International Journal of Information Security
https://doi.org/10.1007/s10207-018-0421-5
REGULAR CONTRIBUTION
Analyzing XACML policies using answer set programming
Mohsen Rezvani¹ · David Rajaratnam² · Aleksandar Ignjatovic² · Maurice Pagnucco² · Sanjay Jha²
© Springer-Verlag GmbH Germany, part of Springer Nature 2018
Abstract
With the tremendous growth of Web applications and services, eXtensible Access Control Markup Language (XACML) has
been broadly adopted to specify Web access control policies. However, when the policies are large or defined by multiple
authorities, it has proved difficult to analyze errors and vulnerabilities in a manual fashion. Recent advances in the answer set
programming (ASP) paradigm have provided a powerful problem-solving formalism that is capable of dealing with policy
verification. In this paper, we employ ASP to analyze various properties of XACML policies. To this end, we first propose
a structured mechanism to translate a XACML policy into an ASP program. Then, we leverage the features of off-the-shelf
ASP solvers to specify and verify a wide range of properties of a XACML policy, including redundancy, conflicts, refinement,
completeness, reachability, and usefulness. We present an empirical evaluation of the effectiveness and efficiency of a policy
analysis tool implemented on top of the Clingo ASP solver. The evaluation results show that our approach is computationally
more efficient compared with existing approaches.
Keywords XACML · Policy analysis · Anomaly detection · Answer set programming
✉ Mohsen Rezvani, mrezvani@shahroodut.ac.ir
David Rajaratnam, david.rajaratnam@unsw.edu.au
Aleksandar Ignjatovic, a.ignjatovic@unsw.edu.au
Maurice Pagnucco, m.pagnucco@unsw.edu.au
Sanjay Jha, sanjay.jha@unsw.edu.au
¹ Faculty of Computer Engineering, Shahrood University of Technology, Shahrood, Iran
² School of Computer Science and Engineering, University of New South Wales, Sydney, Australia
1 Introduction
Due to the impressive growth of Web applications, access control policy languages, which provide adequate security and privacy support for such applications, have received considerable attention. The eXtensible Access Control Markup Language (XACML) is an XML-based language standardized by the Organization for the Advancement of Structured Information Standards (OASIS) to express security policies, request context, and response context statements (all written in XML) [1]. XACML has become a widely accepted solution for modeling access control policies for various Web applications as it provides a rich data model for the specification of complex conditions. XACML (particularly version 3.0) enables the use of arbitrary attribute types, hierarchical role-based access control (RBAC), and several rule (policy) combination algorithms to resolve conflicts.
Although XACML is an expressive specification language, it lacks an effective and comprehensive policy¹ analysis framework [6]. The problem becomes more prevalent when the policy is specified by different authorities, making it harder for policy administrators to perceive the overall effect and consequences of the policy execution. For example, it is complicated to manually check essential properties, such as query analysis, which determines the accessibility of a resource by a principal [21]. Furthermore, when an administrator updates the policy, understanding the impact of such changes becomes a daunting task. Moreover, policy anomalies, including redundancies and conflicts, remain significant issues that may lead to security leakages through unauthorized access. However, resolving the anomalies through manually changing the XACML policies
¹ In this paper, the term policy refers to a security policy specified by XACML. Also, the terms “policy,” “security policy,” and “XACML policy” are used interchangeably.