Chinese Journal of Computers
Title: A Conflict and Redundancy Analysis Method for XACML Rules
Authors: WANG Ya-Zhe, FENG Deng-Guo
Address: State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190; National Engineering Research Center of Information Security, Beijing 100190
Year: 2009
Issue: No.3 (516-530)
Abstract & Background
Abstract: XACML is a declarative policy language whose flexible attribute-based expressiveness satisfies the complex access-management requirements of open environments, but it lacks the capability to detect conflicting rules and to analyze rule redundancy. This paper proposes the concept of rule state and applies it to analyze several categories of rule conflict caused by attribute hierarchies. To detect and locate these conflicts, a resource semantic tree and state relativity are used to describe the conflict-detection algorithms. Rule redundancy is the other issue addressed in this paper: using a state-covering method, the mechanism of rule redundancy is explained, and redundancy-judgment theorems are proven for the various rule-combining algorithms. The simulation tests in the last part of the paper first analyze the algorithms' efficiency and then show that evaluation performance benefits from the resource semantic tree index and from redundancy removal.
Keywords: access control; rule state; attribute hierarchy; rule conflict detection; rule redundancy; XACML
Background: This work is supported by the National High Technology Research and Development Program (863 Program) of China (No.2006AA01Z454), the National Key Technology R&D Program of China (No.2006BAH02A02) and the National Natural Science Foundation of China (No.60603017).
One important research area of these projects is providing policy-based authorization components for distributed computing and cross-domain applications. The projects use XACML to define access control policies because of its flexible attribute-based expressiveness, but the language lacks the capability to detect and pre-locate conflicting rules before the system makes policy decisions. Although the language provides several combining algorithms to resolve conflicting decisions, users do not always know the origin of a conflict or whether the chosen algorithm is consistent with their authorization intent. In addition, some rules cannot affect decisions at all under a given algorithm; these redundant rules lower the efficiency of policy evaluation.
This paper first introduces the concept of rule state, then designs an effective policy index structure using a resource semantic tree. After analyzing the conflict categories caused by the interaction between the subject and resource attribute hierarchies, two conflict-detection algorithms are proposed. These algorithms can pre-locate conflicting rules that result from permission inheritance and permission implication, or conflicting rules for a node already specified in the semantic tree. Several rule-redundancy judgment theorems for the various combining algorithms are derived. Evaluation systems enhanced by the policy index and rule-redundancy handling achieve better match efficiency.
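The following is an added toy model illustrating the rule-state idea described above; it is not the paper's code or algorithm. It assumes a two-level role hierarchy, a resource tree flattened to paths, and a constructed rule set, and it checks conflicts via hierarchy-expanded state overlap and redundancy via state covering under three combining algorithms.

```python
"""Toy model of XACML rule states, conflict detection and redundancy checks."""
from itertools import combinations

# Constructed subject attribute hierarchy (manager inherits staff) and a
# resource semantic tree flattened to paths; both are assumptions for the demo.
ROLE_PARENT = {"manager": "staff", "staff": None}
RESOURCES = ["/docs", "/docs/hr", "/docs/hr/pay", "/docs/pub"]

def ancestors(role):
    while role:
        yield role
        role = ROLE_PARENT[role]

def state(rule):
    """Rule state: every (role, resource) point the rule applies to after
    expanding role inheritance and the resource subtree."""
    _, role, res = rule
    return {(r, p) for r in ROLE_PARENT for p in RESOURCES
            if role in ancestors(r) and (p == res or p.startswith(res + "/"))}

def conflicts(rules):
    """Rule pairs with opposite effects whose states overlap; 'inheritance'
    marks an overlap that exists only because of the role hierarchy."""
    return [(a, b, "direct" if a[1] == b[1] else "inheritance")
            for a, b in combinations(rules, 2)
            if a[0] != b[0] and state(a) & state(b)]

def redundant(rules, algorithm):
    """Rules whose every state point is already decided by other rules, so
    removing them cannot change a decision under the combining algorithm."""
    winner = {"deny-overrides": "deny", "permit-overrides": "permit"}.get(algorithm)
    out = []
    for i, rule in enumerate(rules):
        if algorithm == "first-applicable":
            deciders = rules[:i]                    # only earlier rules can win
        else:                                       # winning effect or same effect
            deciders = [r for j, r in enumerate(rules)
                        if j != i and r[0] in (winner, rule[0])]
        if state(rule) <= set().union(*(state(r) for r in deciders)):
            out.append(rule)
    return out

# Constructed rule set: (effect, subject role, resource)
RULES = [
    ("permit", "staff", "/docs"),         # R1: staff may access all documents
    ("deny", "manager", "/docs/hr/pay"),  # R2: conflicts with R1 via inheritance
    ("deny", "staff", "/docs/hr"),        # R3: direct conflict with R1
    ("permit", "manager", "/docs/pub"),   # R4: state already covered by R1
]
```

Note that R3 is redundant under permit-overrides but not under deny-overrides, which is the kind of mismatch between combining algorithm and authorization intent the paper aims to surface.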