Establishment of attribute bitmaps for efficient XACML policy evaluation

One of the primary challenges to apply the access control policy language XACML is the performance problem of the policy decision point (PDP), particularly when the PDP experience a great number of policies. The research on improving the PDP evaluation performance is of great significance. By combining with automaton theory an efficient policy decision engine is constructed in this paper, and attribute bitmaps are established statically for each subject, resource and action attribute of policies loaded by the policy decision engine. In evaluating access requests, the policy decision engine dynamically analyzes the requests and extracts the required attribute bitmaps to enforce the AND operation. According to the result of the AND operation, the policy decision engine matches the policies rapidly and gives out an authorization decision. The time that the policy decision engine takes to complete the evaluation of one access request is within 0.5 microsecond. This method not only greatly saves the storage space of policies, but also significantly reduces the time that the PDP takes to match the policies and evaluate access requests. Comparisons of the evaluation time taken by the policy decision engine with that taken by the Sun PDP, as well as XEngine and SBA-XACML, are made under different numbers of access requests. Experimental results show that the evaluation performance of the policy decision engine has a great improvement over that of the Sun PDP, XEngine and SBA-XACML.