MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011
Motivation
[Figure: Alice (position = nurse, department = ID) submits "select column1 from table1"; an Attribute-based Access Control (ABAC) enforcement middleware sits between the application and the database and mediates the query before it reaches the database.]
Our Contribution
Compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC:
• Expressiveness
• Efficiency
• Protection at the lowest level
Example 1 (what the database understands): GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
Example 2 (what the policy says): GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses
Outline
• Architecture
• Policy Compilation
• Update Analysis
• Implementation and Evaluation
• Conclusion
Architecture
[Figure: the Policy Compilation Engine consists of a Policy Parsing Module, a User and Resource Extraction Module, a Policy Conflict Discovery and Resolution Module and an ACL Building Module. It reads user attributes and resources (Table1, Table2, ...) from the database and writes ACLs (permissions) back into it.]
Simplified XACML Policy
PolicySet P (combining algorithm: Permit Overrides)
  Policy P1 (combining algorithm: Permit Overrides)
    Rule R1: Effect Permit; Subject: nurse & Infectious Disease; Resource: Sensitive Information; Actions: select, insert
    Rule R2: Effect Permit; Subject: nurse & experience>5; Resource: table1; Actions: select, delete
    Rule R3: Effect Deny; Subject: nurse & level<3; Resource: table1; Actions: select
  Policy P2 (combining algorithm: Deny Overrides)
    Rule R4: Effect Deny; Subject: nurse & floor=4; Resource: table1; Actions: select, insert
Compilation - Parse & Extraction
Rule R1 in simplified XACML:
<Rule RuleId="R1" Effect="Permit">
  <Target>
    <Subjects><Subject>
      <Id>position</Id><Value>nurse</Value>
      <Id>department</Id><Value>infectious disease</Value>
    </Subject></Subjects>
    <Resources><Resource>sensitive information</Resource></Resources>
    <Actions><Action>select, insert</Action></Actions>
  </Target>
</Rule>
The Policy Parsing Module turns the rule into the tuple
<P1, R1, position = 'nurse' AND department = 'infectious disease', resource = 'sensitive information', 'SELECT,INSERT', Permit>
and the User and Resource Extraction Module resolves its subject and resource against the database (the subject attribute position is looked up in the employee column jobtitle; the resource name is matched against table comments):
1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';
2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';
Compilation - Parse & Extraction
[Figure: the parsed rules (R1 Permit, R2 Permit, R3 Deny, R4 Deny) flow from the Policy Parsing Module and the User and Resource Extraction Module into the Conflict Discovery and Resolution Module; attributes and resources come from the database, ACLs go back into it.]
Compilation - Conflict Resolution
[Figure: PolicySet P (Permit Overrides) contains Policy P1 (Permit Overrides, with rules R1 Permit, R2 Permit, R3 Deny) and Policy P2 (Deny Overrides, with rule R4 Deny). Policies and rules are marked as active, redundant or conflicting.]
Reading the tree with its combining algorithms: a nurse who matches both R2 and R3 (experience > 5 and level < 3) gets Permit for select on table1, because R2's Permit wins under P1's permit-overrides and R3's Deny is redundant for that user; and since P itself is permit-overrides, a Permit coming out of P1 wins over R4's Deny in P2, so P2's Deny for nurses on floor 4 only takes effect where P1 yields no Permit.
Compilation - ACL Population
[Figure: the ACL Building Module, last in the Policy Compilation Engine after the Policy Parsing, User and Resource Extraction and Conflict Discovery and Resolution Modules, writes the resolved decisions into the database as ACLs.]
Permit decisions become GRANTs and Deny decisions become REVOKEs for the extracted users:
GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
...
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;
Update Analysis
• Attributes change, which may require:
  • Revoking existing permissions
  • Granting new permissions
  • Revoking and granting permissions
• ACL update can be:
  • Delayed
  • Instantaneous
• Efficient instantaneous ACL recalculation upon attribute changes:
  • Recompile a relevant subset of policies
  • Cache compilation information
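As an added example that is not the authors' code, the following Python sketch walks the compilation pipeline of the preceding slides end to end on the four-rule policy and then performs the instantaneous update described above: it resolves resources the way the information_schema query does, extracts matching users from a constructed employee table, combines rule effects with permit-overrides and deny-overrides, emits GRANT/REVOKE statements, and on an attribute change recompiles only the affected user and only if some rule references the changed attribute. The table names, the comment map, the user rows, the '@'%'' host part and all function names are assumptions for illustration.

```python
"""Toy XACML-to-MySQL-ACL compiler in the spirit of MyABDAC (added example, not
the paper's code). Policy is the four-rule example from the slides; the employee
rows and table-comment map are constructed stand-ins for hospital.employee and
information_schema.tables."""
import operator
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id effect subject resource actions")  # subject: ((attr, op, value), ...)
Policy = namedtuple("Policy", "policy_id alg rules")                    # alg: permit-/deny-overrides
PolicySet = namedtuple("PolicySet", "alg policies")
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}
# Constructed stand-in for "SELECT table_name FROM information_schema.tables WHERE table_comment=...".
TABLE_COMMENTS = {"table1": "", "table2": "sensitive information"}

def resolve_tables(resource):
    """Resource extraction: a rule names either a table or a table comment."""
    if resource in TABLE_COMMENTS:
        return [resource]
    return [t for t, c in TABLE_COMMENTS.items() if c == resource]

def matches(rule, attrs):
    """User extraction: does this attribute row satisfy every subject condition?"""
    return all(a in attrs and OPS[op](attrs[a], v) for a, op, v in rule.subject)

def combine(alg, decisions):
    """Combining algorithm over Permit / Deny / NotApplicable (None)."""
    ds = [d for d in decisions if d is not None]
    if not ds:
        return None
    if alg == "permit-overrides":
        return "Permit" if "Permit" in ds else "Deny"
    if alg == "deny-overrides":
        return "Deny" if "Deny" in ds else "Permit"
    raise ValueError(f"unknown combining algorithm {alg}")

def decide(pset, attrs, table, action):
    """Conflict resolution: rules combine inside a policy, policies inside the set."""
    per_policy = []
    for p in pset.policies:
        effects = [r.effect for r in p.rules if table in resolve_tables(r.resource)
                   and action in r.actions and matches(r, attrs)]
        per_policy.append(combine(p.alg, effects))
    return combine(pset.alg, per_policy)

def compile_acl(pset, users):
    """ACL population: {(user, table, action): decision} for every target a rule names."""
    targets = {(t, a) for p in pset.policies for r in p.rules
               for t in resolve_tables(r.resource) for a in r.actions}
    acl = {}
    for user, attrs in users.items():
        for table, action in targets:
            d = decide(pset, attrs, table, action)
            if d is not None:
                acl[(user, table, action)] = d
    return acl

def acl_to_sql(acl, db="hospital"):
    """Permit -> GRANT, Deny -> REVOKE; NotApplicable stays ungranted (MySQL default deny)."""
    out = []
    for (user, table, action), d in sorted(acl.items()):
        if d == "Permit":
            out.append(f"GRANT {action.upper()} ON {db}.{table} TO '{user}'@'%';")
        else:
            out.append(f"REVOKE {action.upper()} ON {db}.{table} FROM '{user}'@'%';")
    return out

def update_user(pset, users, user, changes):
    """Instantaneous update: skip unless some rule references a changed attribute,
    recompile only the changed user, and emit just the GRANT/REVOKE delta."""
    referenced = {a for p in pset.policies for r in p.rules for a, _, _ in r.subject}
    if not referenced & set(changes):
        return []
    before = compile_acl(pset, {user: users[user]})
    users[user] = {**users[user], **changes}
    after = compile_acl(pset, {user: users[user]})
    delta = {k: after.get(k, "Deny")  # a Permit that vanished must be revoked
             for k in set(before) | set(after) if before.get(k) != after.get(k)}
    return acl_to_sql(delta)

POLICY = PolicySet("permit-overrides", (
    Policy("P1", "permit-overrides", (
        Rule("R1", "Permit", (("position", "=", "nurse"), ("department", "=", "infectious disease")),
             "sensitive information", frozenset({"select", "insert"})),
        Rule("R2", "Permit", (("position", "=", "nurse"), ("experience", ">", 5)),
             "table1", frozenset({"select", "delete"})),
        Rule("R3", "Deny", (("position", "=", "nurse"), ("level", "<", 3)),
             "table1", frozenset({"select"})))),
    Policy("P2", "deny-overrides", (
        Rule("R4", "Deny", (("position", "=", "nurse"), ("floor", "=", 4)),
             "table1", frozenset({"select", "insert"})),))))

# Constructed rows standing in for hospital.employee.
USERS = {
    "nrs1": {"position": "nurse", "department": "infectious disease", "experience": 7, "level": 4, "floor": 2},
    "nrs2": {"position": "nurse", "department": "medicine", "experience": 2, "level": 2, "floor": 4},
    "nrs3": {"position": "nurse", "department": "infectious disease", "experience": 6, "level": 1, "floor": 4},
}

if __name__ == "__main__":
    print("\n".join(acl_to_sql(compile_acl(POLICY, USERS))))
    print("-- nrs1's experience drops to 3:")
    print("\n".join(update_user(POLICY, USERS, "nrs1", {"experience": 3})))
```

Two things the sketch makes visible that the slides only imply: a user matched by no rule gets no statement at all, so the database's own default deny covers NotApplicable; and a Deny compiled to a REVOKE is only meaningful where a matching GRANT exists, because MySQL rejects revoking a privilege the user does not hold at that level, so a real compiler has to track what it granted (or use REVOKE IF EXISTS on recent MySQL releases) rather than emit a REVOKE for every Deny.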
Update Analysis
[Figure: PolicySet P (PO) with Policy P1 (PO: R1 Permit, S: dept=ID; R2 Permit, S: exp>5; R3 Deny, S: level<3) and Policy P2 (DO: R4 Deny, S: floor=4); PO = permit-overrides, DO = deny-overrides.]
Challenges (2)
[Figure: the same policy tree with a new rule R5 (Permit, S: dept=Med) added to P1: PolicySet P (PO); Policy P1 (PO: R1 Permit dept=ID; R5 Permit dept=Med; R2 Permit exp>5; R3 Deny level<3); Policy P2 (DO: R4 Deny floor=4).]
Implementation and Evaluation
• Prototype implementation: MyABDAC for a MySQL database
• Resource database based on a local health complex schema
  • 50,000 users, each with 100 attributes
  • 40 resource tables
• XACML policies consisting of 3 layers and 100, 1000, 2000, ..., 5000 rules
• Experiments performed on a 2.40 GHz Intel Core 2 Duo with 3 GB memory
Policy Compilation Time
A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 s (14.7 min) to compile.
[Figure: (a) policy parse time; (b) user extraction and ACL population time, both against the number of rules; a 31 s mark appears on the plot.]
Update Analysis
Attribute changes arrive as updates to the user table:
UPDATE users SET attrx = valx, ..., attry = valy WHERE condition;
Comparison with Existing Approaches
Request submitted to each system: <username, password, database query>
Conclusion
• Compiled XACML policy into database ACLs
• Built a prototype, MyABDAC, to test on MySQL
• Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster
Simplified XACML Policy
(The comparisons experience > 5 and level < 3 from the earlier slide are abbreviated here to the bare values 5 and 3.)
<PolicySet PolicySetId="P" PolicyCombiningAlgId="permit-overrides">
  <Target/>
  <Policy PolicyId="P1" RuleCombiningAlgId="permit-overrides">
    <Target/>
    <Rule RuleId="R1" Effect="Permit">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>department</Id><Value>infectious disease</Value>
        </Subject></Subjects>
        <Resources><Resource>sensitive information</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R2" Effect="Permit">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>experience</Id><Value>5</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,delete</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R3" Effect="Deny">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>level</Id><Value>3</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select</Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="P2" RuleCombiningAlgId="deny-overrides">
    <Target/>
    <Rule RuleId="R4" Effect="Deny">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>floor</Id><Value>4</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
Key Related Works
• A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008.
• Sun Microsystems, Inc. Sun's XACML Implementation.
• S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.