SE1051394A1 - A system and method for evaluating a reverse query - Google Patents


Publication number
SE1051394A1
Authority
SE
Sweden
Prior art keywords
policy
operable
subset
requests
attributes
Application number
SE1051394A
Other languages
English (en)
Inventor
Erik Rissanen
Pablo Eduardo Giambiagi
Original Assignee
Axiomatics Ab
Application filed by Axiomatics Ab
Priority to SE1051394A (patent SE1051394A1)
Priority to US13/695,880 (patent US9223992B2)
Priority to PCT/SE2011/050955 (patent WO2012091653A1)
Priority to EP11853144.1A (patent EP2548141B1)
Priority to EP15164634.6A (patent EP2921986B1)
Publication of SE1051394A1
Priority to US14/748,903 (patent US9646164B2)
Priority to US15/589,296 (patent US10158641B2)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/9032 Query formulation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F17/30967
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Description

Policy Enforcement Point (PEP) within a target application/system captures access requests in real-time and sends them to a Policy Decision Point (PDP) for evaluation against XACML policies.
The semantics of an XACML policy P is given as a function $f_P$ mapping a request to a decision:
$f_P : \text{Request} \to \text{Decision}$
A Policy Decision Point is the component in charge of evaluating this function and thus is optimized for that purpose. In many situations, however, it is necessary to evaluate the inverse of the policy function,
$(f_P)^{-1} : \text{Decision} \to \text{Set}(\text{Request})$
Given a decision d, $(f_P)^{-1}(d)$ is the set of all requests that evaluate to d. For example, $(f_P)^{-1}(\text{PERMIT})$ is the set of all requests that are permitted by the policy P. In general, there is a priori a set R of interesting requests. For instance, to determine all the users that may "read" a certain file, only requests that identify the action as "read" and the resource as "file F" are of interest. In other words, what needs to be computed is actually the intersection of $(f_P)^{-1}(d)$ with R, $(f_P)^{-1}(d) \cap R$. These concepts and procedure are summarized by the following definitions.
Definition (Reverse Query): A reverse query is a triple $\langle P, d, R \rangle$ where P is a policy, $d \in \text{Decision}$ and R is a subset of Request.
Definition (Reverse Query Evaluation): A reverse query $\langle P, d, R \rangle$ is evaluated by computing $(f_P)^{-1}(d) \cap R$, where $f_P$ is the semantic function associated to policy P.
The evaluation of a reverse query is in general much more demanding, in terms of computing resources, in particular, time, than evaluating a request against a policy. If the set of requests of interest, $R = \{r_1, \ldots, r_n\}$, contains a relatively small number of requests then the reverse query $\langle P, d, R \rangle$ may be effectively evaluated by computing $f_P(r_1), \ldots, f_P(r_n)$ and picking only those requests which evaluate to d.
That is, a reverse query can be evaluated by sending each request of interest to the PDP (loaded with the policy P) and then comparing the returned decision with the expected decision d.
If the set R is large, however, the method described above becomes impractical, particularly in situations where the reverse query needs to be evaluated in real-time, e.g., in the context of an interactive system where a user would be waiting for the result of such evaluation.
Summary of the invention
The above mentioned problems are solved by a system operable to evaluate a reverse query, defining an expected decision, and a subset of a set of possible requests, over a policy in real-time according to Claim 1. The system comprises a first storing means operable to store policies. The system also comprises a partial request generation means operable to construct a partial request from the subset of the set of possible requests. Furthermore, the system also comprises a policy decision means connected to the partial request generation means, and to the first storing means and operable to partially evaluate the policy over the partial request, resulting in a simplified policy. The system also comprises a translation means connected to the policy decision means and operable to translate the simplified policy, the subset of the set of possible requests, and the expected decision into a propositional logic formula.
Furthermore, the system also comprises an analyzing means connected to the translation means and operable to analyze the propositional logic formula in order to determine a sequence of conditions over requests. The system also comprises a conversion means connected to the analyzing means, and operable to convert the sequence of conditions to a set of valid requests contained in the subset, and evaluate to the expected decision.
The main advantage with this system is that it can evaluate a reverse query in real-time. A further advantage with this system is that it can make the evaluation of a reverse query in real-time even if the subset of requests contains a large number of requests.
A further advantage in this context is achieved if the system also comprises a policy information means connected to the policy decision means, and the conversion means and operable to handle a set of attributes.
Furthermore, it is an advantage in this context if the partial request generation means also is operable to examine the subset of possible requests in order to determine (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of the subset (R); (II) the set (A) of attributes that are absent in all requests of the subset (R); and (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
A further advantage in this context is achieved if the partial request generation means also is operable to, by using the sets (D, A and U) of attributes, define the partial request which (IV) associates to each attribute in the set (D) of attributes, the exact set of values associated to it by any request in the subset (R); (V) marks all attributes in the set (A) as not present; and (VI) leaves all attributes in the set (U) undefined.
Furthermore, it is an advantage in this context if the translation means also is operable to represent the simplified policy with a tree structure, and to, whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value, replace the whole sub-tree by a variable.
A further advantage in this context is achieved if the translation means also is operable to, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, replace the whole sub-tree by a variable.
Furthermore, it is an advantage in this context if the system also comprises a second storing means connected to the translation means, and to the conversion means, and operable to store the correlation between each variable and the sub-tree it has replaced.
A further advantage in this context is achieved if the variables can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
Furthermore, it is an advantage in this context if the conversion means also is operable to, given a request $r \in R$, determine if it fulfills any condition, and if it does, then r is added to the set of valid requests.
The above mentioned problems are also solved with a method for evaluating a reverse query, defining an expected decision, and a subset (R) of a set of possible requests, over a policy (P) in real-time according to Claim 10. The method is performed with the aid of a system. The method comprises the steps:
- with the aid of a first storing means, comprised in the system, to store policies;
- with the aid of a partial request generation means, comprised in the system, to construct a partial request from the subset (R) of the set of possible requests;
- with the aid of a policy decision means connected to the partial request generation means, and to the first storing means, to partially evaluate the policy over the partial request resulting in a simplified policy;
- with the aid of a translation means, connected to the policy decision means, to translate the simplified policy, the subset of the set of possible requests, and the expected decision into a propositional logic formula;
- with the aid of an analyzing means connected to the translation means, to analyze the propositional logic formula in order to determine a sequence of conditions over requests; and
- with the aid of a conversion means, connected to the analyzing means, to convert the sequence of conditions to a set of valid requests contained in the subset (R), and evaluate to the expected decision.
The main advantage with this method is that it can evaluate a reverse query in real-time. A further advantage with this method is that it can make the evaluation of a reverse query in real-time even if the subset of requests contains a large number of requests.
A further advantage in this context is achieved if the method also comprises the step: - with the aid of a policy information means, comprised in the system, and connected to the policy decision means, and the conversion means, to handle a set of attributes.
Furthermore, it is an advantage in this context if the method also comprises the steps:
- with the aid of the partial request generation means, to examine the subset (R) of possible requests in order to determine
- (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of the subset (R);
- (II) the set (A) of attributes that are absent in all requests of the subset (R); and
- (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
A further advantage in this context is achieved if the method also comprises the steps:
- with the aid of the partial request generation means, by using the sets (D, A and U) of attributes, to define the partial request, which
- (IV) associates to each attribute in the set (D) of attributes, the exact set of values associated to it by any request in the subset (R);
- (V) marks all attributes in the set (A) as not present; and
- (VI) leaves all attributes in the set (U) undefined.
Furthermore, it is an advantage in this context if the method also comprises the steps:
- with the aid of the translation means, to represent the simplified policy with a tree structure;
- whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value; and
- to replace the whole sub-tree by a variable.
A further advantage in this context is achieved if the method also comprises the step: - with the aid of the translation means, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, to replace the whole sub-tree by a variable.
Furthermore, it is an advantage in this context if the method also comprises the step:
- with the aid of a second storing means, comprised in the system, and connected to the translation means, to store a correlation between each variable and the sub-tree it has replaced.
A further advantage in this context is achieved if the variables can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
Furthermore, it is an advantage in this context if the method also comprises the steps:
- with the aid of the conversion means, given a request $r \in R$, to determine if it fulfills any condition; and
- if it does, to add r to the set of valid requests.
The above mentioned problems are also solved with at least one computer program product according to Claim 19. The at least one computer program product is/are directly loadable into the internal memory of at least one digital computer, and comprises software code portions for performing the steps of the method according to the present invention when the at least one product is/are run on the at least one computer.
The main advantage with this computer program product is that it can evaluate a reverse query in real-time. A further advantage with this product is that it can make the evaluation of a reverse query in real-time even if the subset of requests contains a large number of requests.
It will be noted that the term "comprises/comprising" as used in this description is intended to denote the presence of a given characteristic, step or component, without excluding the presence of one or more other characteristics, features, integers, steps, components or groups thereof.
Embodiments of the invention will now be described with a reference to the accompanying drawings, in which:
Brief description of the drawings
Fig. 1 is a block diagram of a system operable to evaluate a reverse query, defining an expected decision, and a subset of a set of possible requests, over a policy in real-time according to the present invention;
Fig. 2 is a flow chart of a method for evaluating a reverse query, defining an expected decision, and a subset of a set of possible requests, over a policy in real-time according to the present invention; and
Fig. 3 schematically shows a number of computer program products according to the present invention.
Detailed description of the preferred embodiments
In fig. 1 there is disclosed a block diagram of a system 10 operable to evaluate a reverse query, defining an expected decision (d), and a subset (R) of a set of possible requests, over a policy (P) in real-time according to the present invention. The system 10 comprises a first storing means 12 operable to store policies. Furthermore, the system 10 also comprises a partial request generation means 14 operable to construct a partial request ($r_{partial}$) from the subset (R) of the set of possible requests. As is apparent in fig. 1, the system 10 also comprises a policy decision means 16 connected to the partial request generation means 14, and to the first storing means 12, and operable to partially evaluate the policy (P) over the partial request ($r_{partial}$) resulting in a simplified policy (P'). Furthermore, the system 10 also comprises a translation means 20 connected to the policy decision means 16, and operable to translate the simplified policy (P'), the subset (R) of the set of possible requests, and the expected decision (d) into a propositional logic formula (F). The system 10 also comprises an analyzing means 18 connected to the translation means 20, and operable to analyze the propositional logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over requests. As also is apparent in fig. 1, the system 10 also comprises a conversion means 22 connected to the analyzing means 18, and operable to convert the sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in the subset (R), and evaluate to the expected decision (d).
According to one alternative, the system 10 can also comprise a policy information means 30 operable to handle a set of attributes 32. The policy information means 30 is connected to the policy decision means 16, and to the conversion means 22. These connections are disclosed in fig. 1 with broken lines, because these elements are not mandatory in the system 10.
According to another alternative, the partial request generation means 14 is also operable to examine the subset (R) of the set of possible requests in order to determine (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of the subset (R); (II) the set (A) of attributes that are absent in all requests of the subset (R); and (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
According to a further alternative, the partial request generation means 14 is also operable to, by using the sets (D, A and U) of attributes, define the partial request ($r_{partial}$), which (IV) associates to each attribute in the set (D) of attributes, the exact set of values associated to it by any request in the subset (R); (V) marks all attributes in the set (A) as not present; and (VI) leaves all attributes in the set (U) undefined.
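The construction of the sets D, A and U, the partial request built from them, and the partial evaluation of a policy over that request can be illustrated as follows. This is an added example, not code from the patent: the tuple-based policy tree, the sentinel names, the sample requests and the choice to treat a comparison on a not-present attribute as false are all assumptions made for the illustration.

```python
# Added illustration (not from the patent): partial request + partial evaluation.
NOT_PRESENT = "NOT_PRESENT"   # assumed marker for step (V)
UNDEFINED = "UNDEFINED"       # assumed marker for step (VI)


def classify_attributes(requests, universe):
    """Return (D, A, U) for the request subset R.

    Each request is a dict: attribute name -> frozenset of values.
    A key missing from the dict means the attribute is absent.
    """
    if not requests:
        raise ValueError("R must contain at least one request")
    D, A, U = {}, set(), set()
    for attr in sorted(universe):
        bags = [r.get(attr) for r in requests]
        if all(b is None for b in bags):
            A.add(attr)                      # (II) absent in all requests
        elif all(b is not None and b == bags[0] for b in bags):
            D[attr] = bags[0]                # (I) same value set everywhere
        else:
            U.add(attr)                      # (III) varies, or only sometimes present
    return D, A, U


def build_partial_request(requests, universe):
    D, A, U = classify_attributes(requests, universe)
    partial = dict(D)                                  # (IV)
    partial.update({a: NOT_PRESENT for a in A})        # (V)
    partial.update({a: UNDEFINED for a in U})          # (VI)
    return partial


def simplify(node, partial):
    """Partially evaluate a policy tree; undecided comparisons stay as leaves.

    Nodes: True/False, ("eq", attr, value), ("not", x), ("and", ...), ("or", ...).
    """
    if isinstance(node, bool):
        return node
    op = node[0]
    if op == "eq":
        _, attr, val = node
        state = partial.get(attr, UNDEFINED)
        if state == UNDEFINED:
            return node                      # cannot be decided yet
        # Assumption: a comparison on a not-present attribute is false.
        return state != NOT_PRESENT and val in state
    kids = [simplify(k, partial) for k in node[1:]]
    if op == "not":
        return (not kids[0]) if isinstance(kids[0], bool) else ("not", kids[0])
    absorbing = (op == "or")                 # True decides "or", False decides "and"
    if any(k is absorbing for k in kids):
        return absorbing
    rest = [k for k in kids if not isinstance(k, bool)]
    if not rest:
        return not absorbing
    return rest[0] if len(rest) == 1 else (op, *rest)


def fs(*values):
    return frozenset(values)


# Constructed sample data: R = "read" requests on "fileF" by different subjects.
UNIVERSE = {"action", "resource", "role", "department", "clearance"}
SAMPLE_R = [
    {"action": fs("read"), "resource": fs("fileF"), "role": fs("manager")},
    {"action": fs("read"), "resource": fs("fileF"), "role": fs("engineer"),
     "department": fs("rnd")},
    {"action": fs("read"), "resource": fs("fileF"), "role": fs("engineer"),
     "department": fs("sales")},
]
# Constructed policy condition (permit when it holds).
POLICY = ("and",
          ("eq", "action", "read"),
          ("eq", "resource", "fileF"),
          ("not", ("eq", "clearance", "revoked")),
          ("or", ("eq", "role", "manager"),
                 ("and", ("eq", "role", "engineer"), ("eq", "department", "rnd"))))


def simplified_sample_policy():
    return simplify(POLICY, build_partial_request(SAMPLE_R, UNIVERSE))
```

Only the comparisons on attributes in U survive in the simplified policy; everything fixed by D or A has been folded away before any formula is built.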
According to yet another alternative, the translation means 20 is also operable to represent the simplified policy (P') with a tree structure, and to, whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value, replace the whole sub-tree by a variable ($v_i$).
According to another alternative, the translation means 20 is also operable to, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, replace the whole sub-tree by a variable ($v_i$).
As also is apparent in fig. 1, the system 10 can also comprise a second storing means 24 operable to store the correlation between each variable ($v_i$) and the sub-tree it has replaced. The second storing means 24 is connected to the translation means 20, and to the conversion means 22. These connections are disclosed in fig. 1 with a broken line, because these elements are not mandatory in the system 10.
Furthermore, according to another alternative, the variables ($v_i$) can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
According to yet another alternative, the conversion means 22 is also operable to, given a request $r \in R$, determine if it fulfills any condition $c_i$, and if it does, then r is added to the set of valid requests.
In fig. 2 there is disclosed a flow chart of a method for evaluating a reverse query, defining an expected decision (d), and a subset (R) of a set of possible requests, over a policy (P) in real-time according to the present invention. The method is performed with the aid of a system 10 (see fig. 1). The method begins at block 50. The method continues, at block 52, with the step: with the aid of a first storing means 12, comprised in the system 10, to store policies. Thereafter, the method continues, at block 54, with the step: with the aid of a partial request generation means 14, comprised in the system 10, to construct a partial request ($r_{partial}$) from the subset (R) of the set of possible requests. The method continues, at block 56, with the step: with the aid of a policy decision means 16 connected to the partial request generation means 14, to partially evaluate the policy (P) over the partial request ($r_{partial}$) resulting in a simplified policy (P'). Thereafter, the method continues, at block 58, with the step: with the aid of a translation means 20, connected to the policy decision means 16, to translate the simplified policy (P'), the subset (R) of the set of possible requests, and the expected decision (d) into a propositional logic formula (F). The method continues, at block 60, with the step: with the aid of an analyzing means 18 connected to the translation means 20, to analyze the propositional logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over requests.
Thereafter, the method continues, at block 62, with the step: with the aid of a conversion means 22, connected to analyzing means 18, to convert the sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in the subset (R), and evaluate to the expected decision (d).
The method is completed at block 64.
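Blocks 58 to 62 (translation, analysis and conversion) can be sketched as below. This is an added example, not the patent's implementation: the tuple policy tree, the search that enumerates conditions as partial variable assignments, and the sample requests are assumptions, and the variables are restricted to true/false, leaving the indeterminate value out.

```python
# Added illustration (not from the patent): formula, conditions, valid requests.

def abstract(node, table):
    """Translation: replace each attribute-vs-fixed-value comparison by a
    variable and record the variable -> sub-tree correlation in `table`."""
    if isinstance(node, bool):
        return node
    if node[0] == "eq":
        for name, leaf in table.items():
            if leaf == node:
                return name                  # same comparison, same variable
        name = "v%d" % (len(table) + 1)
        table[name] = node
        return name
    return (node[0],) + tuple(abstract(k, table) for k in node[1:])


def value(formula, assignment):
    """Evaluate under a partial assignment: True, False, or None if undecided."""
    if isinstance(formula, bool):
        return formula
    if isinstance(formula, str):
        return assignment.get(formula)
    op = formula[0]
    kids = [value(k, assignment) for k in formula[1:]]
    if op == "not":
        return None if kids[0] is None else not kids[0]
    if op == "and":
        if any(k is False for k in kids):
            return False
        return None if any(k is None for k in kids) else True
    if any(k is True for k in kids):         # op == "or"
        return True
    return None if any(k is None for k in kids) else False


def conditions(formula, variables, want, assignment=None):
    """Analysis: list partial assignments under which the formula equals `want`.
    A branch stops as soon as the formula is decided, so untouched variables
    are "don't care" for that condition."""
    assignment = assignment or {}
    v = value(formula, assignment)
    if v is not None:
        return [dict(assignment)] if v == want else []
    var = next(x for x in variables if x not in assignment)
    found = []
    for choice in (True, False):
        found += conditions(formula, variables, want, {**assignment, var: choice})
    return found


def fulfills(request, condition, table):
    """Conversion: does the request make every variable of the condition
    take the required truth value?"""
    for var, expected in condition.items():
        _, attr, val = table[var]
        if (val in request.get(attr, frozenset())) != expected:
            return False
    return True


def reverse_query(simplified_policy, expected, requests):
    table = {}
    formula = abstract(simplified_policy, table)
    conds = conditions(formula, list(table), expected)
    valid = [r for r in requests if any(fulfills(r, c, table) for c in conds)]
    return conds, valid


def subjects(requests):
    return [next(iter(r["subject"])) for r in requests]


def fs(*values):
    return frozenset(values)


# Constructed sample: a simplified policy P' and a small subset R.
SIMPLIFIED_POLICY = ("or", ("eq", "role", "manager"),
                     ("and", ("eq", "role", "engineer"), ("eq", "department", "rnd")))
SAMPLE_R = [
    {"subject": fs("alice"), "role": fs("manager"), "department": fs("sales")},
    {"subject": fs("bob"), "role": fs("engineer"), "department": fs("rnd")},
    {"subject": fs("carol"), "role": fs("engineer"), "department": fs("sales")},
    {"subject": fs("dave"), "role": fs("engineer")},
]

if __name__ == "__main__":
    for decision in (True, False):
        conds, valid = reverse_query(SIMPLIFIED_POLICY, decision, SAMPLE_R)
        print(decision, conds, subjects(valid))
```

Each request is tested only against the recorded comparisons named in a condition, not against the full policy.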
According to one alternative, the method also comprises the step: with the aid of a policy information means 30, comprised in the system 10, and connected to the policy decision means 16, and to the conversion means 22, to handle a set of attributes 32.
According to another alternative, the method also comprises the steps: with the aid of the partial request generation means 14, to examine the subset (R) of possible requests in order to determine
- (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of the subset (R);
- (II) the set (A) of attributes that are absent in all requests of the subset (R); and
- (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
According to yet another alternative, the method also comprises the steps: with the aid of the partial request generation means 14, by using the sets (D, A and U) of attributes, to define the partial request ($r_{partial}$), which
- (IV) associates to each attribute in the set (D) of attributes, the exact set of values associated to it by any request in the subset (R);
- (V) marks all attributes in the set (A) as not present; and
- (VI) leaves all attributes in the set (U) undefined.
Furthermore, according to another alternative, the method also comprises the steps:
- with the aid of the translation means 20, to represent the simplified policy (P') with a tree structure;
- whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value; and
- to replace the whole sub-tree by a variable ($v_i$).
According to a further alternative, the method also comprises the step:
- with the aid of the translation means 20, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, to replace the whole sub-tree by a variable ($v_i$).
According to another alternative, the method also comprises the step:
- with the aid of a second storing means 24, comprised in the system 10, and connected to the translation means 20, and to the conversion means 22 to store a correlation between each variable ($v_i$) and the sub-tree it has replaced.
According to yet another alternative, the variables ($v_i$) can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
Furthermore, according to another alternative, the method also comprises the steps:
- with the aid of the conversion means 22, given a request $r \in R$, to determine if it fulfills any condition $c_i$; and
- if it does, to add r to the set of valid requests.
In fig. 3, some computer program products $102_1, \ldots, 102_n$ according to the present invention are schematically shown. In fig. 3, n different digital computers $100_1, \ldots, 100_n$ are shown, where n is an integer. In fig. 3, n different computer program products $102_1, \ldots, 102_n$ are shown, here shown in the form of CD discs. The different computer program products $102_1, \ldots, 102_n$ are directly loadable into the internal memory of the n different computers $100_1, \ldots, 100_n$. Each computer program product $102_1; \ldots; 102_n$ comprises software code portions for performing all the steps according to fig. 2, when the product/products $102_1, \ldots, 102_n$ is/are run on the computers $100_1, \ldots, 100_n$. The computer program products $102_1, \ldots, 102_n$ may, for instance, be in the form of diskettes, RAM discs, magnetic tapes, magneto-optical discs or some other suitable products.
The invention is not limited to the described embodiments. It will be evident for those skilled in the art that many different modifications are feasible within the scope of the following Claims.

Claims (19)

CLAIMS
1. A system (10) operable to evaluate a reverse query, defining an expected decision (d), and a subset (R) of a set of possible requests, over a policy (P) in real-time, said system (10) comprising a first storing means (12) operable to store policies, characterized in that said system (10) also comprises a partial request generation means (14) operable to construct a partial request ($r_{partial}$) from said subset (R) of said set of possible requests, a policy decision means (16) connected to said partial request generation means (14), and to the first storing means (12), and operable to partially evaluate said policy (P) over said partial request ($r_{partial}$) resulting in a simplified policy (P'), a translation means (20) connected to said policy decision means (16), and operable to translate said simplified policy (P'), said subset (R) of said set of possible requests, and said expected decision (d) into a propositional logic formula (F), an analyzing means (18) connected to said translation means (20), and operable to analyze said propositional logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over requests, and a conversion means (22) connected to said analyzing means (18), and operable to convert said sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in said subset (R), and evaluate to said expected decision (d).
2. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 1, characterized in that said system (10) also comprises a policy information means (30) connected to said policy decision means (16), and said conversion means (22), and operable to handle a set of attributes (32).
3. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 1 or 2, characterized in that said partial request generation means (14) also is operable to examine said subset (R) of possible requests in order to determine (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of said subset (R); (II) the set (A) of attributes that are absent in all requests of said subset (R); and (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
4. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 3, characterized in that said partial request generation means (14) also is operable to, by using said sets (D, A and U) of attributes, define said partial request ($r_{partial}$), which (IV) associates to each attribute in said set (D) of attributes, the exact set of values associated to it by any request in said subset (R); (V) marks all attributes in said set (A) as not present; and (VI) leaves all attributes in said set (U) undefined.
5. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to any one of Claims 1-4, characterized in that said translation means (20) also is operable to represent said simplified policy (P') with a tree structure, and to, whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value, replace said whole sub-tree by a variable ($v_i$).
6. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 5, characterized in that said translation means (20) also is operable to, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, replace said whole sub-tree by a variable ($v_i$).
7. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 5, or 6, characterized in that said system (10) also comprises a second storing means (24) connected to said translation means (20), and to said conversion means (22), and operable to store the correlation between each variable ($v_i$) and said sub-tree it has replaced.
8. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 7, characterized in that said variables ($v_i$) can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
9. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to any one of Claims 5-8, when dependent on Claim 5, characterized in that said conversion means (22) also is operable to, given a request $r \in R$, determine if it fulfills any condition $c_i$, and if it does, then r is added to said set of valid requests.
10. defining an expected decision (d), and a subset ( R ) of a set of possible requests, A method for evaluating, with the aid of a system (10), a reverse query, over a policy (P) in real-time, said method comprises the steps: - with the aid of a first storing means (12), comprised in said system (10), to store policies; - with the aid of a partial request generation means (14), comprised in said system (10), to construct a partial request (rpaflm) from said subset( R ) of said set of possible requests; - with the aid of a policy decision means (16) connected to said partial request generation means (14), and to said first storing means (12), to partially evaluate said policy (P) over said partial request (rpamag resulting in a simplified policy (P'); - with the aid of a translation means (20), connected to said policy decision means (16), to translate said simplified policy (P'), said subset( R )of said set of possible requests, and said expected decision (d) into a propositional Iogic formula (F); - with the aid of an analyzing means (18) connected to said translation means (20), to analyze said propositional logic formula (F) in order to determine a sequence [c1, ck] of conditions over requests; and - with the aid of a conversion means (22), connected to said analyzing means (18), to convert said sequence [c1, ck] of conditions to a set of valid requests contained in said subset( R ), and evaluate to said expected decision (d).
11. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 10, characterized in that said method also comprises the step: - with the aid of a policy information means (30), comprised in said system (10), and connected to said policy decision means (16), and said conversion means (22), to handle a set of attributes (32).
12. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 10 or 11, characterized in that said method also comprises the steps:
- with the aid of said partial request generation means (14), to examine said subset (R) of possible requests in order to determine
- (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of said subset (R);
- (II) the set (A) of attributes that are absent in all requests of said subset (R); and
- (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
13. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 12, characterized in that said method also comprises the steps:
- with the aid of said partial request generation means (14), by using said sets (D, A and U) of attributes, to define said partial request (r_partial), which
- (IV) associates to each attribute in said set (D) of attributes, the exact set of values associated to it by any request in said subset (R);
- (V) marks all attributes in said set (A) as not present; and
- (VI) leaves all attributes in said set (U) undefined.
14. A method for evaluating a reverse query over a policy (P) in real-time according to any one of Claims 10-13, characterized in that said method also comprises the steps:
- with the aid of said translation means (20), to represent said simplified policy (P') with a tree structure;
- whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value; and
- to replace said whole sub-tree by a variable (v_i).
15. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 14, characterized in that said method also comprises the step:
- with the aid of said translation means (20), from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, to replace said whole sub-tree by a variable (v_i).
16. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 14, or 15, characterized in that said method also comprises the step:
- with the aid of a second storing means (24), comprised in said system (10), and connected to said translation means (20), and to said conversion means (22), to store a correlation between each variable (v_i) and said sub-tree it has replaced.
17. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 16, characterized in that said variables (v_i) can hold a value from the set {T, F, ⊥}, representing the values true, false and indeterminate.
18. A method for evaluating a reverse query over a policy (P) in real-time according to any one of Claims 14-17, when dependent on Claim 14, characterized in that said method also comprises the steps:
- with the aid of said conversion means (22), given a request r ∈ R, to determine if it fulfills any condition c_i; and
- if it does, to add r to said set of valid requests.
19. At least one computer program product (102_1, ..., 102_n) directly loadable into the internal memory of at least one digital computer (100_1, ..., 100_n), comprising software code portions for performing the steps of Claim 10 when said at least one product (102_1, ..., 102_n) is/are run on said at least one computer (100_1, ..., 100_n).
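
An added illustration of the attribute partition in Claims 12 and 13 and the partial-evaluation step of Claim 10 (example code written for this page, not taken from the patent or from the applicant). The tuple-based policy tree, the attribute names, the sample requests and the rule that a comparison on an absent attribute is false are assumptions made for the example.

```python
# Added illustration; every name and all sample data below are constructed.
ABSENT = object()      # claim 13 (V): attribute marked as not present
UNDEFINED = object()   # claim 13 (VI): attribute left undefined

def partition_attributes(requests, all_attrs):
    """Claim 12: split attributes into D (same value set in every request),
    A (absent from every request) and U (all remaining attributes)."""
    D, A, U = {}, set(), set()
    for attr in all_attrs:
        seen = [frozenset(r[attr]) for r in requests if attr in r]
        if not seen:
            A.add(attr)
        elif len(seen) == len(requests) and len(set(seen)) == 1:
            D[attr] = seen[0]
        else:
            U.add(attr)
    return D, A, U

def build_partial_request(requests, all_attrs):
    """Claim 13: bind D to its exact values, mark A absent, leave U open."""
    D, A, U = partition_attributes(requests, all_attrs)
    return {**D, **{a: ABSENT for a in A}, **{u: UNDEFINED for u in U}}

def simplify(node, partial):
    """Partially evaluate a condition tree over the partial request."""
    op = node[0]
    if op == "eq":
        _, attr, value = node
        bound = partial[attr]
        if bound is UNDEFINED:
            return node                    # stays symbolic in P'
        return bound is not ABSENT and value in bound  # assumption: absent -> False
    kids = [simplify(k, partial) for k in node[1:]]
    absorbing = (op == "or")               # True absorbs OR, False absorbs AND
    if any(k is absorbing for k in kids):
        return absorbing
    rest = [k for k in kids if not isinstance(k, bool)]
    if not rest:
        return not absorbing               # only neutral constants were left
    return rest[0] if len(rest) == 1 else (op, *rest)

ALL_ATTRS = {"role", "action", "resource", "clearance"}
R = [  # constructed subset of possible requests
    {"role": ["doctor"], "action": ["read"], "resource": ["record-1"]},
    {"role": ["doctor"], "action": ["read"], "resource": ["record-2"]},
    {"role": ["doctor"], "action": ["read"]},
]
POLICY = ("and", ("eq", "role", "doctor"),
          ("or", ("eq", "clearance", "high"), ("eq", "resource", "record-1")))
```

Calling `simplify(POLICY, build_partial_request(R, ALL_ATTRS))` leaves only the comparison on `resource`, the kind of residual sub-tree that Claim 14 replaces with a variable before the propositional analysis.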
SE1051394A 2010-12-30 2010-12-30 A system and method for evaluating a reverse query SE1051394A1 (sv)

Priority Applications (7)

Application Number Priority Date Filing Date Title
SE1051394A SE1051394A1 (sv) 2010-12-30 2010-12-30 A system and method for evaluating a reverse query
US13/695,880 US9223992B2 (en) 2010-12-30 2011-07-19 System and method for evaluating a reverse query
PCT/SE2011/050955 WO2012091653A1 (en) 2010-12-30 2011-07-19 A system and method for evaluating a reverse query
EP11853144.1A EP2548141B1 (en) 2010-12-30 2011-07-19 A system and method for evaluating a reverse query
EP15164634.6A EP2921986B1 (en) 2010-12-30 2011-07-19 A system and method for evaluating a reverse query
US14/748,903 US9646164B2 (en) 2010-12-30 2015-06-24 System and method for evaluating a reverse query
US15/589,296 US10158641B2 (en) 2010-12-30 2017-05-08 System and method for evaluating a reverse query

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE1051394A SE1051394A1 (sv) 2010-12-30 2010-12-30 A system and method for evaluating a reverse query

Publications (1)

Publication Number Publication Date
SE1051394A1 true SE1051394A1 (sv) 2011-10-13

Family

ID=44900240

Family Applications (1)

Application Number Title Priority Date Filing Date
SE1051394A SE1051394A1 (sv) 2010-12-30 2010-12-30 A system and method for evaluating a reverse query

Country Status (4)

Country Link
US (1) US9223992B2 (sv)
EP (2) EP2548141B1 (sv)
SE (1) SE1051394A1 (sv)
WO (1) WO2012091653A1 (sv)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3572963A1 (en) 2011-05-05 2019-11-27 Axiomatics AB Database access-control policy enforcement using reverse queries

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8489685B2 (en) 2009-07-17 2013-07-16 Aryaka Networks, Inc. Application acceleration as a service system and method
US8966576B2 (en) * 2012-02-27 2015-02-24 Axiomatics Ab Provisioning access control using SDDL on the basis of a XACML policy
US9455923B2 (en) * 2014-06-06 2016-09-27 Verizon Patent And Licensing Inc. Network policy and network device control
EP2993606A1 (en) 2014-09-05 2016-03-09 Axiomatics AB Provisioning system-level permissions using attribute-based access control policies
US10922423B1 (en) * 2018-06-21 2021-02-16 Amazon Technologies, Inc. Request context generator for security policy validation service

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60131900T2 (de) * 2000-10-26 2008-12-04 Flood, James C. jun., Portland Method and system for managing distributed content and related metadata
US7437362B1 (en) * 2003-11-26 2008-10-14 Guardium, Inc. System and methods for nonintrusive database security
US7333981B2 (en) 2004-12-17 2008-02-19 International Business Machines Corporation Transformation of a physical query into an abstract query
US7533088B2 (en) 2005-05-04 2009-05-12 Microsoft Corporation Database reverse query matching
US7921452B2 (en) * 2005-08-23 2011-04-05 The Boeing Company Defining consistent access control policies
US7941336B1 (en) * 2005-09-14 2011-05-10 D2C Solutions, LLC Segregation-of-duties analysis apparatus and method
US20070078840A1 (en) 2005-10-05 2007-04-05 Microsoft Corporation Custom function library for inverse query evaluation of messages
US7472130B2 (en) * 2005-10-05 2008-12-30 Microsoft Corporation Select indexing in merged inverse query evaluations
US20070143851A1 (en) * 2005-12-21 2007-06-21 Fiberlink Method and systems for controlling access to computing resources based on known security vulnerabilities
US7747647B2 (en) * 2005-12-30 2010-06-29 Microsoft Corporation Distributing permission information via a metadirectory
US7849507B1 (en) * 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for filtering server responses
US7702689B2 (en) 2006-07-13 2010-04-20 Sap Ag Systems and methods for querying metamodel data
US8010991B2 (en) * 2007-01-29 2011-08-30 Cisco Technology, Inc. Policy resolution in an entitlement management system
US8024771B2 (en) * 2007-09-19 2011-09-20 International Business Machines Corporation Policy-based method for configuring an access control service
US20090205018A1 (en) * 2008-02-07 2009-08-13 Ferraiolo David F Method and system for the specification and enforcement of arbitrary attribute-based access control policies
US20090265780A1 (en) 2008-04-21 2009-10-22 Varonis Systems Inc. Access event collection
US8250526B2 (en) * 2008-08-12 2012-08-21 Oracle America, Inc. Method for analyzing an XACML policy
US20100153695A1 (en) * 2008-12-16 2010-06-17 Microsoft Corporation Data handling preferences and policies within security policy assertion language
SE534334C2 (sv) * 2009-05-07 2011-07-12 Axiomatics Ab A system and method for controlling policy distribution with partial evaluation
US8959157B2 (en) 2009-06-26 2015-02-17 Microsoft Corporation Real-time spam look-up system
US8826366B2 (en) * 2010-07-15 2014-09-02 Tt Government Solutions, Inc. Verifying access-control policies with arithmetic quantifier-free form constraints
US8805881B2 (en) * 2010-05-06 2014-08-12 International Business Machines Corporation Reputation based access control
US8601549B2 (en) * 2010-06-29 2013-12-03 Mckesson Financial Holdings Controlling access to a resource using an attribute based access control list

Also Published As

Publication number Publication date
US20130055344A1 (en) 2013-02-28
EP2548141A1 (en) 2013-01-23
EP2921986A1 (en) 2015-09-23
EP2548141B1 (en) 2015-06-03
WO2012091653A1 (en) 2012-07-05
EP2921986B1 (en) 2019-09-25
EP2548141A4 (en) 2013-05-29
US9223992B2 (en) 2015-12-29

Legal Events

Date Code Title Description
NAV Patent application has lapsed