Multi-data-types interval decision diagrams for XACML evaluation engine

conference paper
XACML policy evaluation efficiency is an important factor influencing the overall system performance, especially when the number of policies grows. Some existing approaches to high-performance XACML policy evaluation can support simple policies with equality comparisons and handle requests with well-defined conditions. Such mechanisms do not provide the semantic correctness of combining algorithms in cases with indeterminate and not-applicable states. They ignore the critical attribute setting, a mandatory property in XACML, leading to potential missing-attribute attacks. In this paper, we present a solution using data interval partition aggregation together with new decision diagram combinations that not only optimizes the performance but also provides correctness and completeness of XACML 3.0 features, including complex logical expressions, correctness in indeterminate states processing, critical attribute setting, obligations and advices as well as complex comparison functions for multiple data types. © 2013 IEEE.
TNO Identifier
481442
Source title
11th Annual Conference on Privacy, Security and Trust, PST 2013, 10-12 July 2013, Tarragona, Catalonia, Spain
Place of publication
Piscataway, NJ
Pages
257-266
Files
To receive the publication files, please send an e-mail request to TNO Repository.