Title :
Multi-data-types interval decision diagrams for XACML evaluation engine
Author :
Canh Ngo ; Makkes, Marc X. ; Demchenko, Y. ; de Laat, Cees
Author_Institution :
Univ. of Amsterdam, Amsterdam, Netherlands
Abstract :
XACML policy evaluation efficiency is an important factor influencing the overall system performance, especially when the number of policies grows. Some existing approaches on high performance XACML policy evaluation can support simple policies with equality comparisons and handle requests with well defined conditions. Such mechanisms do not provide the semantic correctness of combining algorithms in cases with indeterminate and not-applicable states. They ignore the critical attribute setting, a mandatory property in XACML, leading to potential missing attribute attacks. In this paper, we present a solution using data interval partition aggregation together with new decision diagram combinations, that not only optimizes the performance but also provides correctness and completeness of XACML 3.0 features, including complex logical expressions, correctness in indeterminate states processing, critical attribute setting, obligations and advices as well as complex comparison functions for multiple data types.
Keywords :
XML; authorisation; XACML 3.0 feature; XACML evaluation engine; XACML policy evaluation efficiency; attribute attack; complex logical expression; critical attribute setting; data interval partition aggregation; decision diagram combination; extensible access control mark-up language; mandatory property; multidata-types interval decision diagram; Aggregates; Boolean functions; Data structures; Engines; Partitioning algorithms; Semantics; Standards; Access control; MIDD combination; XACML; authorization; decision diagram; interval partition processing; multi-data-types Interval Decision Diagram (MIDD); policy evaluation;
Conference_Titel :
Privacy, Security and Trust (PST), 2013 Eleventh Annual International Conference on
Conference_Location :
Tarragona
DOI :
10.1109/PST.2013.6596061
