MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control
Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)
(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab
1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011
Motivation

Alice (position = nurse, department = ID) submits: select column1 from table1
  -> Attribute-based Access Control (ABAC) enforcement in middleware
  -> select column1 from table1 is passed on to the database
Database-level ACL (S = select, I = insert):
  Table1 | Alice | S
  Table1 | Bob   | S, I
  …      | …     | …
Our Contribution

• Expressiveness
• Efficiency
• Protection at the lowest level

Example 1 (database ACL): GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'
Example 2 (attribute-based policy): GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses

Compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC.
Outline

• Architecture
  – Policy Compilation
• Update Analysis
• Implementation and Evaluation
• Conclusion
Architecture

Inputs: Policy (XACML), Attributes (from the database), Resources (Table1, Table2, …)
Policy Compilation Engine:
  – Policy Parsing Module
  – User and Resource Extraction Module
  – Conflict Discovery and Resolution Module
  – ACL Building Module
Output: ACLs (permissions), written to the Database
Simplified XACML Policy

PolicySet P (Combining Algorithm: Permit Overrides)
  Policy P1 (Combining Algorithm: Permit Overrides)
    Rule R1: Effect: Permit; S: nurse & Infectious Disease; R: Sensitive Information; A: select, insert
    Rule R2: Effect: Permit; S: nurse and experience > 5; R: table1; A: select, delete
    Rule R3: Effect: Deny; S: nurse & level < 3; R: table1; A: select
  Policy P2 (Combining Algorithm: Deny Overrides)
    Rule R4: Effect: Deny; S: nurse & floor = 4; R: table1; A: select, insert
Compilation - Parse & Extraction

Policy Parsing Module, User and Resource Extraction Module

Rule R1 in the simplified XML:
<Rule RuleId="R1" Effect="Permit">
  <Target>
    <Subjects><Subject>
      <Id>position</Id><Value>nurse</Value>
      <Id>department</Id><Value>infectious disease</Value>
    </Subject></Subjects>
    <Resources><Resource>sensitive information</Resource></Resources>
    <Actions><Action>select, insert</Action></Actions>
  </Target>
</Rule>

The parser produces the tuple
<P1, R1, position = 'nurse' AND department = 'infectious disease', resource = 'sensitive information', 'SELECT,INSERT', Permit>

and the extraction module resolves the subject and the resource against the database (the subject attribute position is looked up in the column jobtitle; the resource label is matched against table comments):
1) SELECT username FROM hospital.employee WHERE jobtitle = 'nurse' AND department = 'infectious disease';
2) SELECT table_name FROM information_schema.tables WHERE table_comment = 'sensitive information';
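The parse-and-extraction step as an added, runnable example (not the paper's code): it parses a constructed rule in the slide's simplified XML, builds the tuple, and runs the two extraction queries against an in-memory SQLite database that stands in for hospital.employee and information_schema.tables. It generalises the slide to any number of subject attributes. The attribute-to-column map ATTR_COLUMN, the table_meta stand-in for information_schema.tables, and the sample rows are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for rule R1 in the slide's simplified XML; closing tags are
# added so that ElementTree can parse it (real XACML 2.0 is far more verbose).
RULE_R1 = """<Rule RuleId="R1" Effect="Permit">
  <Target>
    <Subjects><Subject>
      <Attribute><Id>position</Id><Value>nurse</Value></Attribute>
      <Attribute><Id>department</Id><Value>infectious disease</Value></Attribute>
    </Subject></Subjects>
    <Resources><Resource>sensitive information</Resource></Resources>
    <Actions><Action>select,insert</Action></Actions>
  </Target>
</Rule>"""

# Assumed map from XACML subject attribute ids to columns of the employee table;
# the slide's own query uses the column 'jobtitle' for the attribute 'position'.
ATTR_COLUMN = {"position": "jobtitle", "department": "department"}


def parse_rule(xml_text, policy_id):
    """Policy Parsing Module: one rule -> the slide's tuple
    <policy, rule, subject predicates, resource, actions, effect>."""
    rule = ET.fromstring(xml_text)
    preds = [(a.findtext("Id"), a.findtext("Value")) for a in rule.iter("Attribute")]
    actions = rule.findtext("Target/Actions/Action").split(",")
    return {
        "policy": policy_id,
        "rule": rule.get("RuleId"),
        "subject": preds,
        "resource": rule.findtext("Target/Resources/Resource"),
        "actions": [a.strip().upper() for a in actions],
        "effect": rule.get("Effect"),
    }


def subject_query(preds):
    """Turn the subject predicates into a parameterised query. The values come
    from the policy rather than from a user, but binding them as parameters still
    keeps a value such as O'Brien from breaking the WHERE clause."""
    clauses, params = [], []
    for attr_id, value in preds:
        column = ATTR_COLUMN[attr_id]   # unknown attribute id: KeyError, fail closed
        clauses.append(f"{column} = ?")
        params.append(value)
    return "SELECT username FROM employee WHERE " + " AND ".join(clauses), params


def extract_users(conn, preds):
    sql, params = subject_query(preds)
    return sorted(row[0] for row in conn.execute(sql, params))


def extract_resources(conn, resource_label):
    """MySQL keeps table comments in information_schema.tables; a constructed
    table_meta(table_name, table_comment) stands in for it here."""
    rows = conn.execute(
        "SELECT table_name FROM table_meta WHERE table_comment = ?", (resource_label,))
    return sorted(row[0] for row in rows)


def compile_rule(conn, xml_text, policy_id):
    """User and Resource Extraction Module: expand one rule into
    (resource, user, action, effect) entries, in the order the slide numbers them."""
    parsed = parse_rule(xml_text, policy_id)
    users = extract_users(conn, parsed["subject"])
    tables = extract_resources(conn, parsed["resource"])
    return [(t, u, a, parsed["effect"])
            for t in tables for u in users for a in parsed["actions"]]


def build_demo_db():
    """Constructed sample data: two infectious-disease nurses, one cardiology nurse,
    one doctor, and three tables of which two carry the 'sensitive information' comment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee(username TEXT, jobtitle TEXT, department TEXT);
        INSERT INTO employee VALUES
          ('nrs1', 'nurse', 'infectious disease'),
          ('nrs2', 'nurse', 'infectious disease'),
          ('nrs3', 'nurse', 'cardiology'),
          ('doc1', 'doctor', 'infectious disease');
        CREATE TABLE table_meta(table_name TEXT, table_comment TEXT);
        INSERT INTO table_meta VALUES
          ('tab1', 'sensitive information'),
          ('tab2', 'sensitive information'),
          ('tab3', 'public information');
    """)
    return conn


if __name__ == "__main__":
    for entry in compile_rule(build_demo_db(), RULE_R1, "P1"):
        print(entry)
```

Run against the sample data, compile_rule yields the eight entries numbered 1 to 8 on the next slide (tab1 and tab2 × nrs1 and nrs2 × SELECT and INSERT). The engine must be the only principal that can read the attribute table and write the resulting ACLs; anyone who can edit hospital.employee can otherwise grant themselves rights at the next compilation.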
Compilation - Parse & Extraction (cont.)

Policy Parsing Module, User and Resource Extraction Module, Conflict Discovery and Resolution Module; inputs Attributes and Resources from the Database, output ACLs.

Each rule is expanded into entries of the form (resource, user, action) carrying the rule's effect; entries are numbered as on the slide (s = select, i = insert, d = delete):

Rule R1 (Effect: Permit)
  1. tab1, nrs1, s
  2. tab1, nrs1, i
  3. tab1, nrs2, s
  4. tab1, nrs2, i
  5. tab2, nrs1, s
  6. tab2, nrs1, i
  7. tab2, nrs2, s
  8. tab2, nrs2, i
Rule R2 (Effect: Permit)
  9. tab1, nrs1, s
  10. tab1, nrs1, d
Rule R3 (Effect: Deny)
  11. tab1, nrs1, s
  12. tab1, nrs3, s
Rule R4 (Effect: Deny)
  13. tab1, nrs1, s
  14. tab1, nrs1, i
  15. tab1, nrs4, s
  16. tab1, nrs4, i
Compilation - Conflict Resolution

PolicySet P (Permit Overrides)
  Policy P1 (Permit Overrides): R1 (Permit), R2 (Permit), R3 (Deny)
    input entries: 1 2 3 4 5 6 7 8 9 10 11 12
    9 is redundant (same triple and effect as 1); 11 conflicts with 1 and is dropped under Permit Overrides
    active: 1 2 3 4 5 6 7 8 10 12
  Policy P2 (Deny Overrides): R4 (Deny)
    active: 13 14 15 16
Combining P1 (1 2 3 4 5 6 7 8 10 12) and P2 (13 14 15 16) under Permit Overrides:
    13 and 14 conflict with 1 and 2 and are dropped
    active: 1 2 3 4 5 6 7 8 10 12 15 16
Compilation - ACL Population

Policy Parsing Module, User and Resource Extraction Module, Conflict Discovery and Resolution Module, ACL Building Module; inputs Attributes and Resources from the Database, output ACLs.

The ACL Building Module turns the resolved entries into database statements:

GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
……
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;

Permit List
  1. tab1, nrs1, s
  2. tab1, nrs1, i
  3. tab1, nrs2, s
  4. tab1, nrs2, i
  5. tab2, nrs1, s
  6. tab2, nrs1, i
  7. tab2, nrs2, s
  8. tab2, nrs2, i
  10. tab1, nrs1, d
Deny List
  12. tab1, nrs3, s
  15. tab1, nrs4, s
  16. tab1, nrs4, i
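Conflict resolution and ACL population as an added example (not the paper's code): it starts from the 16 numbered entries of the compilation slides, written out here as constructed data, walks the policy tree bottom-up applying Permit Overrides and Deny Overrides per (resource, user, action) triple, records which entries were dropped as conflicts or redundant, and renders the surviving permit and deny lists as the GRANT/REVOKE statements of this slide. The tree encoding and the report structure are assumptions.

```python
from collections import defaultdict


def _rule(first_no, effect, *triples):
    """Number a rule's (resource, user, action) triples consecutively, as the slide does."""
    return [(first_no + i, t, u, a, effect) for i, (t, u, a) in enumerate(triples)]


# Constructed compilation output for the slide's policy, keyed by producing rule.
RULE_ENTRIES = {
    "R1": _rule(1, "Permit",
                ("tab1", "nrs1", "SELECT"), ("tab1", "nrs1", "INSERT"),
                ("tab1", "nrs2", "SELECT"), ("tab1", "nrs2", "INSERT"),
                ("tab2", "nrs1", "SELECT"), ("tab2", "nrs1", "INSERT"),
                ("tab2", "nrs2", "SELECT"), ("tab2", "nrs2", "INSERT")),
    "R2": _rule(9, "Permit", ("tab1", "nrs1", "SELECT"), ("tab1", "nrs1", "DELETE")),
    "R3": _rule(11, "Deny", ("tab1", "nrs1", "SELECT"), ("tab1", "nrs3", "SELECT")),
    "R4": _rule(13, "Deny",
                ("tab1", "nrs1", "SELECT"), ("tab1", "nrs1", "INSERT"),
                ("tab1", "nrs4", "SELECT"), ("tab1", "nrs4", "INSERT")),
}

# The slide's policy tree: rules are leaves; policies and the policy set carry the
# combining algorithm that decides between a Permit and a Deny for the same triple.
POLICY_TREE = {"id": "P", "alg": "permit-overrides", "children": [
    {"id": "P1", "alg": "permit-overrides", "children": ["R1", "R2", "R3"]},
    {"id": "P2", "alg": "deny-overrides", "children": ["R4"]},
]}


def resolve(entries, algorithm, report):
    """Conflict Discovery and Resolution for one node. Entries are grouped by
    (resource, user, action); two effects in one group are a conflict and the
    algorithm picks the survivor, a second entry with the survivor's effect is
    redundant. Dropped entry numbers are appended to report."""
    if algorithm == "permit-overrides":
        winner = "Permit"
    elif algorithm == "deny-overrides":
        winner = "Deny"
    else:
        raise ValueError(f"unsupported combining algorithm {algorithm!r}")
    groups = defaultdict(list)
    for e in sorted(entries, key=lambda e: e[0]):
        groups[e[1:4]].append(e)
    active = []
    for group in groups.values():
        effects = {e[4] for e in group}
        kept = group[0] if len(effects) == 1 else next(e for e in group if e[4] == winner)
        for e in group:
            if e is not kept:
                report["redundant" if e[4] == kept[4] else "conflict"].append(e[0])
        active.append(kept)
    return sorted(active, key=lambda e: e[0])


def compile_policy(node, report):
    """Walk the tree bottom-up: a rule yields its entries; a policy or policy set
    resolves its children's entries under its own combining algorithm."""
    if isinstance(node, str):
        return list(RULE_ENTRIES[node])
    entries = [e for child in node["children"] for e in compile_policy(child, report)]
    return resolve(entries, node["alg"], report)


def acl_statements(active):
    """ACL Building Module: permits become GRANTs and denies become REVOKEs,
    one statement per (table, action) as on the slide."""
    grants, revokes = defaultdict(list), defaultdict(list)
    for _, table, user, action, effect in sorted(active, key=lambda e: e[0]):
        bucket = grants if effect == "Permit" else revokes
        if user not in bucket[(table, action)]:
            bucket[(table, action)].append(user)
    stmts = [f"GRANT {a} ON {t} TO {', '.join(us)};" for (t, a), us in grants.items()]
    stmts += [f"REVOKE {a} ON {t} FROM {', '.join(us)};" for (t, a), us in revokes.items()]
    return stmts


if __name__ == "__main__":
    report = {"conflict": [], "redundant": []}
    active = compile_policy(POLICY_TREE, report)
    print("active:", [e[0] for e in active])   # [1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 15, 16]
    print("dropped:", report)
    print("\n".join(acl_statements(active)))
```

The report reproduces the slide: 9 redundant and 11 in conflict inside P1, 13 and 14 in conflict at the policy-set level. Two caveats for a real populator: the REVOKE statements only matter where a matching grant exists, and MySQL rejects a REVOKE of a table privilege the account does not hold, so check the existing grants (SHOW GRANTS or mysql.tables_priv) before issuing them; and because everything is materialised per triple, XACML's NotApplicable and Indeterminate decisions have no database counterpart and simply produce no grant.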
Update Analysis

• Attributes change
  – Revoke existing permissions
  – Grant new permissions
  – Revoke and grant permissions
• ACL update
  – Delayed
  – Instantaneous
• Efficient instantaneous ACL recalculation upon attribute changes
  – Recompile a relevant subset of policies
  – Cache compilation information
Update Analysis (example)

The compiled policy, with rule subjects abbreviated (ID = infectious disease, PO = Permit Overrides, DO = Deny Overrides):
PolicySet P (PO)
  Policy P1 (PO)
    R1: Permit, S: dept = ID   -> entries 1-8
    R2: Permit, S: exp > 5     -> entries 9, 10
    R3: Deny,  S: level < 3    -> entries 11, 12
  Policy P2 (DO)
    R4: Deny,  S: floor = 4    -> entries 13-16
Entries 1-16 are those of the compilation slides. Resolution as before: P2 yields 13 14 15 16, P1 yields 1 2 3 4 5 6 7 8 10 12, and the active set is 1 2 3 4 5 6 7 8 10 12 15 16.
After an attribute change the same tree is shown again with a new rule R5 (Permit, S: dept = Med) and a new entry 17. tab3, nrs1, s, placed next to entries 9. tab1, nrs1, s and 10. tab1, nrs1, d; the previous resolution result (P2: 13 14 15 16; P1: 1 2 3 4 5 6 7 8 10 12; active: 1 2 3 4 5 6 7 8 10 12 15 16) is still displayed. Only the rules whose subject attributes changed need to be reconsidered, rather than the whole policy.
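Update analysis as an added example (not the paper's code), serving both the attribute-change cases listed under Update Analysis and the recompile-a-relevant-subset idea shown on the example slides: it keeps the paper's ruledetails and log cache tables on a constructed SQLite schema, runs the UPDATE, selects only the rules whose cached subject query references an updated column, re-evaluates those rules for the updated users only, and diffs the result against the log to obtain the new and obsolete rights. The table contents, the EMPLOYEE_COLUMNS allow-list and the restriction to Permit rules are assumptions; Deny rules would re-enter the same conflict resolution as in full compilation.

```python
import re
import sqlite3

# Columns an UPDATE may touch; any other name is rejected before reaching SQL text.
EMPLOYEE_COLUMNS = {"jobtitle", "department", "experience"}


def build_demo_db():
    """Constructed stand-in for the hospital schema plus the paper's two cache
    tables. Only Permit rules are cached here (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee(username TEXT PRIMARY KEY, jobtitle TEXT,
                              department TEXT, experience INTEGER);
        INSERT INTO employee VALUES
          ('nrs1', 'nurse', 'infectious disease', 7),
          ('nrs2', 'nurse', 'infectious disease', 2),
          ('nrs5', 'nurse', 'medicine', 1);
        -- subjectQuery is the WHERE fragment the compiler generated for the rule;
        -- it is spliced into SQL, so only the compiler may write this table.
        CREATE TABLE ruledetails(ruleID TEXT, policyID TEXT, subjectQuery TEXT,
                                 resource TEXT, action TEXT, effect TEXT);
        INSERT INTO ruledetails VALUES
          ('R1', 'P1', "jobtitle = 'nurse' AND department = 'infectious disease'",
           'tab1', 'SELECT,INSERT', 'Permit'),
          ('R2', 'P1', "jobtitle = 'nurse' AND experience > 5",
           'tab1', 'SELECT,DELETE', 'Permit'),
          ('R5', 'P1', "jobtitle = 'nurse' AND department = 'medicine'",
           'tab3', 'SELECT', 'Permit');
        -- log: rights currently materialised as GRANTs and the rule each came from.
        CREATE TABLE log(username TEXT, resource TEXT, action TEXT,
                         effect TEXT, status TEXT, ruleID TEXT);
        INSERT INTO log VALUES
          ('nrs1', 'tab1', 'SELECT', 'Permit', 'active', 'R1'),
          ('nrs1', 'tab1', 'INSERT', 'Permit', 'active', 'R1'),
          ('nrs1', 'tab1', 'SELECT', 'Permit', 'active', 'R2'),
          ('nrs1', 'tab1', 'DELETE', 'Permit', 'active', 'R2'),
          ('nrs2', 'tab1', 'SELECT', 'Permit', 'active', 'R1'),
          ('nrs2', 'tab1', 'INSERT', 'Permit', 'active', 'R1'),
          ('nrs5', 'tab3', 'SELECT', 'Permit', 'active', 'R5');
    """)
    return conn


def rules_referencing(conn, attributes):
    """Only rules whose cached subject query names an updated column are recompiled."""
    rows = conn.execute("SELECT ruleID, subjectQuery, resource, action FROM ruledetails "
                        "WHERE effect = 'Permit' ORDER BY ruleID")
    return [r for r in rows
            if any(re.search(rf"\b{re.escape(a)}\b", r[1]) for a in attributes)]


def still_granted(conn, user, resource, action):
    """True if some active Permit entry in the log still gives this right."""
    return conn.execute("SELECT 1 FROM log WHERE username = ? AND resource = ? "
                        "AND action = ? AND effect = 'Permit' AND status = 'active'",
                        (user, resource, action)).fetchone() is not None


def update_attributes(conn, assignments, where, params=()):
    """Run UPDATE employee SET ... WHERE ..., then recompute only the affected rules
    for the affected users. Returns (rules reconsidered, rights to GRANT, rights to
    REVOKE); a right becomes obsolete only when no other rule still grants it."""
    bad = set(assignments) - EMPLOYEE_COLUMNS
    if bad:
        raise ValueError(f"unknown attribute column(s): {sorted(bad)}")
    users = [r[0] for r in conn.execute(f"SELECT username FROM employee WHERE {where}", params)]
    set_clause = ", ".join(f"{col} = ?" for col in assignments)
    conn.execute(f"UPDATE employee SET {set_clause} WHERE {where}", (*assignments.values(), *params))
    rules = rules_referencing(conn, assignments)
    grants, revokes = [], []
    marks = ",".join("?" * len(users))
    for rule_id, subject_query, resource, actions in rules:
        now = set() if not users else {r[0] for r in conn.execute(
            f"SELECT username FROM employee WHERE username IN ({marks}) AND ({subject_query})",
            users)}
        for user in users:
            for action in actions.split(","):
                key = (user, resource, action)
                held = conn.execute("SELECT 1 FROM log WHERE username = ? AND resource = ? AND "
                                    "action = ? AND ruleID = ? AND status = 'active'",
                                    (*key, rule_id)).fetchone() is not None
                if user in now and not held:            # user newly matches this rule
                    if not still_granted(conn, *key):   # unless another rule already grants it
                        grants.append(key)
                    conn.execute("INSERT INTO log VALUES (?, ?, ?, 'Permit', 'active', ?)",
                                 (*key, rule_id))
                elif held and user not in now:          # user no longer matches this rule
                    conn.execute("DELETE FROM log WHERE username = ? AND resource = ? AND "
                                 "action = ? AND ruleID = ?", (*key, rule_id))
                    if not still_granted(conn, *key):   # nothing else grants it: obsolete
                        revokes.append(key)
    return [r[0] for r in rules], grants, revokes


if __name__ == "__main__":
    # nrs1 moves from infectious disease to medicine: loses tab1 INSERT (R1 only),
    # keeps tab1 SELECT (still granted by R2) and gains tab3 SELECT (R5).
    print(update_attributes(build_demo_db(), {"department": "medicine"},
                            "username = ?", ("nrs1",)))
```

The returned grant and revoke tuples feed the same GRANT/REVOKE population step as a full compilation; in the sample run R2 is never touched because its subject query does not mention department, which is the "relevant subset" the slides refer to. For an instantaneous update the UPDATE, the log changes and the resulting GRANT/REVOKE statements should run in one transaction so that a failure leaves neither stale rights nor a half-applied ACL.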
Implementation and Evaluation

• Prototype implementation
  – MyABDAC for a MySQL database
• Resource database based on a local health complex schema
  – 50,000 users, each with 100 attributes
  – 40 resource tables
• XACML policies
  – consisting of 3 layers and 100, 1000, 2000, …, 5000 rules
• Experiments performed on a 2.40 GHz Intel Core 2 Duo with 3 GB memory
Policy Compilation Time

(a) Policy Parse Time: chart of parse time against number of rules (chart annotation: 31s)
A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 sec (14.7 min).

(b) User Extraction and ACL Population Time

No. of Rules | No. of Users Retrieved from DB | Retrieval Time (sec) | No. of GRANTs | Rights Granted | ACL Population Time (sec)
100  | 220   | 17  | 19  | 2180   | 0.16
1000 | 9569  | 150 | 119 | 36142  | 8
3000 | 25432 | 431 | 120 | 109479 | 56
5000 | 34558 | 720 | 120 | 170757 | 131
Update Analysis

UPDATE users SET attrx = valx, …, attry = valy WHERE condition

Users Updated | Attributes Updated | Rules Reconsidered | New Rights | Obsolete Rights | Total Time (sec)
1666  | 5  | 391 | 0   | 1 | 104
1666  | 10 | 662 | 10  | 1 | 143
1666  | 15 | 822 | 50  | 1 | 163
1666  | 20 | 900 | 50  | 1 | 161
12384 | 5  | 391 | 41  | 1 | 369
12384 | 10 | 662 | 121 | 2 | 409
12384 | 15 | 822 | 261 | 2 | 433
12384 | 20 | 900 | 331 | 2 | 448
Comparison with Existing Approaches

Request submitted: <username, password, database query>
(chart: Access Verification Time (ms), y-axis 0 to 2000, for SunXACML, XEngine and MyABDAC)
Conclusion

• Compiled XACML policy into database ACLs
• Built a prototype, MyABDAC, and tested it on MySQL
• Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster
Backup Slides

Simplified XACML Policy

<PolicySet PolicySetId="P" PolicyCombiningAlgId="permit-overrides">
  <Target/>
  <Policy PolicyId="P1" RuleCombiningAlgId="permit-overrides">
    <Target/>
    <Rule RuleId="R1" Effect="Permit">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>department</Id><Value>infectious disease</Value>
        </Subject></Subjects>
        <Resources><Resource>sensitive information</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R2" Effect="Permit">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>experience</Id><Value>5</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,delete</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R3" Effect="Deny">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>level</Id><Value>3</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select</Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="P2" RuleCombiningAlgId="deny-overrides">
    <Target/>
    <Rule RuleId="R4" Effect="Deny">
      <Target>
        <Subjects><Subject>
          <Id>position</Id><Value>nurse</Value>
          <Id>floor</Id><Value>4</Value>
        </Subject></Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
Cache Compilation

Table Name  | Fields
ruledetails | ruleID, policyID, subjectQuery, resource, action, effect
log         | username, resource, action, effect, status, ruleID
Space Requirement

(chart: Space Requirement (MB, thousands), y-axis 0 to 2000, against No. of Users (thousands), x-axis 0 to 60000, with series Database Level, Table Level and Column Level)
Key Related Works

• A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008.
• Sun Microsystems, Inc. Sun's XACML Implementation.
• S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.