, M.: Answer set programming at a glance. Commun. ACM 54(12), 92–103 (2011)
Crampton, J., Morisset, C.: PTaCL: a language for attribute-based access control in open systems. In: International Conference on Principles of Security and Trust, pp. 390–409. Springer (2012)
Eiter, T., Ianni, G., Krennwallner, T.: Answer set programming: a primer. In: Reasoning Web. Semantic Technologies for Information Systems, Lecture Notes in Computer Science, vol. 5689, pp. 40–110 (2009)
Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: Proceedings of the 27th International Conference on Software Engineering, ICSE ’05, pp. 196–205 (2005)
Gebser, M., Kaminski, R., Kaufmann, B., Schaub, T.: Answer Set Solving in Practice. Synthesis Lectures on Artificial Intelligence and Machine Learning. Morgan and Claypool Publishers, San Francisco (2012)
Gebser, M., Kaminski, R., Kaufmann, B., Schaub, T.: Clingo = ASP + control: Preliminary report. CoRR arXiv:1405.3694 (2014)
Griffin, L., Butler, B., de Leastar E, Jennings, B., Botvich, D.: On the performance of access control policy evaluation. In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 25–32 (2012)
Hu, H., Ahn, G.J., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secur. Comput. 9(3), 318–331 (2012)
Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secur. Comput. 10(6), 341–354 (2013)
Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transf. 10(6), 503–520 (2008)
Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW ’07, pp. 677–686 (2007)
Lee, J., Wang, Y., Zhang, Y.: Automated reasoning about xacml 3.0 delegation using answer set programming. In: CEUR Workshop Proceedings, CEUR-WS, vol. 1433 (2015)
Lifschitz, V.: What is answer set programming? In: Proceedings of the 23rd National Conference on Artificial Intelligence, vol. 3, pp. 1594–1597 (2008)
Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: EXAM: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9(4), 253–273 (2010)
Liu, A.X., Chen, F., Hwang, J., Xie, T.: XEngine: a fast and scalable XACML policy evaluation engine. SIGMETRICS ’08, 265–276 (2008)
Margheri, A., Masi, M., Pugliese, R., Tiezzi, F.: A rigorous framework for specification, analysis and enforcement of access control policies. IEEE Trans. Softw. Eng. 99, 1–1 (2017)
Mejri, M., Yahyaoui, H.: Formal specification and integration of distributed security policies. Comput. Lang. Syst. Struct. 49, 1–35 (2017)
Ramli, C.D.P.K.: Detecting incompleteness, conflicting and unreachability XACML policies using answer set programming. CoRR, arXiv:1503.02732 (2015)
Ramli, C.D.P.K., Nielson, H., Nielson, F.: XACML 3.0 in answer set programming. In: Logic-Based Program Synthesis and Transformation, Lecture Notes in Computer Science, vol. 7844, pp. 89–105 (2013)
Rezvani, M., Aryan, R.: Analyzing and resolving anomalies in firewall security policies based on propositional logic. In: IEEE 13th International Multi Topic Conference, INMIC (2009)
Rezvani, M., Ignjatovic, A., Pagnucco, M., Jha, S.: Anomaly-free policy composition in software-defined networks. In: IFIP Networking 2016 Conference (Networking 2016), Vienna, Austria (2016)
Tschantz, M.C., Krishnamurthi, S.: Towards reasonability properties for access-control policy languages. In: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, SACMAT ’06, pp. 160–169 (2006)
Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Formal analysis of XACML policies using SMT. Comput. Secur. 66(Supplement C), 185–203 (2017)
Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C.N., Mohapatra, P.: FIREMAN: a toolkit for firewall modeling and analysis. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 199–213 (2006)
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Rezvani, M., Rajaratnam, D., Ignjatovic, A. et al. Analyzing XACML policies using answer set programming. Int. J. Inf. Secur. 18, 465–479 (2019). https://doi.org/10.1007/s10207-018-0421-5
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-018-0421-5