XEngine: A fast and scalable XACML policy evaluation engine

Alex X. Liu; Fei Chen; Jeehyun Hwang; Tao Xie

doi:10.1145/1375457.1375488

XEngine: A fast and scalable XACML policy evaluation engine

Alex X. Liu, Fei Chen, Jeehyun Hwang, Tao Xie

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

XACML has become the de facto standard for specif3dng access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity, which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient XACML policy evaluation. XEngine first converts a textual XACML policy to a numerical policy. Second, it converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.

Original language	English (US)
Title of host publication	SIGMETRICS'08
Subtitle of host publication	Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems
Pages	265-276
Number of pages	12
Edition	1 SPECIAL ISSUE
DOIs	https://doi.org/10.1145/1375457.1375488
State	Published - 2008
Externally published	Yes
Event	2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08 - Annapolis, MD, United States Duration: Jun 2 2008 → Jun 6 2008

Publication series

Name	SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems
Number	1 SPECIAL ISSUE
Volume	36

Other

Other	2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08
Country/Territory	United States
City	Annapolis, MD
Period	6/2/08 → 6/6/08

Keywords

Access control
Policy decision point (pdp)
Policy enforcement point (pep)
Policy evaluation
Web server
XACML

ASJC Scopus subject areas

Computational Theory and Mathematics
Software

Online availability

10.1145/1375457.1375488

Library availability

Discover UIUC Full Text

Cite this

Liu, A. X., Chen, F., Hwang, J., & Xie, T. (2008). XEngine: A fast and scalable XACML policy evaluation engine. In SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (1 SPECIAL ISSUE ed., pp. 265-276). (SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems; Vol. 36, No. 1 SPECIAL ISSUE). https://doi.org/10.1145/1375457.1375488

XEngine: A fast and scalable XACML policy evaluation engine. / Liu, Alex X.; Chen, Fei; Hwang, Jeehyun et al.
SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. 1 SPECIAL ISSUE. ed. 2008. p. 265-276 (SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems; Vol. 36, No. 1 SPECIAL ISSUE).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Liu, AX, Chen, F, Hwang, J & Xie, T 2008, XEngine: A fast and scalable XACML policy evaluation engine. in SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. 1 SPECIAL ISSUE edn, SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, no. 1 SPECIAL ISSUE, vol. 36, pp. 265-276, 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08, Annapolis, MD, United States, 6/2/08. https://doi.org/10.1145/1375457.1375488

Liu AX, Chen F, Hwang J, Xie T. XEngine: A fast and scalable XACML policy evaluation engine. In SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. 1 SPECIAL ISSUE ed. 2008. p. 265-276. (SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems; 1 SPECIAL ISSUE). doi: 10.1145/1375457.1375488

Liu, Alex X. ; Chen, Fei ; Hwang, Jeehyun et al. / XEngine : A fast and scalable XACML policy evaluation engine. SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems. 1 SPECIAL ISSUE. ed. 2008. pp. 265-276 (SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems; 1 SPECIAL ISSUE).

@inproceedings{c80238a5eaa24c0084ba3f0ca236d7e2,

title = "XEngine: A fast and scalable XACML policy evaluation engine",

abstract = "XACML has become the de facto standard for specif3dng access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity, which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient XACML policy evaluation. XEngine first converts a textual XACML policy to a numerical policy. Second, it converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.",

keywords = "Access control, Policy decision point (pdp), Policy enforcement point (pep), Policy evaluation, Web server, XACML",

author = "Liu, {Alex X.} and Fei Chen and Jeehyun Hwang and Tao Xie",

year = "2008",

doi = "10.1145/1375457.1375488",

language = "English (US)",

isbn = "9781605580050",

series = "SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems",

number = "1 SPECIAL ISSUE",

pages = "265--276",

booktitle = "SIGMETRICS'08",

edition = "1 SPECIAL ISSUE",

note = "2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08 ; Conference date: 02-06-2008 Through 06-06-2008",

}

TY - GEN

T1 - XEngine

T2 - 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS'08

AU - Liu, Alex X.

AU - Chen, Fei

AU - Hwang, Jeehyun

AU - Xie, Tao

PY - 2008

Y1 - 2008

N2 - XACML has become the de facto standard for specif3dng access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity, which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient XACML policy evaluation. XEngine first converts a textual XACML policy to a numerical policy. Second, it converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.

AB - XACML has become the de facto standard for specif3dng access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity, which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient XACML policy evaluation. XEngine first converts a textual XACML policy to a numerical policy. Second, it converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.

KW - Access control

KW - Policy decision point (pdp)

KW - Policy enforcement point (pep)

KW - Policy evaluation

KW - Web server

KW - XACML

UR - http://www.scopus.com/inward/record.url?scp=57349199277&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=57349199277&partnerID=8YFLogxK

U2 - 10.1145/1375457.1375488

DO - 10.1145/1375457.1375488

M3 - Conference contribution

AN - SCOPUS:57349199277

SN - 9781605580050

T3 - SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems

SP - 265

EP - 276

BT - SIGMETRICS'08

Y2 - 2 June 2008 through 6 June 2008

ER -

XEngine: A fast and scalable XACML policy evaluation engine

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this