EXAM - Environment for XACML Policy Analysis and Management

Overview

The EXAM environment, an overview of which is shown in Figure 1, consists of three levels. The first level is the user interface, which receives policies, analysis requests and queries from users, and returns request replies and query results. The second level is the request dispatcher, which handles the requests received from the user interface, dispatches each to the proper analysis module, and aggregates the results. The third level is the core of EXAM and includes the modules supporting the different policy analysis tasks, namely policy annotation, policy filtering, policy similarity analysis and policy integration.

Figure 1 EXAM Architecture

The policy annotation module preprocesses each newly acquired policy by adding annotations to it. The annotations explicitly represent the behavior, or semantics, of each function referred to in the policy. Such annotations make it possible to automatically translate policies into Boolean formulae that the policy analysis modules can then evaluate. Annotated policies are stored in the policy repository together with the policy metadata.

The policy filter module acts as a filtering phase for policy similarity analysis when there is a large number of policies to compare. It uses a lightweight, extremely fast approach that evaluates the similarity between each pair of policies and assigns them a similarity score. Its main goal is to reduce the number of policies that then need to be analyzed in more detail, which matters when retrieving policies from a large repository. The score is only an approximation: it prunes candidates but does not by itself establish the precise relationship between two policies.

Filtering is, however, optional. The policy management module can send analysis queries directly to the policy similarity analyzer (PSA) for a fine-grained policy analysis without performing any filtering.

The PSA module precisely characterizes the similarity between two policies in terms of the relationship between the sets of requests permitted (or denied) by those policies. It combines SAT solving and model checking techniques.

The policy integration module integrates policies using the operators defined in the proposed fine-grained integration algebra, and generates a well-formed XACML version of the integrated policy.
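The four modules described above (annotation, filtering, PSA and integration) are easiest to see on a toy example. The Python below is an added illustration written for this page, not EXAM's own code. The attribute domains, the two policies and the XACML category mapping are constructed assumptions; annotation is modelled as compiling each rule's target into a predicate, the filter as a Jaccard score over attribute-value pairs, the PSA step as exhaustive enumeration of the finite request space (a brute-force stand-in for SAT solving and model checking), and integration as a deny-overrides XACML 3.0 PolicySet, which is just one possible operator and does not reproduce the algebra's actual operator set.

```python
"""Toy model of the EXAM pipeline (added illustration, not EXAM's own code).

Policies are ordered rules over a finite attribute vocabulary. Every name,
domain and policy below is a constructed assumption for the example."""
from itertools import product
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORY = {  # XACML 3.0 categories assumed for the three attributes used here
    "role": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
DOMAINS = {"role": ("doctor", "nurse", "admin"),   # constructed finite domains
           "resource": ("record", "schedule"),
           "action": ("read", "write")}

# A rule is (effect, {attribute: set of matching values}); {} matches every
# request. Rules are evaluated first-applicable, as in XACML. Each policy
# ends with a catch-all Deny so it never returns NotApplicable.
POLICY_A = [("Permit", {"role": {"doctor"}, "resource": {"record"}}),
            ("Permit", {"role": {"doctor", "nurse"}, "action": {"read"}}),
            ("Deny", {})]
POLICY_B = [("Deny", {"role": {"admin"}}),
            ("Permit", {"resource": {"record"}, "action": {"read"}}),
            ("Deny", {})]


def annotate(policy):
    """Annotation step: compile each rule's target into an evaluable predicate."""
    def compile_rule(conds):
        return lambda req: all(req[a] in vals for a, vals in conds.items())
    return [(effect, compile_rule(conds)) for effect, conds in policy]


def decide(annotated, req):
    """First-applicable evaluation of an annotated policy on one request."""
    for effect, applies in annotated:
        if applies(req):
            return effect
    return "NotApplicable"


def filter_score(p, q):
    """Filter step: Jaccard similarity of the (attribute, value) pairs used by
    Permit rules. Cheap, but only a hint; see relationship() for the truth."""
    def pairs(policy):
        return {(a, v) for eff, conds in policy if eff == "Permit"
                for a, vals in conds.items() for v in vals}
    sp, sq = pairs(p), pairs(q)
    return len(sp & sq) / len(sp | sq) if sp | sq else 1.0


def permit_set(policy):
    """All requests in the finite request space that the policy permits."""
    ann, keys = annotate(policy), list(DOMAINS)
    return {combo for combo in product(*(DOMAINS[k] for k in keys))
            if decide(ann, dict(zip(keys, combo))) == "Permit"}


def relationship(p, q):
    """PSA step: exact relation between the permit sets, plus a witness request
    on which the two policies disagree (None when they are equivalent)."""
    sp, sq = permit_set(p), permit_set(q)
    if sp == sq:
        rel = "equivalent"
    elif sp < sq:
        rel = "p more restrictive than q"
    elif sq < sp:
        rel = "q more restrictive than p"
    elif sp & sq:
        rel = "overlapping"
    else:
        rel = "disjoint"
    diff = sorted((sp - sq) | (sq - sp))
    return rel, (dict(zip(DOMAINS, diff[0])) if diff else None)


def rule_to_xml(rule_id, effect, conds):
    """XACML Target = AND over attributes of (OR over values): one AnyOf per
    attribute, one AllOf/Match per allowed value."""
    rule = ET.Element("Rule", RuleId=rule_id, Effect=effect)
    target = ET.SubElement(rule, "Target")
    for attr, vals in conds.items():
        any_of = ET.SubElement(target, "AnyOf")
        for v in sorted(vals):
            m = ET.SubElement(ET.SubElement(any_of, "AllOf"), "Match",
                              MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal")
            ET.SubElement(m, "AttributeValue", DataType=STRING).text = v
            ET.SubElement(m, "AttributeDesignator", Category=CATEGORY[attr],
                          AttributeId=attr, DataType=STRING, MustBePresent="false")
    return rule


def integrate(policies):
    """Integration step: wrap the policies in a deny-overrides PolicySet. Because
    every input policy ends in a catch-all Deny, the result permits exactly the
    intersection of their permit sets."""
    ps = ET.Element("PolicySet", xmlns=XACML_NS, PolicySetId="integrated", Version="1.0",
                    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides")
    ET.SubElement(ps, "Target")
    for i, policy in enumerate(policies):
        pol = ET.SubElement(ps, "Policy", PolicyId=f"P{i}", Version="1.0",
                            RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:first-applicable")
        ET.SubElement(pol, "Target")
        for j, (effect, conds) in enumerate(policy):
            pol.append(rule_to_xml(f"P{i}R{j}", effect, conds))
    return ET.tostring(ps, encoding="unicode")


if __name__ == "__main__":
    print("filter score:", filter_score(POLICY_A, POLICY_B))
    print("relationship:", relationship(POLICY_A, POLICY_B))
    print(integrate([POLICY_A, POLICY_B]))
```

On these inputs the filter reports a score of 0.5, which says nothing about containment, while the PSA step shows that POLICY_B's permit set is strictly inside POLICY_A's and returns the request (doctor, record, write) as a witness that A permits and B denies. This is the difference between the two modules: the filter ranks candidates, the analyzer proves the relationship. Note that the deny-overrides PolicySet only equals the intersection of the permit sets because each input policy carries a catch-all Deny; a policy that can return NotApplicable would not constrain the combined decision.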