Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies

Hussein Jebbaoui, Azzam Mourad, Hadi Otrok, Ramzi Haraty

Research output: Contribution to journalArticlepeer-review

27 Scopus citations

Abstract

XACML (eXtensible Access Control Markup Language) policies, which are widely adopted for defining and controlling dynamic access among Web/cloud services, are becoming more complex in order to handle the significant growth in communication and cooperation between individuals and composed services. However, the large size and complexity of these policies raise many concerns related to their correctness in terms of flaws, conflicts and redundancies presence. This paper addresses this problem through introducing a novel set and semantics based scheme that provides accurate and efficient analysis of XACML policies. First, our approach resolves the complexity of policies by elaborating an intermediate set-based representation to which the elements of XACML are automatically converted. Second, it allows to detect flaws, conflicts and redundancies between rules by offering new mechanisms to analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic. All the approach components and algorithms realizing the proposed analysis semantics have been implemented in one development framework. Experiments carried out on synthetic and real-life XACML policies explore the relevance of our analysis algorithms with acceptable overhead. Please visit http://www.azzammourad.org/#projects to download the framework.

Original languageBritish English
Pages (from-to)91-103
Number of pages13
JournalComputers and Electrical Engineering
Volume44
DOIs
StatePublished - 1 May 2015

Keywords

  • Access control
  • Policy analysis
  • Semantics
  • Set theory
  • Web services security
  • XACML

Fingerprint

Dive into the research topics of 'Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies'. Together they form a unique fingerprint.

Cite this