1 / 23

MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control

MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control. Sonia Jahid 1 , Carl A. Gunter 1 , Imranul Hoque 1 , and Hamed Okhravi 2 University of Illinois at Urbana-Champaign 1 , MIT Lincoln Lab 2

hien
Download Presentation

MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. MyABDAC: Compiling XACML Policies for Attribute-BasedDatabase Access Control Sonia Jahid1, Carl A. Gunter1, Imranul Hoque1, and Hamed Okhravi2 University of Illinois at Urbana-Champaign1, MIT Lincoln Lab2 1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011

  2. Motivation position = nurse, department = ID: select column1 from table1 Alice: select column1 from table1 Attribute-based Access Control (ABAC) Enforcement Middleware select column1 from table1 select column1 from table1

  3. Our Contribution Compile high level ABAC policies (XACML) into low level Database access control mechanisms (ACLs) by a policy compilation engine MyABDAC • Expressiveness • Efficiency • Protection at the lowest level GRANT SELECT, INSERT ON hospital.table1 TO ‘Alice’ Example 1 GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses Example 2

  4. Outline • Architecture • Policy Compilation • Update Analysis • Implementation and Evaluation • Conclusion

  5. Architecture Policy Compilation Engine Policy Parsing Module User and Resource Extraction Module Policy Conflict Discovery and Resolution Module ACL Building Module Database Attributes Resources ACLs (permissions) Table1 Table2

  6. Simplified XACML Policy PolicySet: P Combining Algorithm: Permit Overrides Policy: P1 Combining Algorithm: Permit Overrides Policy: P2 Combining Algorithm: Deny Overrides Rule: R1 E: Permit S: nurse & Infectious Disease R: Sensitive Information A: select, insert Rule: R2 E: Permit S: nurse and experience>5 R: table1 A: select, delete Rule: R3 E: Deny S: nurse & level<3 R: table1 A: select Rule: R4 E: Deny S: nurse & floor=4 R: table1 A: select, insert

  7. Compilation - Parse & Extraction <Rule RuleId=R1 Effect=Permit> <Target> <Subjects> <Subject> <Id>position<Value>nurse <Id>department<Value>infectious disease </Subject> </Subjects> <Resources> <Resource> sensitive information </Resource> </Resources> <Actions> <Action> select, insert </Action> </Actions> </Target> </Rule> Policy Compilation Engine Policy Parsing Module User and Resource Extraction Module <P1, R1, position = ‘nurse’ AND department = ‘infectious disease’, resource = ‘sensitive information’,‘SELECT,INSERT’, Permit> 1) SELECT username FROM hospital.employee WHERE jobtitle=`nurse' AND department=`infectious disease'; 2) SELECT table_name FROM information_schema.tables WHERE table_comment=`sensitive information';

  8. Compilation - Parse & Extraction Policy Compilation Engine Policy Parsing Module User and Resource Extraction Module Rule:R1 E:Permit Rule:R2 E:Permit Rule:R3 E:Deny Rule:R4 E:Deny Conflict Discovery and Resolution Module Database Attributes Resources ACLs

  9. Compilation - Conflict Resolution PolicySet:P Permit Overrides active Policy:P1 Permit Overrides Policy:P2 Deny Overrides conflict Rule:R1 E:Permit Rule:R2 E:Permit Rule:R3 E:Deny Rule:R4 E:Deny active redundant conflict

  10. Compilation - ACL Population Policy Compilation Engine Policy Parsing Module User and Resource Extraction Module Conflict Discovery and Resolution Module ACL Building Module Database GRANT SELECT ON tab1 TO nrs1,nrs2; GRANT INSERT ON tab1 TO nrs1, nrs2; … … REVOKE SELECT ON tab1 FROM nrs3, nrs4; REVOKE INSERT ON tab1 FROM nrs4; Attributes Resources ACLs

  11. Update Analysis • Attributes change • Revoke existing permissions • Grant new permissions • Revoke and Grant permissions • ACL Update • Delayed • Instantaneous • Efficient Instantaneous ACL recalculation upon attribute changes • Recompile a relevant subset of policies • Cache compilation information

  12. Update Analysis P PolicySet:PO P1 Policy:PO P2 Policy:DO Rule:R1 E:Permit S:dept=ID Rule:R2 E:Permit S:exp>5 Rule:R3 E:Deny S:evel<3 Rule:R4 E:Deny S:floor=4

  13. Challenges (2) P PolicySet:PO P1 Policy:PO P2 Policy:DO Rule:R1 E:Permit S:dept=ID Rule:R5 E:Permit S:dept=Med Rule:R2 E:Permit S:exp>5 Rule:R3 E:Deny S:level<3 Rule:R4 E:Deny S:floor=4

  14. Implementation and Evaluation • Prototype Implementation • MyABDAC for MySQL database • Resource database based on a local health complex schema • 50,000 users each with 100 attributes • 40 resource tables • XACML policies • Consisting of 3 layers and 100, 1000, 2000, …, 5000 rules • Experiments performed in 2.40GHz Intel Core 2 Duo with 3GB memory

  15. Policy Compilation Time Policy with 5000 rules each with 10 subject attributes, 5 resources, 2 actions takes 882sec (14.7min) 31s (a) Policy Parse Time (b) User Extraction and ACL Population Time

  16. Update Analysis UPDATE users SETattrx = valx,…, attry = valyWHEREcondition

  17. Comparison with Existing Approaches Request Submitted: <username, password, database query>

  18. Conclusion • Compiled XACML policy into Database ACLs • Built a prototype MyABDAC to test on MySQL • Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster

  19. Backup Slides

  20. Simplified XACML Policy <PolicySet PolicySetId=P PolicyCombiningAlgId=permit-overrides> <Target/> <Policy PolicyId=P1 RuleCombiningAlgId=permit-overrides> <Target/> <Rule RuleId=R1 Effect=Permit> <Target> <Subjects> <Subject><Id>position<Value>nurse <Id>department<Value>infectious disease</Subject> </Subjects> <Resources> <Resource>sensitive information</Resource> </Resources> <Actions> <Action>select,insert</Action> </Actions> </Target> </Rule> <Rule RuleId=R2 Effect=Permit> <Target> <Subjects> <Subject><Id>position<Value>nurse <Id>experience<Value>5</Subject> </Subjects> <Resources> <Resource>table1</Resource></Resources> <Actions><Action>select,delete</Action> </Actions> </Target> </Rule> <Rule RuleId=R3 Effect=Deny> <Target> <Subjects> <Subject><Id>position<Value>nurse <Id>level<Value>3</Subject> </Subjects> <Resources> <Resource>table1</Resource></Resources> <Actions><Action>select</Action> </Actions> </Target> </Rule> </Policy> <Policy PolicyId=P2 RuleCombiningAlgId=deny-overrides> <Target/> <Rule RuleId=R4 Effect=Deny> <Target> <Subjects> <Subject><Id>position<Value>nurse <Id>floor<Value>4</Subject> </Subjects> <Resources> <Resource>table1</Resource> </Resources> <Actions> <Action>select,insert</Action> </Actions> </Target> </Rule> </Policy> </PolicySet>

  21. Cache Compilation

  22. Space Requirement

  23. Key Related Works • A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008. • Sun Microsystems, Inc. Sun's XACML Implementation. • S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.

More Related