Analyzing XACML policies using answer set programming

With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement, completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally more efficient compared with existing approaches.