A Formal Language for Specifying Policy Combining Algorithms in Access Control
Author
Ninghui Li, Qihua Wang, Prathima Rao, Dan Lin, Elisa Bertino, Jorge Lobo
Tech report number
CERIAS TR 2008-9
Entry type
article
Abstract
Many access control policy languages, e.g., XACML, allow a policy to contain multiple sub-policies, and the result of the policy on a request is determined by combining the results of the sub-policies according to some policy combining algorithms (PCAs). Existing access control policy languages, however, do not provide a formal language for specifying PCAs. As a result, it is difficult to extend them with new PCAs. The lack of a formal approach also makes the design of combining algorithms in XACML plagued with issues and subtleties that can be confusing and surprising for policy authors. Motivated by the need to provide a flexible and user-friendly mechanism for specifying PCAs, we propose a policy combining language PCL, which can succinctly and precisely express a variety of PCAs. We show that our approach avoids the pitfalls of XACML and that it is expressive enough to express both PCAs in XACML and other natural PCAs. A policy evaluation engine only needs to understand PCL to evaluate any PCA specified in it. In particular, we model the evaluation of PCAs using finite state automata. Using techniques from automata theory, we also develop systematic policy evaluation optimization techniques that improve evaluation efficiency.
Date
2008-10-27
Key alpha
CERIAS, Purdue
School
PURDUE
Affiliation
CERIAS
Publication Date
2008-10-27

