XACML Policy Evaluation Engine Based on Multi-Level Optimization Technology
    Abstract:

    This paper proposes MLOBEE (multi-level optimization based evaluation engine), an implementation scheme for an XACML (extensible access control markup language) policy evaluation engine based on multi-level optimization technology. Before policies are evaluated, the scheme applies rule refinement to reduce the scale of the policies and to adjust the order of the rules. During evaluation, the engine uses a multi-cache mechanism, consisting of a result cache, an attribute cache, and a policy cache, to reduce the communication cost between the engine and other components. To reduce the number of matching operations and improve matching precision, the policy cache uses a two-stage indexing technique. Finally, simulation tests validate that the overall evaluation performance of MLOBEE, using multi-level optimization technology, is better than that of most other similar systems.

Citation

Wang Yazhe, Feng Dengguo, Zhang Liwu, Zhang Min. XACML policy evaluation engine based on multi-level optimization technology. Journal of Software, 2011,22(2):323-338
History
  • Received: February 20, 2009
  • Revised: August 12, 2009