Analyzing XACML policies using answer set programming

作     者：Rezvani, Mohsen Rajaratnam, David Ignjatovic, Aleksandar Pagnucco, Maurice Jha, Sanjay 

作者机构：Shahrood Univ Technol Fac Comp Engn Shahrood Iran Univ New South Wales Sch Comp Sci & Engn Sydney NSW Australia 

出 版 物：《INTERNATIONAL JOURNAL OF INFORMATION SECURITY》 (国际信息安全杂志)

年 卷 期：2019年第18卷第4期

页      面：465-479页

核心收录：

学科分类：08[工学] 0835[工学-软件工程] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

主　　题：XACML Policy analysis Anomaly detection Answer set programming 

摘      要：With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.