Provisioning access control using SDDL on the basis of a XACML policy

US 8,966,576 B2
Filed: 02/26/2013
Issued: 02/24/2015
Est. Priority Date: 02/27/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), said method comprising:

providing, on a non-transitory computer readable media, a XACML policy (P) that, when implemented by a processor, is configured to control access to one or more resources in a computer network;

feeding the XACML policy (P) to a transformation engine, the transformation engine including software that, when executed by a processor, creates the at least one SDDL rule;

producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;

translating, by the transformation engine based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );

deriving, by the transformation engine, variable assignments (RC_j=[ARC_j1;

v₁=x_j1, ARC_j2;

v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;

creating, by the transformation engine, the at least one SDDL rule based on said variable assignments (RC_j=[ARC_j1;

v₁=x_j1, ARC_j2;

v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition, wherein the at least one SDDL rule, when implemented by a processor, is configured to control access to the one or more resources in a computer network;

loading the at least one SDDL rule onto a non-transitory computer readable media of an SDDL system; and

controlling access to the one or more resources in the computer network using the at least one SDDL rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . ) From said ROBDD, variable assignments (RC_j=[ARC_j1: v₁=x_j1, ARC_j2: v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RC_j=[ARC_j1: v₁=x_j1, ARC_j2: v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

35 Citations

View as Search Results

11 Claims

1. A computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), said method comprising:
- providing, on a non-transitory computer readable media, a XACML policy (P) that, when implemented by a processor, is configured to control access to one or more resources in a computer network;
  
  feeding the XACML policy (P) to a transformation engine, the transformation engine including software that, when executed by a processor, creates the at least one SDDL rule;
  
  producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
  
  translating, by the transformation engine based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );
  
  deriving, by the transformation engine, variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;
  
  creating, by the transformation engine, the at least one SDDL rule based on said variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition, wherein the at least one SDDL rule, when implemented by a processor, is configured to control access to the one or more resources in a computer network;
  
  loading the at least one SDDL rule onto a non-transitory computer readable media of an SDDL system; and
  
  controlling access to the one or more resources in the computer network using the at least one SDDL rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - translating said logic proposition into an Binary Decision Diagram, BDD, or an Reduced-Order Binary Decision Diagram, ROBDD,wherein the deriving is based on said BDD or on said ROBDD.
  - 3. The method of claim 1, wherein the Boolean variables (v_i, i=1, 2, . . . ) each corresponds to an original fragment in the XACML policy which has been replaced by the Boolean variable in the translation into a logic proposition and wherein creating at least one SSDL rule comprises:
    - for each variable assignment of said variable assignments (RC_j=[ARC_j1;
      
      v₁=x_j1, ARC_j2;
      
      v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;
      
      adding a translation of the original fragment, to said at least one SDDL rule.
  - 4. The method of claim 1, wherein the Boolean variables (v_i, i=1, 2, . . . ) each correspond to an original fragment in the XACML policy which has been replaced by the Boolean variable in the translation into a logic proposition, and wherein creating at least one SDDL rule comprises:
    - for each variable assignment of said variable assignments (RC_j=[ARC_j1;
      
      v₁=x_j1, ARC_j2;
      
      v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;
      
      adding, to said at least one SDDL rule, the corresponding original fragment for each variable evaluating to true; and
      
      adding, to said at least one SDDL rule, the negation of the corresponding original fragment for each variable evaluating to false.
  - 5. The method of claim 1, wherein one SDDL rule is created by creating one line of said one SDDL rule for each variable assignment of said variable assignments (RC_j=[ARC_j1:
    - v₁=x_j1, ARC_j2;
      
      v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.
  - 6. The method of claim 1, wherein the set (R) of admissible access requests is equal to the set (R_tot) of all admissible access requests.
  - 7. The method of claim 1, wherein the set (R) of admissible access requests is a subset of the set (R_tot) of all admissible access requests, wherein each of the set (R) comprises one or more attributes appearing in the XACML policy (P) and explicit values assigned to these, wherein the translation comprises:
    - extracting attributes to which all access requests in the set (R) assign identical values;
      
      reducing the XACML policy (P) at least by substituting values for the extracted attributes;
      
      caching the policy as a simplified policy (P′
      
      ) after said reducing;
      
      translating the cached simplified policy (P′
      
      ) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . ).
  - 8. The method of claim 1, wherein the given decision (d) is permit access.
  - 9. The method of claim 1, wherein the given decision (d) is deny access.

10. A non-transitory storage medium storing computer executable instructions for performing a computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network, said method comprising:
- producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
  
  translating, based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );
  
  deriving variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=X_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition; and
  
  creating at least one SDDL rule based on said variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=X_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

11. A system comprising:
- an XACML authority tool; and
  
  a hardware policy converter to implement a computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network, said method comprising;
  
  producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
  
  translating, based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );
  
  deriving variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition; and
  
  creating at least one SDDL rule based on said variable assignments (RC_j=[ARC_j1;
  
  v₁=x_j1, ARC_j2;
  
  v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Axiomatics AB
Original Assignee
Axiomatics AB
Inventors
Giambiagi, Pablo, Rissanen, Erik, Spencer, Travis
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US13/777,789
Publication Number

US 20130227639A1
Time in Patent Office

728 Days
Field of Search

726 1- 4, 726 11- 14, 707/759, 707/769
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/6218   to a system of files or obj...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Provisioning access control using SDDL on the basis of a XACML policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning access control using SDDL on the basis of a XACML policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links