[Figure: only the chart labels survive. Policies: CodeA, CodeB, CodeC, CodeD, Continue-a, Continue-b, Weirdx, FreeCS, GradeSheet, Pluto. Other labels: Combining Algorithms, Conditions.]
IMPLEMENTATION AND EVALUATION

We have implemented a tool called XACML2ASP in Java 1.6.3. XACML2ASP can automatically convert core XACML and RBAC constraint expressions into ASP. The generated ASP-based policy representations are then fed into an ASP reasoner to carry out analysis services. We evaluated the efficiency and effectiveness of our approach on several real-world XACML policies. GRINGO was employed as the ASP solver for our evaluation. Our experiments were performed on an Intel Core 2 Duo CPU 3.00 GHz with 3.25 GB RAM running Windows XP SP2.

In our evaluation, we utilized ten real-world XACML policies collected from three different sources. Six of the policies, CodeA, CodeB, CodeC, CodeD, Continue-a and Continue-b, are XACML policies used by [10]; among them, Continue-a and Continue-b are designed for a real-world Web application supporting conference management. Three of the policies, Weirdx, FreeCS and GradeSheet, are utilized by [5]. The Pluto policy is employed in the ARCHON⁶ system, which is a digital library that federates the collections of physics with multiple degrees of metadata richness.

Table I
EXPERIMENTAL RESULTS ON REAL-LIFE XACML POLICIES

Policy        # of Rules   Converting Time (s)   Reasoning Time (s)
CodeA                  2                 0.000                0.000
CodeB                  3                 0.000                0.000
CodeC                  4                 0.000                0.002
CodeD                  5                 0.000                0.004
Weirdx                 6                 0.005                0.006
FreeCS                 7                 0.005                0.006
GradeSheet            14                 0.015                0.012
Pluto                 21                 0.016                0.031
Continue-a           298                 0.120                0.405
Continue-b           306                 0.125                0.427

Table I shows the number of rules contained in each policy, the conversion time from XACML to ASP, and the reasoning time using GRINGO + CLASPD for each policy. Note that the reasoning time was measured by enabling GRINGO + CLASPD to generate answer sets representing all permitted requests for each policy. From Table I, we observe that the conversion time from XACML to ASP in XACML2ASP is fast enough to handle larger policies, such as Continue-a and Continue-b. It also indicates that the reasoning process for policy analysis in the ASP solver is efficient enough for a variety of policy analysis services.

VI. RELATED WORK

In [13], a framework for automated verification of access control policies based on relational first-order logic was proposed. The authors demonstrated how XACML policies can be translated to the Alloy language [14], and checked their security properties using the Alloy Analyzer. However, using the first-order constructs of Alloy to model XACML policies is expensive, and its feasibility for larger policies still needs to be examined. In [6], the authors formalized XACML policies using a process algebra known as Communicating Sequential Processes. This utilizes a model checker to formally verify properties of policies, and to compare access control policies with each other. Fisler et al. [10] introduced an approach to represent XACML policies with Multi-Terminal Binary Decision Diagrams (MTBDDs). A policy analysis tool called Margrave was developed. Margrave can verify XACML policies against the given properties and perform change-impact analysis based on the semantic differences between the MTBDDs representing the policies. Kolovski et al. [16] presented a formalization of XACML using description logic (DL), which is a family of languages that are decidable subsets of first-order logic, and leveraged existing DL reasoners to conduct policy verification. Compared with other work in XACML, our approach provides a more straightforward formalization with ASP, addressing XACML features such as all four combining algorithms and handling simple conditions.

Schaad and Moffett [25] specified the access control policies under the RBAC96 and ARBAC97 models and a set of separation of duty constraints in Alloy. They attempted to check the constraint violations caused by administrative operations. In [26], Sohr et al. demonstrated how the USE tool, a validation tool for OCL constraints, can be utilized to validate authorization constraints against RBAC configurations. The policy designers can employ the USE-based approach to detect certain conflicts between authorization constraints and to identify missing constraints. The Assurance Management Framework (AMF) was proposed in [2], [12], where a formal RBAC model and constraints can be analyzed. Alloy was also utilized as an underlying formal verification tool to analyze the formal specifications of an RBAC model and corresponding constraints, which are then used for access control system development. In addition, the verified specifications are used to automatically derive the test cases for conformance testing. Even though there has been a great amount of work on XACML and RBAC analysis, there is little work in providing reasoning in XACML-based RBAC policies.

VII. CONCLUSION AND FUTURE WORK

In this work, we have provided a formal foundation of XACML in terms of ASP. We further introduced a policy analysis framework for identifying constraint violations in XACML-based RBAC policies, explicitly demonstrating that the existing XACML standard does not support constrained RBAC. In addition, we have described a tool called XACML2ASP, which can seamlessly work with existing ASP solvers for XACML policy analysis. Our experiments showed that the performance of our analysis approach could efficiently support larger access control policies.

⁶ http://archon.cs.odu.edu/
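
As an added illustration (not code from the paper and not XACML2ASP's ASP encoding), the Python sketch below brute-forces what the reasoning-time measurement describes: the set of all permitted requests for a policy, computed under each of the four combining algorithms, plus the difference between two of those sets in the spirit of change-impact analysis. The toy rules, the attribute domain and all function names are constructed for this example.

```python
from itertools import product

ATTRS = ("role", "resource", "action")
# Constructed attribute domain and rules (not one of the paper's ten policies).
DOMAIN = {"role": ["faculty", "student", "guest"],
          "resource": ["grades"],
          "action": ["read", "write"]}
# A rule is (effect, target); an attribute absent from the target matches any value.
RULES = [
    ("Deny",   {"role": {"student"}, "action": {"write"}}),
    ("Permit", {"resource": {"grades"}}),
    ("Deny",   {"role": {"guest"}}),
]

def applicable(rule, request):
    return all(request[a] in allowed for a, allowed in rule[1].items())

def evaluate(rules, request, algorithm):
    """Combine the effects of the applicable rules (evaluation errors not modelled)."""
    effects = [r[0] for r in rules if applicable(r, request)]
    if not effects:
        return "NotApplicable"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "first-applicable":
        return effects[0]
    if algorithm == "only-one-applicable":
        # XACML defines this one for combining policies; applied to rules here for brevity.
        return effects[0] if len(effects) == 1 else "Indeterminate"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def permitted_requests(rules, algorithm, domain=DOMAIN):
    """Enumerate every request over the domain and keep those that evaluate to Permit."""
    permitted = set()
    for values in product(*(domain[a] for a in ATTRS)):
        if evaluate(rules, dict(zip(ATTRS, values)), algorithm) == "Permit":
            permitted.add(values)
    return permitted

def change_impact(rules, old_algorithm, new_algorithm):
    """Requests whose Permit status differs between two combining algorithms."""
    return permitted_requests(rules, old_algorithm) ^ permitted_requests(rules, new_algorithm)

if __name__ == "__main__":
    for alg in ("permit-overrides", "deny-overrides", "first-applicable", "only-one-applicable"):
        print(alg, sorted(permitted_requests(RULES, alg)))
    print("impact:", sorted(change_impact(RULES, "permit-overrides", "deny-overrides")))
```

The same rule set permits a different set of requests under each combining algorithm, which is why an analysis has to model the algorithm as well as the rules.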