Abstract
We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.
This work has been partially sponsored by the EU project ASCENS (257414).
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Masi, M., Pugliese, R., Tiezzi, F. (2012). Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_7
DOI: https://doi.org/10.1007/978-3-642-28166-2_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28165-5
Online ISBN: 978-3-642-28166-2
eBook Packages: Computer Science, Computer Science (R0)