Abstract
If there are lots of redundancies in the policies loaded on the policy decision point (PDP) in the authorization access control model, the system will occupy more resources in operation and consumes plenty of evaluation time and storage space. In order to detect and eliminate policy redundancies and then improve evaluation performance of the PDP, a redundancy related to combining algorithms detecting and eliminating engine is proposed in this paper. This engine cannot only detect and eliminate the redundancy related to combining algorithms, but also evaluate access requests. A Resource Brick Wall is constructed by the engine according to the resource attribute of a policy’s target attributes. By the Resource Brick Wall and the policy/rule combining algorithms, three theorems for detecting redundancies related to combining algorithms are proposed. A comparison of the evaluation performance of the redundancy related to combining algorithms detecting and eliminating engine with that of Sun PDP is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating the redundancy related to combining algorithms.
1. Introduction
Currently, access control is an important protection mechanism in the network and information security [1]. And using the security policy to describe security requirements in information systems has been the main method for authorization access control [2]. A policy can be defined as a group of descriptive principles implemented on the basis of practical requirements. These principles are the constraints for authorizing the system to make a decision. The XACML (eXtensible Access Control Markup Language) [3] is widely used in a distributed application system [4] in the SOA (ServiceOriented Architecture) [5] environment so that the security policy can be better expressed. The XACML is an openstandard language based on the XML and is used to standardize access control implemented in the XML (eXtensible Markup Language). It provides a uniform policy description language and improves the efficiency of collaboration among different organizations in the SOA environment. The XACML’s characteristics are as follows:(i)Great adaptability: the XACML can be normally applied in multiple application environment.(ii)Preferable compatibility: the XACML supports multiple data types and policy/rule combining algorithms.(iii)Outstanding expression ability: the XACML can accurately express access control requirements with different complexities and fine grains.
The XACML is a policy describing language with strong adaptability, universality, and extensibility and it supports distributed applications [6]. However, it does not have a standard agreement on factors such as granularity size, resource level, and condition interval [7]. Some rules in a policy may lose their effect because of policy/rule combining algorithms [8]. And a policy set may be formulated and edited by multiple administrators, each of whom has a different understanding of the policy and a different opinion on policy setting, which could lead to redundancies in a policy set’s rules [9]. Thus, detecting and eliminating the redundancy related to combining algorithms is the core and key point of our research.
On the other hand, the XACML assumes that all the rules can be trusted, so a request might be responded to repeatedly [10]. In the authorization access control model, if the policy loaded on the PDP contains lots of redundancies related to policy/rule combining algorithms, it not only consumes and wastes lots of system resources, but also greatly increases the time the PDP spends in evaluating access requests. And then the evaluation performance of the PDP is affected. In policy management [11] based on the XACML, as many redundancies related to policy/rule combining algorithms must be eliminated as possible to accelerate the speed of policy matching so that the PDP in the authorization center can effectively make authorization decisions and feed authorization results back [12].
To sum up, the important and critical problem to be solved is how to find an effective way to detect and eliminate the redundancy related to combining algorithms accurately and then improve the evaluation performance of the PDP.
This paper makes the following contributions.(1)A redundancy related to combining algorithms detecting and eliminating engine is presented, which not only can detect and eliminate the redundancy related to combining algorithms in a policy and between policies, but also has the same ability as the PDP. This engine can evaluate the access control by loading policies whose redundancies related to combining algorithms have been eliminated.(2)A Resource Brick Wall is constructed by the redundancy related to combining algorithms detecting and eliminating engine according to the resource attribute in a policy’s target attributes. The Resource Brick Wall can effectively express the dependent relationship between resource attributes and detecting and eliminating the redundancy related to combining algorithms by the additional subject attribute, condition attribute, and effect information.(3)By the Resource Brick Wall and policy/rule combining algorithms, the corresponding detecting and eliminating algorithm is proposed aiming at different types of redundancies related to combining algorithms. This algorithm only compares a rule with those which are likely to generate redundancies and this could avoid a large number of unnecessary comparisons with irrelative rules. And it optimizes the traditional traversal redundancy detection and greatly improves the efficiency of detecting and eliminating redundancies.
The remainder of this paper is organized as follows. Section 2 reviews the related work on policy analysis, management, and high performance evaluation. Section 3 introduces definitions used in the research on the redundancy related to combining algorithms detection and elimination. In Section 4, a redundancy related to combining algorithms detecting and eliminating engine is introduced which can detect and eliminate the redundancy related to combining algorithms in a policy and between policies and evaluate access requests. In Section 5, a Resource Brick Wall is proposed when we discuss the redundancy related to combining algorithms detecting and eliminating algorithm. Section 6 focuses on the theorems for detecting redundancies related to combining algorithms. A relevant detection and elimination algorithm for the redundancy related to combining algorithms is given in Section 7. Section 8 makes a comparison in evaluation performance between the redundancy related to combining algorithms detecting and eliminating engine and Sun PDP. Finally, Section 9 presents some conclusions and directions for our future work.
2. Related Work
There are numerous prior works on access control policies that mainly focus on policy evaluation, analysis, and testing to detect and eliminate redundancy. Masi et al. [13] formalized the XACML 2.0 semantics and proposed an alternative syntax supporting policy composition. They implemented a tool to compile policies into Java classes following the proposed semantic rules, where these classes are executed to compute policy decisions. Liu et al. [14] proposed XEngine, which can convert a textual XACML policy to a numerical policy and can convert a numerical policy with complex structures to a numerical policy with a normalized structure. Also, XEngine can convert the normalized numerical policy to tree data structures for efficient processing of requests. Marouf et al. [15] applied a clustering technique to policy sets based on the means algorithm. The proposed clustering technique categorizes policies and rules within a policy set and policy, respectively, in respect to target subjects. When a request is received, it is redirected to applicable policies and rules that correspond to its subjects, hence, avoiding unnecessary evaluations from occurring. Mourad and Jebbaoui [16] proposed (1) a mathematical intermediate representation of policies based on set theory that maintains the same XACML structure and accounts for all its elements and their subelements including rule conditions, obligations, policy request, and policy response and (2) a formal semantics that takes advantage of the mathematical operations to provide efficient evaluation of policy elements and constructs through deductive logic and inference rules. Jebbaoui et al. [17] resolve the complexity of policies by elaborating an intermediate setbased representation to which the elements of XACML are automatically converted. Moreover, it allows detecting flaws, conflicts, and redundancies between rules by offering new mechanisms to analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic.
Recently, people focus more and more on studying the methods for detecting and eliminating policy redundancies. And researches on the policy redundancies can be categorized into two groups.(1)The first group detect and eliminate redundancies by optimizing the XACML or improving the policy itself. Chen and Xu [18] analyzed the reason why policy redundancies exist first. Then they proposed formal methods based on the descriptive logic so that the machine can understand a policy’s semantics and context. On the basis of this, policy expansion and reasoning were carried on, which made the XACML gain better reasoning ability and semantics expressing ability. The method based on the descriptive logic can detect policy redundancies and eliminate these redundancies according to policy/rule combining algorithms. But every attribute in a policy’s target elements may cause redundancies and this problem was not fully considered in this paper. Lei et al. [19] indicated that although the XACML provides a convenient way to describe the security policy, this method still has its weakness. This paper analyzed the fact that using the XACML to express the inheritance relationship of rules will lead to policy redundancies and introduced atomic privilege to eliminate policy redundancies. Martin [20] indicated that if a rule is unreachable because of a group of constraints that this rule cannot meet, then it becomes a redundancy rule. A policy redundancy detection method based on ChangImpact analysis was presented in this paper; however, no corresponding detection model was proposed and the support and application of this detection technique were absent. Besides the above researches, policy redundancies can be detected by classifying the subject based on the security level and role [21, 22], and then all policy redundancies can be eliminated by revising policies.(2)The second group put forward policy redundancy detecting methods by establishing research models and relevant mechanisms. Aiming at this problem, Hu et al. [23] indicated that the Internet provides users with more convenient services, and at the same time the information system suffers from security attacks caused by unauthorized operations in business service. Besides, the design and management of the Web access control policy are always prone to errors for lack of efficient analysis mechanisms and tools. A policy analyzing method based on the Web access control was proposed in this paper. Also, a splitting technique based on the XACML policy was introduced to identify policy redundancies accurately and then policy redundancies could be eliminated. Dinu et al. [24] indicated that the XACML itself does not support policy redundancy analysis, though it has the great expression ability. The thought of state coverage was utilized to analyze the cause of policy redundancy, and a judging theorem that can be applied for redundancies within a policy or between policies under multiple policy/rule combining algorithms was put forward. The target element of a policy was considered when detecting redundancies in this paper while the condition factor’s effect on policy redundancies was ignored, which lead to the imperfection of redundancy detection. Zhang et al. [25] focused on security policy integration and redundancy elimination among different medical institutions. They emphasized that eliminating policy redundancies before healthcare institutions collaborate with each other is vitally important and pointed out that the present research does not consider how to eliminate redundancies in the dynamically loaded policy set according to the type of redundancy in the healthcare collaborative procedure. On the premise of taking both the constraint condition and metadata information, they also proposed a method based on the rolebased access control policy model to eliminate redundancies in the XACML policy. Finally, they proposed a method of filtering and collecting the policies the user needs among different organizations and institutions. Guarnieri et al. [26] proposed three methods of eliminating redundancies in the access control policy and these methods reduced the authorization operation frequency in a policy step by step. They also indicated that problems relevant to redundancy belong to an NPhard problem. Aiming at the Minimum Policy Problem and Minimum Irreducible Policy Problem in these problems, they proposed solutions for eliminating redundancies in the security policy.
Mainly on the basis of optimizing the XACML or improving the policy itself, the above researches pointed out the great flexibility of the XACML policy structure and the difficulty in detecting policy redundancies. Detection was only applied to part of a policy while how to detect and eliminate the redundancy related to policy/rule combining algorithms was not considered. And their research did not go in depth and rarely considered the complex situation. Then, although the above researches can detect redundancies in a policy and between policies, they traverse rules in a policy many times in the process of detecting policy redundancies, which unavoidably increases the detection time. The Resource Brick Wall proposed in our paper carries out the reasonable partition and hierarchical process on resources. These processes can effectively avoid unnecessary comparisons among resources in different levels. Thus, they can optimize comparisons among rules and reduce the frequency of traversing each rule in a policy set when detecting redundancies and then improve the efficiency of detecting policy redundancies and lay a foundation for an efficient evaluation of the PDP.
3. Related Definitions
Since redundancy exists in rules within a policy or between different policies, the formal description of the relative definition of rules will be given first and the rules needed in detecting redundancies are also presented.
Definition 1 (rule). , , , , , and represent the elements of attributes like subject, resource, action, environment, condition, and effect, respectively, and these six attributes belong to the rule . , , , , and represent the union of elements of each attribute, respectively. And and are the number of each attribute’s elements. The definition of can be represented by Formula (1) as follows:
There are three aspects needed to be made clear.(1)Each resource discussed in this paper has a unique resource path. Resources on different resource paths are identified as different resources. In other words, we think that two identical resources can only appear on an identical resource path and cannot appear on different resource paths.(2)We just focus on the clock time when studying the condition attribute.(3)The environment attribute will be ignored in the following analysis and discussion, because it does not cause the redundancy related to combining algorithms, which is studied in this paper.
Definition 2 (state satisfaction). If a subject attribute in can access the resource attribute with action in the condition of and its effect is (Deny or Permit), then one has the definition that satisfies , as shown in Formula (2) as follows:
Definition 3 (atomic attribute). If an attribute in a rule has no more than one element which may be absent, then one calls this attribute the atomic attribute.
Definition 4 (composite attribute). If an attribute in a rule has more than one element, then one calls it the composite attribute.
Since rules containing the atomic attribute are easier to store and process than those containing the composite attribute, so we need to apply attribute atomization to rules containing composite rules.
Rule 1 (rule attribute atomization). If there are composite attributes in a rule, one can divide a composite attribute into several atomic attributes and then composite it with other attributes’ elements. Finally, one can get several rules which only contain atomic attribute.
By Rule 1, we can carry out attribute atomization on all rules in a policy and transfer them into rules containing only the atomic attribute. Thus, we lay the foundation for building and theoretical analysis of the redundancy related to combining algorithms detecting and eliminating engine.
Definition 5 (dependent relationship of resources). For resource attributes and , if is in the upper level compared to , then one says that resource attributes and satisfy the dependent relationship of resources. ’s dependency on is denoted as .
Definition 6 (overlapping relationship of conditions). For condition attributes and , if , one says that condition attributes and satisfy the overlapping relationship of conditions. The intersection between and is denoted as .
Definition 7 (redundancy). For a rule in a policy, if its function cannot work, namely, this rule will not affect the result of evaluating access requests, then one calls this rule a redundancy rule:
Definition 8 (common resource redundancy). For two rules and as shown in Formula (3), they belong to the same policy or two different policies. If and have the same subject attribute, resource attribute, action attribute, and environment attribute (the environment attribute will be ignored), and without loss of generality, their condition attributes have an overlapping relationship () and their effects are the same (i.e., to say these two rules’ should be Deny or Permit at the same time); then the common resource redundancy happens between and . These conditions could be expressed by Formula (4) as follows:
Definition 9 (dependent resource redundancy). For two rules and as shown in Formula (3), they belong to the same policy or two different policies. If and have the same subject attribute, action attribute, and environment attribute (the environment attribute will be ignored), and without loss of generality, there exists the dependent relationship of resources between and (), their condition attributes have an overlapping relationship (), and their effects are both Deny; then the dependent resource redundancy happens between and . These conditions could be expressed by Formula (5) as follows:
Definition 10 (redundancy related to combining algorithms). For a redundancy identified as the redundancy related to combining algorithms, the prerequisite is that the detection is on the basis of the policy/rule combining algorithms.
This paper aims at statically detecting and eliminating the redundancy related to combining algorithms in the policies loaded on the PDP, so that the evaluation performance of the PDP can be improved. The research in this paper focuses on the redundancy related to combining algorithms and its detecting and eliminating algorithm is proposed to solve this kind of problem.
4. Redundancy Related to Combining Algorithms Detecting and Eliminating Engine XDPRE
Our proposed redundancy related to combining algorithms detecting and eliminating engine termed the XDPRE (XiDian Policy Redundancy Engine) is shown in Figure 1. The XDPRE is able to detect and eliminate the redundancy related to combining algorithms within a policy or between policies. The XDPRE receives all the policies in the policy set PolicySet as the input and its responsibilities are shown in the following three aspects.(1)Detect and eliminate the redundancy related to combining algorithms within a policy.(2)Detect and eliminate the redundancy related to combining algorithms between policies.(3)The XDPRE itself has the function of the PDP. By loading policies whose redundancies related to combining algorithms have been eliminated, the XDPRE can evaluate access requests and return the authorization result to context processors and the PDP.
The output of the XDPRE is a new policy set termed . And there is no redundancy related to combining algorithms in the policy of the policy set .
We adopt the XDPRE to detect and eliminate the redundancy related to combining algorithms within a policy and between policies successively.
5. Resource Brick Wall
In order to detect and eliminate the redundancy related to combining algorithms contained in the policies loaded on the PDP, so as to achieve the purpose of efficient evaluation of the PDP, in this section, we construct the Resource Brick Wall (RBW) in the XDPRE, an engine for detecting and eliminating the redundancy related to combining algorithms, based on the resources existing in the target attribute of policies, as shown in Figure 2.
(a) Relation between Resource Brick Wall and threedimensional coordinate axes
(b) Resource Brick Wall and its SCEL
Definition 11 (Resource Brick Wall). For each resource in the rules, one builds a resource brick, and then according to the dependent relationship between resources, one can build a Resource Brick Wall of all the bricks representing resources from top to bottom, as shown in Figure 2(a). The axis Con represents the condition attribute in the rules corresponding to each resource and the height of a resource brick is equal to the size of time distinct of its condition attribute. The axis Lev represents the level corresponding to each resource. The axis Res represents resources; the length of a resource brick in the th layer equals the sum of all the resources which have the dependency with it in the ()th layer. Each resource brick has correlation with a SubjectConditionEffect List (SCEL). The SCEL stores all the subject attributes’ information corresponding to the resources the resource brick represents, as well as the condition attribute information and effect information of these subjects, as shown in Figure 2(b). As for the resource brick , its SCEL is denoted as the in which any subject attribute is denoted as . In Figure 2(a), is the first layer resource, and , (), and () are all the lower resources of , that is, the second layer resource. and are the same resource attribute of two different rules, whose condition attributes have an overlapping relationship. and are also the same resource attribute of two different rules whose condition attributes do not have an overlapping relationship.
It is worth noting that if two resource bricks are the same, we should view them as one and merge their corresponding SCELs to ensure that each of the resource bricks in the RBW is the only one. The RBW can efficiently represent the dependent relationship of resources.
There is a hierarchical relationship between resource attributes. For example, the hierarchical relationship of the system resource directory is represented by the dependent relationship between resource attributes. According to the definition specification of the target attribute in the XACML (Version 3.0) OASIS [27], together with the definition of state satisfaction, we give the transmission rules of access authority, as shown in Rule 2.
Rule 2 (transmission rules of access authority). As for the two resource attributes and in the two rules and , when and satisfy , consider the following:
① If a subject of the subject set of the resource attribute denies accessing resource attribute , then it also denies accessing its dependent resource , as shown in Formula (6) as follows:② If a subject of the subject set of the resource attribute permits accessing resource attribute , then we cannot deduce what operation of access authority it has to the dependent resource attribute ( is Deny or Permit), as shown in Formula (7) as follows:
The transmission rules of access authority can be summarized as the form of Figure 3. In Figure 3, between and exists the dependent relationship . If a subject denies accessing the upper layer resource attribute, we can deduce that it also denies accessing the lower layer resource attribute . The solid line marked Y in the figure indicates that Deny access authority can be transmitted from the upper resource attribute to the lower resource attribute. If a subject permits accessing the upper resource attribute, we cannot deduce what operation of access authority it has to the lower resource attribute , and the dotted line marked N in the figure indicates that Permit access authority cannot be transmitted from the upper resource attribute to the lower resource attribute. For example, if the subject denies the writing operation to the resource E:∖File, then we can deduce that it denies the writing operation to the resource E:∖File∖ProductFile. However, if the subject permits the writing operation to the E:∖File, then we cannot deduce what operation of access authority it has to the resource E:∖File∖ProductFile.
6. Detection and Elimination of Redundancy Related to Combining Algorithms
The eventual evaluation result of a rule in a policy depends on the evaluation of the condition attribute. If the return value of the condition is Indeterminate, the rule will return Indeterminate. If the return value of the condition is False, the rule will return NotApplicable. If the return value of the condition is True, the rule will return Effect, which can be Permit or Deny.
For a redundancy identified as the redundancy related to combining algorithms, the prerequisite is that the detection is on the basis of the policy/rule combining algorithms. The definition and application of the policy/rule combining algorithms are related to the return value of evaluation result, which is Indeterminate, NotApplicable, Permit, or Deny. Because the return value Indeterminate occurs when faults appear in evaluation and NotApplicable occurs when the matched rule is not found, the two return values are meaningless for discussing and analyzing whether there exists redundancy in rules. Therefore, in this section we only discuss and analyze redundancy when the return value is Permit or Deny and ignore Indeterminate or NotApplicable.
This section proposes three theorems for detecting redundancies related to combining algorithms according to the “DenyOverrides”, “PermitOverrides”, and “FirstApplicable” policy/rule combining algorithms supported by the XACML standards and gives the methods for eliminating redundancies related to combining algorithms.
6.1. Redundancy Related to the DenyOverrides Combining Algorithm
The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain “DenyOverrides”; that is, if the effect of either of the policies (or rules) is Deny, the final authorized result is Deny. Next, we give the theorem for detecting the redundancy related to “DenyOverrides” combing algorithm with the “DenyOverrides” policy/rule combining algorithm:
Theorem 12. In the condition of the “DenyOverrides” policy/rule combining algorithm, for any two rules and in a policy or between policies, as represented by Formula (8), if and have the same subject attribute “” and action attribute “”, and there is an overlapping relationship between the condition attributes of and (), and if, without losing the generality, between the resource attributes of and exists the equation relationship () or dependent relationship () and the effect of is “Deny”, that is, Formula (9) is satisfied, then is the redundancy rule:
Proof. State satisfaction of rules and is as shown in Formula (10) as follows:According to the relationship of resource attributes of rules and and the different effect values of , we give the proof in the following four situations:
① When and , then . We have the formal derivation process as shown in Formula (11) as follows:According to the known condition and Definition 8, we deduct that rules and have the common resource redundancy in the overlapping condition . What is more, since we use the “DenyOverrides” policy/rule combining algorithm, is the redundancy rule.
② When and , then . Because conditions and have an overlapping relationship (), according to the definition of “DenyOverrides” policy/rule combining algorithm, under the condition that there appear no faults, we finally should use the effect of as the authorization result. However, the rule does not have any effect on the process of evaluation, so the function of the rule cannot be realized. Therefore, according to Definition 7, we conclude that is the redundancy rule.
③ When and , then . We have the formal derivation process as shown in Formula (12) as follows:According to the assumptions and Definition 9, we deduct that rules and have the dependent resource redundancy in the overlapping condition . What is more, since we use the “DenyOverrides” policy/rule combining algorithm, is the redundancy rule.
④ When and , then . According to Rule 2 (the transmission rules of access authority), we can get Formula (13) as follows:From Formula (13), we can conclude that satisfies the fact that the subject of denies accessing to the resource in the condition , and from assumptions and Formula (10) we can conclude that satisfies the fact that the same subject of permits accessing to which is the same as in the condition . Because conditions and have an overlapping relationship (), according to the conclusion of proof ②, we can conclude that is the redundancy rule.
According to Theorem 12, we can obtain the form derivation of detecting the redundancy related to the “DenyOverrides” combining algorithm, as shown in Formula (14), where(i) indicates that satisfying the rule and satisfying the rule have the redundancy related to the “DenyOverrides” combining algorithm in the overlapping condition ;(ii) indicates that the rule corresponding to the and the rule corresponding to the have the redundancy related to the “DenyOverrides” combining algorithm in the overlapping condition :
When detecting the redundancy related to the “DenyOverrides” combining algorithm between the two rules and (as shown in Formula (8)) in a policy or between policies, the method for eliminating the redundancy is to reserve the rule firstly. If , we will delete the rule directly. If , we will update the condition attribute of the rule to , that is, update the rule to a new rule as shown in Formula (15) as follows:
6.2. Redundancy Related to the PermitOverrides Combining Algorithm
The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain “PermitOverrides”; that is, if the return effect of either of the policies (or rules) is Permit, the final authorized result is Permit. Next, we give the theorem for detecting the redundancy related to “PermitOverrides” combing algorithm with the “PermitOverrides” policy/rule combining algorithm:
Theorem 13. In the condition of the “PermitOverrides” policy/rule combining algorithm, for any two rules and in a policy or between policies, as shown in Formula (16), if and have the same subject attribute “”, resource attribute “”, and action attributes “”, and there is an overlapping relationship between the condition attributes of and (), without losing the generality, one supposes that the effect of is Permit; that is, Formula (17) is satisfied, and then is the redundancy rule:
Proof. State satisfaction of rules and is as shown in Formula (18) as follows:In Formula (18), . According to the different effect values of , we give the proof in the following two situations:
① When , then . Because conditions and have an overlapping relationship (), according to the definition of “PermitOverrides” policy/rule combining algorithm, under the condition that there appear no faults, we should finally use the effect of as the authorization result. However, the rule does not have any effect on the process of evaluation, so the function of the rule cannot be realized. Therefore, according to Definition 7, we conclude that is the redundancy rule in the “PermitOverrides” policy/rule combining algorithm.
② When , then . We have the form deduction process as shown in Formula (19) as follows:According to the known condition and Definition 8, we deduct that rules and have the common resource redundancy in the overlapping condition . What is more, since we use the “PermitOverrides” policy/rule combining algorithm, is the redundancy rule.
According to Theorem 13, we can conclude that the form derivation of detecting the redundancy related to the “PermitOverrides” combining algorithm is as shown in Formula (20), where(i) indicates that satisfying the rule and satisfying the rule have the redundancy related to the “PermitOverrides” combining algorithm in the overlapping condition ;(ii) indicates that the rule corresponding to the and the rule corresponding to the have the redundancy related to the “PermitOverrides” combining algorithm in the overlapping condition :
When detecting the redundancy related to the “PermitOverrides” combining algorithm between the two rules and (as shown in Formula (16)) in a policy or between policies, the method for eliminating the redundancy is to reserve the rule firstly. If , we will delete the rule directly. If , we will update the condition attribute of the rule to , that is, update the rule to a new rule as shown in Formula (21) as follows:
6.3. Redundancy Related to the FirstApplicable Combining Algorithm
The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain “FirstApplicable”; that is, the final authorized result of policy (or rule) is the judgment result of the first matched policy (or rule). Next, we give the theorem for detecting the redundancy related to “FirstApplicable” combing algorithm with the “FirstApplicable” policy/rule combining algorithm:
Theorem 14. In the condition of the “FirstApplicable” policy/rule combining algorithm, for any two rules and in a policy or between policies, as shown in Formula (22), if and have the same subject attribute “”, resource attribute “”, and action attribute “”, and there is an overlapping relationship between the condition attributes of and (), that is, Formula (23) is satisfied, without losing the generality, one supposes that is the first applicable rule, and then is the redundancy rule:
Proof. State satisfaction of rules and is as shown in Formula (24) as follows:In Formula (24), . According to the different effect values of , we give the proof in the following three situations:
① When and , then . We have the formal deduction process as shown in Formula (25) as follows: According to the known condition and Definition 8, we deduct that rules and have the common resource redundancy in the overlapping condition . What is more, since we use the “FirstApplicable” policy/rule combining algorithm and is the first applicable rule, is the redundancy rule.
② When and , then . We have the formal derivation process as shown in Formula (26) as follows:According to the known condition and Definition 8, we deduct that rules and have the common resource redundancy in the overlapping condition . What is more, since we use the “FirstApplicable” policy/rule combining algorithm and is the first applicable rule, is the redundancy rule.
③ (i.e., and , or and ) and is the first applicable rule. Because conditions and have an overlapping relationship (), according to the definition of “FirstApplicable” policy/rule combining algorithm, under the condition that there appear no faults, we finally should use the effect of as the authorization result. However, the rule does not have any effect on the process of evaluation; the function of the rule cannot be realized. Therefore, according to Definition 7, we conclude that is the redundancy rule in the “FirstApplicable” policy/rule combining algorithm.
According to Theorem 14, we can conclude the form derivation of detecting the redundancy related to the “FirstApplicable” combining algorithm, as shown in Formula (27), where(i) is the first applicable rule;(ii) indicates that satisfying the rule and satisfying the rule have the redundancy related to the “FirstApplicable” combining algorithm in the overlapping condition ;(iii) indicates that the rule corresponding to the and the rule corresponding to the have the redundancy related to the “FirstApplicable” combining algorithm in the overlapping condition :
When detecting the redundancy related to the “FirstApplicable” combining algorithm by Theorem 14 between the two rules and (as Formula (22) shows) in a policy or between policies, without losing the generality, we suppose that is the first applicable rule; the method for eliminating the redundancy is to reserve the rule firstly. If , we will delete the rule directly. If , we will update the condition attribute of the rule to , that is, update the rule to a new rule as shown in Formula (28) as follows:
7. Detection and Elimination Algorithms for Redundancy Related to Combining Algorithms
By the relevant definitions introduced in the paper and RBW, as well as detection and elimination methods for the redundancy related to combining algorithms, in this section we present the detection and elimination algorithms for the redundancy related to combining algorithms, as shown in Algorithm 1.

In Algorithm 1, rows (1)~(3) complete the detection and elimination of the redundancy related to combining algorithms in a policy, and row (4) completes the detection and elimination of the redundancy related to combining algorithms between policies. Algorithm 1 calls four subalgorithms in turn to finish the work. Here, row (1) is the initialization algorithm for the RBW, responsible for initializing the RBW. Row (2) is the algorithm for adding rules to the RBW, responsible for adding every rule to the RBW. Row (3) is the detection and elimination backtracking algorithm, used for detecting and eliminating redundancy related to combining algorithms by backtracking methods in the constructed RBW.
Next, we will introduce algorithms used in each step of Algorithm 1. We will give the time complexity of Algorithm 1 after discussing the four subalgorithms.
7.1. Initialization Algorithm for the Resource Brick Wall
Before detecting and eliminating redundancy related to combining algorithms, we first need to iterate through each rule of each policy of all the policy sets and then get the resource directory structure of each rule. Finally, we initialize the RBW by the resource directory structure. The initialization algorithm for the Resource Brick Wall is as shown in Algorithm 2.

The functions contained in Algorithm 2 are as follows:
① GetResPath( ): the parameter of the function is the rule , whose function is to parse the resource attribute information in the rule , eventually return the resource path related to the rule , and give the return value to ResPath variables.
② AddResPathToResDirectory( ): the parameter of the function is the resource path ResPath and resource directory ResDirectory, whose function is to store the resource path ResPath in the proper place of the resource directory ResDirectory.
③ CovertResDirectoryToResBrickWall( ): the parameter of the function is the resource directory ResDirectory, whose function is to construct the corresponding RBW through the analysis of the resource directory ResDirectory and return the constructed RBW to the ResBrickWall variable.
Supposing that the policy set has policies with each policy having rules, then the time complexity of Algorithm 2 is .
7.2. Detection Algorithm for Redundancy Related to Combining Algorithms
The detection algorithm for the redundancy related to combining algorithms is as shown in Algorithm 3. Algorithm 3 contains three situations as follows:(1)In the condition of the “DenyOverrides” policy/rule combining algorithm, for any two rules and in a policy or between policies, if and have the same subject attribute and action attribute, there is an overlapping relationship between the condition attributes of and , and have the same resource attribute, the effect of either of the two rules is Deny, or the resource attributes of and have a dependent relationship and the effect of is Deny, then and have the redundancy related to the “DenyOverrides” combining algorithm.(2)In the condition of the “PermitOverrides” policy/rule combining algorithm, for any two rules and in a policy or between policies, if and have the same subject attribute and action attribute, there is an overlapping relationship between the condition attributes of and , and have the same resource attribute, and the effect of either of the two rules is Permit, then and have the redundancy related to the “PermitOverrides” combining algorithm.(3)In the condition of the “FirstApplicable” policy/rule combining algorithm, for any two rules and in a policy or between policies, if and have the same subject attribute and action attribute, there is an overlapping relationship between the condition attributes of and , and have the same resource attribute, and the sequence of application is certain, then and have the redundancy related to the “FirstApplicable” combining algorithm.

7.3. Elimination Algorithm for Redundancy Related to Combining Algorithms
The elimination algorithm for the redundancy related to combining algorithms is as shown in Algorithm 4. Algorithm 4 adds the corresponding attribute information about rules and to the , and reserve the rule . If , we will delete the rule directly. If , then we update the condition attribute of to , so as to achieve the purpose of eliminating redundancies. This algorithm will update the , which will make administrators instantly track and search for the attribute information about the corresponding rules in the process of detecting and eliminating redundancies conveniently. The time complexity of Algorithm 4 is .

7.4. Algorithm for Adding Rules to the Resource Brick Wall
The algorithm for adding rules to the Resource Brick Wall is as shown in Algorithm 5. In Algorithm 5, rows (2)~(3) add the rules in the policy P one by one to the RBW. By calling the detection algorithm for the redundancy related to combining algorithms, row (4) accomplishes the detection and elimination of the redundancy related to combining algorithms between the new added rules and rules already in the RBW. The time complexity under the worst condition of Algorithm 5 is .

7.5. Algorithm for Backtracking Detection and Elimination of Redundancies
The algorithm for backtracking detection and elimination of redundancies is as shown in Algorithm 6. In Algorithm 6, rows (1)~(2) accomplish backtracking resource bricks from the lower layer to the upper layer through the postorder traversal. By calling the detection algorithm for the redundancy related to combining algorithms, rows (3)~(6) accomplish the detection and elimination of the redundancy related to combining algorithms between rule of the upper layer resource bricks and rule of the lower layer resource bricks. The time complexity under the worst condition of Algorithm 6 is .

7.6. Detection and Elimination Algorithm for Redundancy Related to Combining Algorithms between Policies
The detection and elimination algorithm for the redundancy related to combining algorithms between policies is as shown in Algorithm 7. Firstly, we add each rule in to the resource brick structure of , that is, combine the two input RBWs to one RBW. Then we detect and eliminate the redundancy related to combining algorithms in the combined RBW. Finally, by the algorithm for backtracking detection and elimination of redundancies, we detect and eliminate the redundancy related to combining algorithms.
