Sonia Jahid, Carl A. Gunter, Imranul Hoque, Hamed Okhravi
Title: MyABDAC: compiling XACML policies for attribute-based database access control
Venue: CODASPY : proceedings of the ... ACM conference on data and application security and privacy (ACM Conference on Data and Application Security & Privacy), pages 97-108
Publication date: 2011-02-21
DOI: https://doi.org/10.1145/1943513.1943528
Citation count: 21
Abstract
Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.