
MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control

Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2). (1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab


Presentation Transcript


  1. MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
     Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
     (1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
     1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011

  2. Motivation
     • A database ACL names a user: Alice: select column1 from table1
     • Attribute-based Access Control (ABAC) names attributes instead: position = nurse, department = ID (infectious disease): select column1 from table1
     [Figure: an ABAC Enforcement Middleware sits between the client and the database; the query "select column1 from table1" passes through the middleware before it reaches the database]

  3. Our Contribution
     Compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC
     • Expressiveness
     • Efficiency
     • Protection at the lowest level
     Example 1 (what the database understands): GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
     Example 2 (what the policy author wants to express): GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses

  4. Outline • Architecture • Policy Compilation • Update Analysis • Implementation and Evaluation • Conclusion

  5. Architecture
     Policy Compilation Engine, consisting of:
     • Policy Parsing Module
     • User and Resource Extraction Module
     • Policy Conflict Discovery and Resolution Module
     • ACL Building Module
     Database side: Attributes, Resources (Table1, Table2, ...), ACLs (permissions)

  6. Simplified XACML Policy
     PolicySet P, combining algorithm: Permit Overrides
       Policy P1, combining algorithm: Permit Overrides
         Rule R1: Effect Permit; Subject: nurse & Infectious Disease; Resource: Sensitive Information; Actions: select, insert
         Rule R2: Effect Permit; Subject: nurse & experience > 5; Resource: table1; Actions: select, delete
         Rule R3: Effect Deny; Subject: nurse & level < 3; Resource: table1; Action: select
       Policy P2, combining algorithm: Deny Overrides
         Rule R4: Effect Deny; Subject: nurse & floor = 4; Resource: table1; Actions: select, insert

  7. Compilation - Parse & Extraction
     Input rule (simplified XACML):
       <Rule RuleId=R1 Effect=Permit>
         <Target>
           <Subjects><Subject><Id>position<Value>nurse <Id>department<Value>infectious disease</Subject></Subjects>
           <Resources><Resource>sensitive information</Resource></Resources>
           <Actions><Action>select, insert</Action></Actions>
         </Target>
       </Rule>
     Policy Parsing Module output (one tuple per rule):
       <P1, R1, position = 'nurse' AND department = 'infectious disease', resource = 'sensitive information', 'SELECT,INSERT', Permit>
     User and Resource Extraction Module: the subject and resource parts of the tuple become queries against the attribute table and the schema catalogue:
       1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';
       2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';

  8. Compilation - Parse & Extraction
     [Figure: the Policy Parsing Module and the User and Resource Extraction Module feed the parsed rules (R1 Permit, R2 Permit, R3 Deny, R4 Deny) into the Conflict Discovery and Resolution Module, which reads Attributes and Resources from the database and writes ACLs]

  9. Compilation - Conflict Resolution
     [Figure: the policy tree of slide 6 (PolicySet P, Permit Overrides; Policy P1, Permit Overrides; Policy P2, Deny Overrides; rules R1 Permit, R2 Permit, R3 Deny, R4 Deny) annotated with which nodes are active, which rules are redundant, and where Permit and Deny rules conflict; the combining algorithms decide each conflict]

  10. Compilation - ACL Population
     The ACL Building Module turns the resolved decisions into database statements, e.g.:
       GRANT SELECT ON tab1 TO nrs1, nrs2;
       GRANT INSERT ON tab1 TO nrs1, nrs2;
       ...
       REVOKE SELECT ON tab1 FROM nrs3, nrs4;
       REVOKE INSERT ON tab1 FROM nrs4;
     [Figure: full pipeline Policy Parsing Module -> User and Resource Extraction Module -> Conflict Discovery and Resolution Module -> ACL Building Module, with Attributes, Resources and ACLs held in the database]

  11. Update Analysis
     • Attributes change
       - Revoke existing permissions
       - Grant new permissions
       - Revoke and grant permissions
     • ACL update
       - Delayed
       - Instantaneous
     • Efficient instantaneous ACL recalculation upon attribute changes
       - Recompile a relevant subset of policies
       - Cache compilation information

  12. Update Analysis
     [Figure: policy tree used for the update example. PolicySet P (PO = permit overrides); Policy P1 (PO); Policy P2 (DO = deny overrides). Rule R1: Permit, S: dept=ID; Rule R2: Permit, S: exp>5; Rule R3: Deny, S: level<3; Rule R4: Deny, S: floor=4]

  13. Challenges (2)
     [Figure: the same tree after a policy change adds Rule R5 under P1. PolicySet P (PO); Policy P1 (PO): R1 Permit S: dept=ID, R5 Permit S: dept=Med, R2 Permit S: exp>5, R3 Deny S: level<3; Policy P2 (DO): R4 Deny S: floor=4]
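The compilation pipeline of slides 7 to 10 (parse, user extraction by SQL, conflict resolution through the combining algorithms, ACL population) and the incremental update of slides 11 to 13, as an added Python example. This is not the paper's MyABDAC code. It assumes a simplified policy XML in which <Match attr op value> is shorthand for one subject attribute match (not real XACML target syntax), an in-memory SQLite table named employee standing in for hospital.employee, resources named directly as table names rather than resolved through information_schema table comments, and MySQL GRANT/REVOKE produced as text rather than executed. The policy, the users and their attribute values are constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed policy mirroring slides 6 and 20; <Match attr op value> is this example's shorthand.
POLICY_XML = """<PolicySet PolicySetId="P" PolicyCombiningAlgId="permit-overrides">
 <Policy PolicyId="P1" RuleCombiningAlgId="permit-overrides">
  <Rule RuleId="R1" Effect="Permit"><Subject><Match attr="position" op="=" value="nurse"/>
   <Match attr="department" op="=" value="infectious disease"/></Subject>
   <Resource>table1</Resource><Action>select</Action><Action>insert</Action></Rule>
  <Rule RuleId="R2" Effect="Permit"><Subject><Match attr="position" op="=" value="nurse"/>
   <Match attr="experience" op="&gt;" value="5"/></Subject>
   <Resource>table1</Resource><Action>select</Action><Action>delete</Action></Rule>
  <Rule RuleId="R3" Effect="Deny"><Subject><Match attr="position" op="=" value="nurse"/>
   <Match attr="level" op="&lt;" value="3"/></Subject>
   <Resource>table1</Resource><Action>select</Action></Rule>
 </Policy>
 <Policy PolicyId="P2" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="R4" Effect="Deny"><Subject><Match attr="position" op="=" value="nurse"/>
   <Match attr="floor" op="=" value="4"/></Subject>
   <Resource>table1</Resource><Action>select</Action><Action>insert</Action></Rule>
 </Policy>
</PolicySet>"""

def parse_policy(xml_text):
    """Policy Parsing Module: flatten the XML into policies holding rule tuples."""
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall("Policy"):
        rules = [{"id": r.get("RuleId"), "effect": r.get("Effect"),
                  "subject": [(m.get("attr"), m.get("op"), m.get("value")) for m in r.iter("Match")],
                  "resource": r.findtext("Resource"), "actions": [a.text for a in r.findall("Action")]}
                 for r in pol.findall("Rule")]
        policies.append({"id": pol.get("PolicyId"), "alg": pol.get("RuleCombiningAlgId"), "rules": rules})
    return {"alg": root.get("PolicyCombiningAlgId"), "policies": policies}

def matching_users(conn, subject):
    """User Extraction Module: one SELECT over the attribute table per rule. Attribute names are
    checked against the schema, operators whitelisted, values bound: the policy file must not inject SQL."""
    columns = {row[1] for row in conn.execute("PRAGMA table_info(employee)")}
    clauses, params = [], []
    for attr, op, value in subject:
        if attr not in columns or op not in {"=", "<", ">", "<=", ">="}:
            raise ValueError(f"refusing predicate {attr!r} {op!r}")
        clauses.append(f"{attr} {op} ?")
        params.append(int(value) if value.lstrip("-").isdigit() else value)
    sql = "SELECT username FROM employee WHERE " + " AND ".join(clauses)
    return {row[0] for row in conn.execute(sql, params)}

def combine(alg, effects):
    """permit-overrides / deny-overrides; NotApplicable when nothing below applies."""
    order = ("Permit", "Deny") if alg == "permit-overrides" else ("Deny", "Permit")
    return next((e for e in order if e in effects), "NotApplicable")

def compile_acl(conn, policy, only_users=None):
    """Conflict Discovery and Resolution: decide every (user, table, action) through the
    combining algorithms. Closed policy: only a final Permit becomes a grant."""
    users = only_users or [r[0] for r in conn.execute("SELECT username FROM employee")]
    rules = [r for p in policy["policies"] for r in p["rules"]]
    who = {r["id"]: matching_users(conn, r["subject"]) for r in rules}   # cached per rule
    targets = {(r["resource"], a) for r in rules for a in r["actions"]}
    permitted = set()
    for u in users:
        for table, action in targets:
            per_policy = [combine(p["alg"], [r["effect"] for r in p["rules"] if u in who[r["id"]]
                                             and r["resource"] == table and action in r["actions"]])
                          for p in policy["policies"]]
            if combine(policy["alg"], per_policy) == "Permit":
                permitted.add((u, table, action))
    return permitted

def acl_statements(current, desired):
    """ACL Building Module: GRANT what is newly permitted, REVOKE what no longer is (MySQL text)."""
    stmts = []
    for u, t, a in sorted(desired - current) + sorted(current - desired):
        if not (re.fullmatch(r"\w+", u) and re.fullmatch(r"\w+", t)):
            raise ValueError(f"unsafe identifier {u!r}/{t!r}")   # names are spliced into DDL
        verb, prep = ("GRANT", "TO") if (u, t, a) in desired else ("REVOKE", "FROM")
        stmts.append(f"{verb} {a.upper()} ON hospital.{t} {prep} '{u}';")
    return stmts

def update_attribute(conn, policy, acl, username, attr, value):
    """Update Analysis: after an attribute change, recompile only the affected user and only
    when some rule references the changed attribute, then diff against the cached ACL."""
    if attr not in {row[1] for row in conn.execute("PRAGMA table_info(employee)")}:
        raise ValueError(f"unknown attribute {attr!r}")
    conn.execute(f"UPDATE employee SET {attr} = ? WHERE username = ?", (value, username))
    if attr not in {m[0] for p in policy["policies"] for r in p["rules"] for m in r["subject"]}:
        return acl, []                                        # no rule depends on it
    new_acl = {e for e in acl if e[0] != username} | compile_acl(conn, policy, [username])
    return new_acl, acl_statements(acl, new_acl)

def demo_db():
    """Constructed stand-in for the hospital.employee attribute table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (username TEXT PRIMARY KEY, position TEXT, department TEXT,"
                 " experience INTEGER, level INTEGER, floor INTEGER, pager TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?,?,?,?)", [
        ("nrs1", "nurse", "infectious disease", 7, 4, 2, "100"),  # R1 and R2 permit
        ("nrs2", "nurse", "infectious disease", 2, 2, 2, "101"),  # R1 permits, R3 denies select
        ("nrs3", "nurse", "cardiology", 9, 5, 4, "102"),          # R2 permits, R4 denies
        ("nrs4", "nurse", "cardiology", 1, 1, 1, "103")])         # only R3 (a Deny) applies
    return conn
```

Running compile_acl(demo_db(), parse_policy(POLICY_XML)) and feeding the result to acl_statements(set(), ...) gives seven GRANTs: nrs1 gets SELECT, INSERT and DELETE on table1, nrs2 SELECT and INSERT, nrs3 SELECT and DELETE; nrs4 gets nothing because the only rule that applies to it is a Deny. Moving nrs1 out of infectious disease with update_attribute(...) revokes only INSERT, raising nrs4's experience to 6 grants SELECT and DELETE, and changing pager, which no rule references, touches nothing. Moving nrs2 to floor 4 produces no statement either: the top-level permit-overrides lets R1's Permit in P1 win over R4's Deny in P2, which is the kind of conflict slide 9 resolves at compile time. Two checks worth keeping in any real compiler: attribute names and operators from the policy are validated before they are spliced into SQL, and usernames and table names are validated before they are spliced into GRANT/REVOKE text.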

  14. Implementation and Evaluation
     • Prototype implementation
       - MyABDAC for the MySQL database
       - Resource database based on a local health complex schema
       - 50,000 users, each with 100 attributes
       - 40 resource tables
     • XACML policies
       - Consisting of 3 layers and 100, 1000, 2000, ..., 5000 rules
     • Experiments performed on a 2.40 GHz Intel Core 2 Duo with 3 GB memory

  15. Policy Compilation Time
     A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 s (14.7 min) to compile; a 31 s mark is also read off the plot.
     [Figure: (a) Policy Parse Time, (b) User Extraction and ACL Population Time]

  16. Update Analysis
     Attribute changes arrive as updates of the form:
       UPDATE users SET attrx = valx, ..., attry = valy WHERE condition

  17. Comparison with Existing Approaches
     Request submitted: <username, password, database query>

  18. Conclusion
     • Compiled XACML policies into database ACLs
     • Built a prototype, MyABDAC, and tested it on MySQL
     • Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster

  19. Backup Slides

  20. Simplified XACML Policy
     <PolicySet PolicySetId=P PolicyCombiningAlgId=permit-overrides>
       <Target/>
       <Policy PolicyId=P1 RuleCombiningAlgId=permit-overrides>
         <Target/>
         <Rule RuleId=R1 Effect=Permit>
           <Target>
             <Subjects><Subject><Id>position<Value>nurse <Id>department<Value>infectious disease</Subject></Subjects>
             <Resources><Resource>sensitive information</Resource></Resources>
             <Actions><Action>select,insert</Action></Actions>
           </Target>
         </Rule>
         <Rule RuleId=R2 Effect=Permit>
           <Target>
             <Subjects><Subject><Id>position<Value>nurse <Id>experience<Value>5</Subject></Subjects>
             <Resources><Resource>table1</Resource></Resources>
             <Actions><Action>select,delete</Action></Actions>
           </Target>
         </Rule>
         <Rule RuleId=R3 Effect=Deny>
           <Target>
             <Subjects><Subject><Id>position<Value>nurse <Id>level<Value>3</Subject></Subjects>
             <Resources><Resource>table1</Resource></Resources>
             <Actions><Action>select</Action></Actions>
           </Target>
         </Rule>
       </Policy>
       <Policy PolicyId=P2 RuleCombiningAlgId=deny-overrides>
         <Target/>
         <Rule RuleId=R4 Effect=Deny>
           <Target>
             <Subjects><Subject><Id>position<Value>nurse <Id>floor<Value>4</Subject></Subjects>
             <Resources><Resource>table1</Resource></Resources>
             <Actions><Action>select,insert</Action></Actions>
           </Target>
         </Rule>
       </Policy>
     </PolicySet>

  21. Cache Compilation

  22. Space Requirement

  23. Key Related Works
     • A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008.
     • Sun Microsystems, Inc. Sun's XACML Implementation.
     • S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.
