MyABDAC: Compiling XACML Policies for Attribute-Based Database Access Control

Sonia Jahid (1), Carl A. Gunter (1), Imranul Hoque (1), and Hamed Okhravi (2)

(1) University of Illinois at Urbana-Champaign, (2) MIT Lincoln Lab

1st ACM Conference on Data and Application Security and Privacy (CODASPY) 2011


Page 2: Motivation

Figure (diagram): Alice, whose attributes are position = nurse and department = ID, submits the query "select column1 from table1". Attribute-based Access Control (ABAC) enforcement is done in a middleware layer that sits between the user and the database and forwards "select column1 from table1" on to the database; the database's own access-control table, shown alongside, holds entries such as Table1 / Alice / S and Table1 / Bob / S, I, and so on.

Page 3: Our Contribution

Example 1 (a database-level ACL):

GRANT SELECT, INSERT ON hospital.table1 TO 'Alice'

Example 2 (an attribute-based policy):

GRANT nurses of department infectious disease SELECT, INSERT on patient records with infectious disease diagnoses

Compile high-level ABAC policies (XACML) into low-level database access control mechanisms (ACLs) with a policy compilation engine, MyABDAC.

• Expressiveness
• Efficiency
• Protection at the lowest level

Page 4: Outline

• Architecture
  – Policy Compilation
• Update Analysis
• Implementation and Evaluation
• Conclusion

Page 5: Architecture

Figure (block diagram): the Policy Compilation Engine takes a Policy as input and consists of four modules: Policy Parsing Module, User and Resource Extraction Module, ACL Building Module, and Conflict Discovery and Resolution Module. It reads Attributes and Resources (Table1, Table2) from the Database and writes ACLs (permissions) back to it.

Page 6: Simplified XACML Policy

PolicySet: P (Combining Algorithm: Permit Overrides)

  Policy: P1 (Combining Algorithm: Permit Overrides)

    Rule: R1
      E: Permit
      S: nurse & Infectious Disease
      R: Sensitive Information
      A: select, insert

    Rule: R2
      E: Permit
      S: nurse and experience>5
      R: table1
      A: select, delete

    Rule: R3
      E: Deny
      S: nurse & level<3
      R: table1
      A: select

  Policy: P2 (Combining Algorithm: Deny Overrides)

    Rule: R4
      E: Deny
      S: nurse & floor=4
      R: table1
      A: select, insert

Page 7: Compilation - Parse & Extraction

The Policy Parsing Module and the User and Resource Extraction Module of the Policy Compilation Engine process rule R1 (simplified XACML):

<Rule RuleId="R1" Effect="Permit">
  <Target>
    <Subjects>
      <Subject>
        <Id>position <Value>nurse
        <Id>department <Value>infectious disease
      </Subject>
    </Subjects>
    <Resources>
      <Resource> sensitive information </Resource>
    </Resources>
    <Actions>
      <Action> select, insert </Action>
    </Actions>
  </Target>
</Rule>

Parsing the rule yields the tuple:

<P1, R1, position = 'nurse' AND department = 'infectious disease', resource = 'sensitive information', 'SELECT,INSERT', Permit>

Extraction then resolves the subject attributes to users and the resource label to tables by querying the database:

1) SELECT username FROM hospital.employee WHERE jobtitle='nurse' AND department='infectious disease';

2) SELECT table_name FROM information_schema.tables WHERE table_comment='sensitive information';

Page 8: Compilation - Parse & Extraction

Figure: the Policy Compilation Engine (Policy Parsing Module, User and Resource Extraction Module, Conflict Discovery and Resolution Module) reads Attributes and Resources from the Database and produces ACLs. Extraction expands each rule into numbered (table, user, action) entries, where s = select, i = insert, d = delete:

Rule: R1, E: Permit
1. tab1, nrs1, s
2. tab1, nrs1, i
3. tab1, nrs2, s
4. tab1, nrs2, i
5. tab2, nrs1, s
6. tab2, nrs1, i
7. tab2, nrs2, s
8. tab2, nrs2, i

Rule: R2, E: Permit
9. tab1, nrs1, s
10. tab1, nrs1, d

Rule: R3, E: Deny
11. tab1, nrs1, s
12. tab1, nrs3, s

Rule: R4, E: Deny
13. tab1, nrs1, s
14. tab1, nrs1, i
15. tab1, nrs4, s
16. tab1, nrs4, i

Page 9: Compilation - Conflict Resolution

Figure: the extracted entries 1 to 16 of Page 8 placed under the policy tree (PolicySet P, Permit Overrides; Policy P1, Permit Overrides, holding R1 Permit, R2 Permit, R3 Deny; Policy P2, Deny Overrides, holding R4 Deny), with each entry marked active, conflict or redundant.

Under P1 (Permit Overrides): entry 9 (Permit, tab1, nrs1, s) duplicates entry 1 and is redundant; entry 11 (Deny, tab1, nrs1, s) conflicts with entry 1 (Permit) and loses; active set: 1 2 3 4 5 6 7 8 10 12.

Under P2 (Deny Overrides): no conflicts; active set: 13 14 15 16.

At PolicySet P (Permit Overrides), combining the two active sets: entries 13 and 14 (Deny on tab1, nrs1, s and i) conflict with entries 1 and 2 (Permit) and lose; final active set: 1 2 3 4 5 6 7 8 10 12 15 16.

Page 10: Compilation - ACL Population

Figure: the ACL Building Module of the Policy Compilation Engine (Policy Parsing Module, User and Resource Extraction Module, ACL Building Module, Conflict Discovery and Resolution Module; Attributes, Resources and ACLs exchanged with the Database) turns the resolved lists into statements:

GRANT SELECT ON tab1 TO nrs1, nrs2;
GRANT INSERT ON tab1 TO nrs1, nrs2;
……
REVOKE SELECT ON tab1 FROM nrs3, nrs4;
REVOKE INSERT ON tab1 FROM nrs4;

Permit List
1. tab1, nrs1, s
2. tab1, nrs1, i
3. tab1, nrs2, s
4. tab1, nrs2, i
5. tab2, nrs1, s
6. tab2, nrs1, i
7. tab2, nrs2, s
8. tab2, nrs2, i
10. tab1, nrs1, d

Deny List
12. tab1, nrs3, s
15. tab1, nrs4, s
16. tab1, nrs4, i
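The conflict-resolution and ACL-population steps of Pages 8 to 10, as an added Python example that is not the MyABDAC code: the extraction output for R1 to R4 is hard-coded (constructed from the slides) instead of being retrieved with the queries of Page 7, combine applies permit-overrides and deny-overrides bottom-up over the policy tree of Page 6, and acl_statements groups the surviving decisions into GRANT and REVOKE statements.

```python
"""Added example: MyABDAC-style conflict resolution and ACL population.
The per-rule entries are constructed from slides 8-10; the real engine
would retrieve them from the attribute and schema tables instead."""
from collections import defaultdict

PERMIT, DENY = "Permit", "Deny"

# Extraction output, rule id -> (table, user, action, effect); s/i/d = select/insert/delete.
ENTRIES = {
    "R1": [(t, u, a, PERMIT) for t in ("tab1", "tab2")
           for u in ("nrs1", "nrs2") for a in ("s", "i")],                  # entries 1-8
    "R2": [("tab1", "nrs1", "s", PERMIT), ("tab1", "nrs1", "d", PERMIT)],   # entries 9-10
    "R3": [("tab1", "nrs1", "s", DENY), ("tab1", "nrs3", "s", DENY)],       # entries 11-12
    "R4": [("tab1", u, a, DENY) for u in ("nrs1", "nrs4") for a in ("s", "i")],  # 13-16
}

# Policy tree of slide 6: (combining algorithm, children); leaves are rule ids.
POLICY = ("permit-overrides", [("permit-overrides", ["R1", "R2", "R3"]),
                               ("deny-overrides", ["R4"])])

def combine(node):
    """Return {(table, user, action): effect} for a policy node. Two entries
    for the same key with the same effect are redundant and collapse; with
    different effects they conflict and the combining algorithm decides."""
    if isinstance(node, str):                      # leaf: a rule id
        return {(t, u, a): e for t, u, a, e in ENTRIES[node]}
    alg, children = node
    winner = PERMIT if alg == "permit-overrides" else DENY
    merged = {}
    for child in children:
        for key, effect in combine(child).items():
            if key not in merged or effect == winner:
                merged[key] = effect               # the overriding effect always wins
    return merged

def acl_statements(decisions):
    """Group the final decisions into one GRANT/REVOKE per (table, action)."""
    groups = defaultdict(list)
    for (table, user, action), effect in sorted(decisions.items()):
        groups[(effect, table, action)].append(user)
    verb = {PERMIT: ("GRANT", "TO"), DENY: ("REVOKE", "FROM")}
    name = {"s": "SELECT", "i": "INSERT", "d": "DELETE"}
    ordered = sorted(groups.items(), key=lambda kv: (kv[0][0] != PERMIT, kv[0][1:]))
    return [f"{verb[e][0]} {name[a]} ON {t} {verb[e][1]} {', '.join(users)};"
            for (e, t, a), users in ordered]

if __name__ == "__main__":
    for stmt in acl_statements(combine(POLICY)):
        print(stmt)
```

Swapping the root algorithm to deny-overrides makes entries 13 and 14 win instead, which is the sensitivity to combining algorithms that the conflict step on Page 9 has to respect.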

Page 11: Update Analysis

• Attributes change
  – Revoke existing permissions
  – Grant new permissions
  – Revoke and Grant permissions
• ACL Update
  – Delayed
  – Instantaneous
• Efficient Instantaneous ACL recalculation upon attribute changes
  – Recompile a relevant subset of policies
  – Cache compilation information

Page 12: Update Analysis

Figure: the compilation tree of Page 9 in abbreviated form (PolicySet P: PO; Policy P1: PO, with R1 E: Permit S: dept=ID, R2 E: Permit S: exp>5, R3 E: Deny S: level<3; Policy P2: DO, with R4 E: Deny S: floor=4; PO = Permit Overrides, DO = Deny Overrides), the extracted entries 1 to 16 of Page 8, and the active sets 13 14 15 16 (P2) and 1 2 3 4 5 6 7 8 10 12 (P1) at the policy level and 1 2 3 4 5 6 7 8 10 12 15 16 at the policy-set level.

Page 13: Challenges (2)

Figure: the same tree, entries and active sets as Page 12, now with an added Rule R5 (E: Permit, S: dept=Med) that yields the new entry 17. tab3, nrs1, s; entries 9. tab1, nrs1, s and 10. tab1, nrs1, d are shown set apart from the main entry list, which runs 1 2 3 4 5 6 7 8 11 12 13 14 15 16.

Page 14: Implementation and Evaluation

• Prototype Implementation
  – MyABDAC for MySQL database
• Resource database based on a local health complex schema
  – 50,000 users each with 100 attributes
  – 40 resource tables
• XACML policies
  – Consisting of 3 layers and 100, 1000, 2000, …, 5000 rules
• Experiments performed on a 2.40GHz Intel Core 2 Duo with 3GB memory

Page 15: Policy Compilation Time

A policy with 5000 rules, each with 10 subject attributes, 5 resources and 2 actions, takes 882 sec (14.7 min) to compile.

(a) Policy Parse Time: chart (annotated 31s)

(b) User Extraction and ACL Population Time:

No. of Rules | No. of Users Retrieved from DB | Retrieval Time (sec) | No. of GRANTs | Rights Granted | ACL Population Time (sec)
100  | 220   | 17  | 19  | 2180   | 0.16
1000 | 9569  | 150 | 119 | 36142  | 8
3000 | 25432 | 431 | 120 | 109479 | 56
5000 | 34558 | 720 | 120 | 170757 | 131

Page 16: Update Analysis

Attribute updates take the form: UPDATE users SET attrx = valx, …, attry = valy WHERE condition

Users Updated | Attributes Updated | Rules Reconsidered | New Rights | Obsolete Rights | Total Time (sec)
1666  | 5  | 391 | 0   | 1 | 104
1666  | 10 | 662 | 10  | 1 | 143
1666  | 15 | 822 | 50  | 1 | 163
1666  | 20 | 900 | 50  | 1 | 161
12384 | 5  | 391 | 41  | 1 | 369
12384 | 10 | 662 | 121 | 2 | 409
12384 | 15 | 822 | 261 | 2 | 433
12384 | 20 | 900 | 331 | 2 | 448

Page 17: Comparison with Existing Approaches

Figure (bar chart): Access Verification Time (ms), y-axis from 0 to 2000, for SunXACML, XEngine and MyABDAC.

Request Submitted: <username, password, database query>

Page 18: Conclusion

• Compiled XACML policy into Database ACLs
• Built a prototype MyABDAC to test on MySQL
• Comparison with SunXACML and XEngine shows that MyABDAC makes database access enforcement faster

Page 19: Backup Slides

Page 20: Simplified XACML Policy

<PolicySet PolicySetId="P" PolicyCombiningAlgId="permit-overrides">
  <Target/>
  <Policy PolicyId="P1" RuleCombiningAlgId="permit-overrides">
    <Target/>
    <Rule RuleId="R1" Effect="Permit">
      <Target>
        <Subjects>
          <Subject><Id>position<Value>nurse
                   <Id>department<Value>infectious disease</Subject>
        </Subjects>
        <Resources><Resource>sensitive information</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R2" Effect="Permit">
      <Target>
        <Subjects>
          <Subject><Id>position<Value>nurse
                   <Id>experience<Value>5</Subject>
        </Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,delete</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="R3" Effect="Deny">
      <Target>
        <Subjects>
          <Subject><Id>position<Value>nurse
                   <Id>level<Value>3</Subject>
        </Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select</Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="P2" RuleCombiningAlgId="deny-overrides">
    <Target/>
    <Rule RuleId="R4" Effect="Deny">
      <Target>
        <Subjects>
          <Subject><Id>position<Value>nurse
                   <Id>floor<Value>4</Subject>
        </Subjects>
        <Resources><Resource>table1</Resource></Resources>
        <Actions><Action>select,insert</Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

Page 21: Cache Compilation

Table Name  | Fields
ruledetails | ruleID, policyID, subjectQuery, resource, action, effect
log         | username, resource, action, effect, status, ruleID

Page 22: Space Requirement

Figure (line chart): Space (MB) Requirement (Thousands), y-axis from 0 to 2000, against No. of Users (Thousands), x-axis from 0 to 60000, for three ACL granularities: Database Level, Table Level, Column Level.

Page 23: Key Related Works

• A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In ACM SIGMETRICS, 2008.
• Sun Microsystems, Inc. Sun's XACML Implementation.
• S. Marouf, M. Shehab, A. Squicciarini, and S. Sundareswaran. Statistics & Clustering based Framework for Efficient XACML Policy Evaluation. In POLICY, 2009.