XEngine: A fast and scalable XACML policy evaluation engine

Alex X. Liu, Fei Chen, Jeehyun Hwang, Tao Xie

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

XACML has become the de facto standard for specifying access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity, which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient XACML policy evaluation. XEngine first converts a textual XACML policy to a numerical policy. Second, it converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.

Original language: English (US)
Title of host publication: SIGMETRICS'08
Subtitle of host publication: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems
Pages: 265-276
Number of pages: 12
Edition: 1 SPECIAL ISSUE
State: Published - Dec 12 2008
Externally published: Yes
Event: 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08 - Annapolis, MD, United States
Duration: Jun 2 2008 - Jun 6 2008

Publication series

Name: SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems
Number: 1 SPECIAL ISSUE
Volume: 36

Other

Other: 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08
Country: United States
City: Annapolis, MD
Period: 6/2/08 - 6/6/08

Keywords

  • Access control
  • Policy decision point (PDP)
  • Policy enforcement point (PEP)
  • Policy evaluation
  • Web server
  • XACML

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Software
