
    Research on Preprocessing Policies in XACML Admin

    • Abstract (translated from Chinese): Because access policies and administrative policies are mixed together in XACML Admin, this paper proposes a matching scheme in which the PDP splits the policy tree into an access policy tree and an administrative policy tree in order to improve on-line decision performance. Building on this, and following the logical meaning of delegation, a delegation graph is constructed and the invalid nodes of the administrative policy tree and the access policy tree are removed, so that on-line decision-making no longer considers the invalid policies that give rise to denial-of-service attacks. In addition, given the defects of the current schema definition in XACML Admin, an improved schema definition is proposed; it lets Delegates be processed consistently with the rules for Subjects, Resources and the other elements of the XACML core specification, and allows administrative policies to be defined more effectively. Together these measures effectively improve on-line decision performance and prevent denial-of-service attacks against the request decision process.


      Abstract: Access policies and administrative policies are mixed together in the XACML administrative policy schema, which worsens decision-making performance. In XACML administrative policy, whether a policy is trusted is checked while an access request is being decided, which exposes the decision process to denial-of-service (DoS) attacks. In this paper, a scheme is presented that improves on-line decision performance by dividing the policy tree into an access policy tree and an administrative policy tree, either in the policy decision point or in the policy repository. Based on the logical implication of delegation, a method for constructing a delegation graph is proposed. Invalid policies, those from which no path to a trusted policy exists, are deleted. Deleting invalid policies makes the policies created by attackers inapplicable when deciding access requests, so that the policy decision point can resist such DoS attacks. In XACML administrative policy, the delegation element is processed differently from the other elements of XACML; this is recognized as a bug in the XACML administrative policy schema. An improved policy schema definition is presented to correct it, which makes the processing of delegations conform to that of the Subject, Resource and other elements in the XACML core and defines administrative policies more efficiently. Through these improvements, decision-making is accelerated and the policy decision point can resist DoS attacks to some extent.
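The tree split and delegation-graph pruning sketched in the abstract, as an added illustration that is not the paper's code. It assumes a simplified policy model: each policy has an `issuer` (`None` meaning it was issued by the trusted authority), a `kind` (`access` or `admin`), and, for administrative policies, the set of `delegates` it authorises to issue policies; target matching is abstracted away, and the policy set is constructed for the example.

```python
"""Split a mixed XACML Admin policy set and prune policies that cannot be
traced back to a trusted policy, so the PDP never evaluates them on-line."""
from collections import deque

# Constructed sample policy set (hypothetical ids and issuers):
# p1 is a trusted root delegating to alice; alice delegates to bob; bob issues
# an access policy. mallory's policies are only authorised by mallory herself.
POLICIES = [
    {"id": "p1", "issuer": None, "kind": "admin", "delegates": {"alice"}},
    {"id": "p2", "issuer": "alice", "kind": "admin", "delegates": {"bob"}},
    {"id": "p3", "issuer": "bob", "kind": "access"},
    {"id": "p4", "issuer": "mallory", "kind": "access"},
    {"id": "p5", "issuer": "mallory", "kind": "admin", "delegates": {"mallory"}},
]


def split_trees(policies):
    """Separate the mixed set into the access tree and the administrative tree."""
    access = [p for p in policies if p["kind"] == "access"]
    admin = [p for p in policies if p["kind"] == "admin"]
    return access, admin


def build_delegation_graph(policies):
    """Edge p -> q whenever admin policy q authorises p's issuer (p needs q)."""
    graph = {p["id"]: set() for p in policies}
    for p in policies:
        if p["issuer"] is None:
            continue  # trusted policy: needs no authorising admin policy
        for q in policies:
            if q["kind"] == "admin" and p["issuer"] in q.get("delegates", ()):
                graph[p["id"]].add(q["id"])
    return graph


def prune_invalid(policies):
    """Keep only policies from which a trusted policy is reachable in the graph."""
    graph = build_delegation_graph(policies)
    trusted = {p["id"] for p in policies if p["issuer"] is None}
    reverse = {pid: set() for pid in graph}  # reversed edges for a backward BFS
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].add(src)
    valid, queue = set(trusted), deque(trusted)
    while queue:
        node = queue.popleft()
        for pred in reverse[node]:
            if pred not in valid:
                valid.add(pred)
                queue.append(pred)
    return [p for p in policies if p["id"] in valid]
```

Running `prune_invalid(POLICIES)` keeps p1, p2 and p3 and drops mallory's self-authorising cycle, which is exactly the kind of untrusted policy the abstract says should never reach on-line decision-making.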

