Holistic Enterprise-Ready Application Security Architecture Framework
Lead: Florian Huonder
We are doing research in the area of Conflict Detection of XACML policies. This topic was part of Florian Huonder's Master Thesis. The results achieved so far are:
Two algorithms for detecting conflicts of XACML policies were developed. The Plane Sweep Algorithm should be used in a more static policy deployment where the policies do not change very often. The AABB - AABB Intersection Algorithm can be used in a more dynamic policy deployment where the policies may change often.
A further algorithm for detecting conflicts of XACML policies is the Regex Intersection Algorithm for detecting intersections of regular expressions.
With these three algorithms we are able to detect any conflict that might occur among a set of XACML policies.
The algorithms are very generic, which makes it possible to detect any conceivable kind of conflict, e.g. decision conflicts (two policies have different decisions for the same request) or obligation conflicts (different obligations are returned for the same request).
For further information have a look at the Master Thesis or contact us.
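The decision-conflict check described above, sketched as an added example that is not code from the thesis or the project. It assumes each policy Target can be modelled as an axis-aligned box (one closed numeric interval per attribute) and uses a plain pairwise box intersection test; the `Policy` class, attribute names and sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

# Assumption: each policy Target is modelled as an axis-aligned box, one closed
# numeric interval per attribute; a missing attribute means "matches any value".
@dataclass(frozen=True)
class Policy:
    policy_id: str
    effect: str                 # "Permit" or "Deny"
    target: dict                # attribute name -> (low, high), inclusive

ANY = (float("-inf"), float("inf"))

def intersection(a: Policy, b: Policy):
    """Return the overlapping box of two targets, or None if they are disjoint."""
    box = {}
    for attr in set(a.target) | set(b.target):
        a_lo, a_hi = a.target.get(attr, ANY)
        b_lo, b_hi = b.target.get(attr, ANY)
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo > hi:             # separated on one axis: no request matches both
            return None
        box[attr] = (lo, hi)
    return box

def decision_conflicts(policies):
    """Pairs of policies whose targets overlap and whose effects differ."""
    found = []
    for a, b in combinations(policies, 2):
        if a.effect == b.effect:
            continue            # same decision: overlap is not a decision conflict
        overlap = intersection(a, b)
        if overlap is not None:
            found.append((a.policy_id, b.policy_id, overlap))
    return found

# Constructed sample policies over two attributes (hour of day, clearance level).
POLICIES = [
    Policy("office-hours", "Permit", {"hour": (8, 18), "clearance": (2, 5)}),
    Policy("maintenance", "Deny", {"hour": (17, 23)}),
    Policy("night-ops", "Permit", {"hour": (0, 6), "clearance": (4, 5)}),
]

if __name__ == "__main__":
    for first, second, overlap in decision_conflicts(POLICIES):
        print(first, "vs", second, "conflict on", overlap)
```

The returned overlap box is the set of requests for which both policies apply, which is the region an administrator would have to decide on.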
Lead: Florian Huonder
We are doing research in the area of Conflict Resolution of XACML policies. This topic was part of Florian Huonder's Master Thesis. The results achieved so far are:
Two algorithms for resolving conflicts of XACML policies were developed. The Cutting Planes Algorithm changes the Targets of conflicting policies in such a way that the conflicting part is cut from the overruled policy. The resulting policy set is guaranteed to return only one decision per request because only one policy is applicable at a time.
The Precedence Stringing Algorithm orders the policies by their precedence. These policies are then combined under the first-applicable combining algorithm. The first applicable policy is always the policy with the highest precedence.
Both algorithms rely on a set of resolved conflicts. These conflict resolutions must be made by an administrator or other responsible personnel.
For further information have a look at the Master Thesis or contact us.