Abstract:
In the XACML administrative policy schema, access policies and administrative policies are mixed together in one policy tree, which degrades decision-making performance. Moreover, whether a policy is trusted is checked only while an access request is being decided, which exposes the policy decision point to denial-of-service (DoS) attacks. This paper presents a scheme that improves on-line decision performance by dividing the policy tree into an access policy tree and an administrative policy tree, either in the policy decision point or in the policy repository. Based on the logical implication of delegation, a method for constructing a delegation graph is proposed. Invalid policies, i.e. those with no path to a trusted policy, are deleted. Because policies created by attackers are removed in this way, they are not applicable when an access request is decided, so the policy decision point can resist such DoS attacks. In the XACML administrative policy schema, the delegation element is processed differently from the other elements of XACML; this is recognized as a bug. An improved policy schema definition is presented to correct it, making the processing of delegations consistent with the processing of the subject, resource and other elements of the XACML core, and allowing administrative policies to be defined more efficiently. With these improvements, decision making is faster, and the policy decision point can resist DoS attacks to some extent.
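As an added illustration (not the paper's own code or algorithm), the following Python models the off-line step the abstract describes: build a delegation graph from the administrative policies, keep only policies that have a path back to a trusted policy, and split the survivors into access and administrative policy sets. The dict-based policy representation, the `issuer`/`delegates` field names and the sample repository are assumptions made for illustration; the only XACML fact relied on is that a policy with no issuer is trusted.

```python
from collections import deque

# Constructed sample repository (an assumption for illustration).
# issuer None marks a trusted policy; 'delegates' lists the issuers an
# administrative policy authorises (empty for a plain access policy).
SAMPLE_POLICIES = {
    "root-admin":    {"issuer": None,      "delegates": ["alice"]},   # trusted root
    "alice-admin":   {"issuer": "alice",   "delegates": ["bob"]},
    "bob-access":    {"issuer": "bob",     "delegates": []},          # access policy
    "mallory-admin": {"issuer": "mallory", "delegates": ["eve"]},     # attacker-created
    "eve-admin":     {"issuer": "eve",     "delegates": ["mallory"]}, # cycle, no root
    "eve-access":    {"issuer": "eve",     "delegates": []},
}


def build_delegation_graph(policies):
    """Edge p -> q when administrative policy p authorises q's issuer."""
    graph = {pid: set() for pid in policies}
    for pid, pol in policies.items():
        for qid, qpol in policies.items():
            if qpol["issuer"] is not None and qpol["issuer"] in pol["delegates"]:
                graph[pid].add(qid)
    return graph


def valid_policies(policies):
    """Policy ids reachable from some trusted policy along delegation edges.

    Starting the search at the trusted roots means a self-authorising cycle of
    attacker policies (mallory <-> eve above) is never reached and is pruned.
    """
    graph = build_delegation_graph(policies)
    roots = [pid for pid, pol in policies.items() if pol["issuer"] is None]
    seen, queue = set(roots), deque(roots)
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def prune_and_split(policies):
    """Drop invalid policies, then separate administrative from access policies."""
    valid = valid_policies(policies)
    admin = {p for p in valid if policies[p]["delegates"]}
    access = valid - admin
    return admin, access
```

Only the pruned trees are handed to the on-line decision path, so no trust check or delegation reduction runs per request.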