Policy enforcement is an integral part of many applications. Policies are often used to control access to sensitive information. Current policy specification languages give users fine-grained control over when and how information can be accessed, and are flexible enough to be used in a variety of applications. Evaluation of these policies, however, is not optimized for performance. Emerging applications, such as real-time enforcement of privacy policies in a sensor network or location-aware computing environment, require high throughput. Our experiments indicate that current policy enforcement solutions are unable to deliver the level of performance needed for such systems, and limit their overall scalability. To deal with the need for high-throughput evaluation, we propose CPOL, a flexible C++ framework for policy evaluation. CPOL is designed to evaluate policies as efficiently as possible, and still maintain a level of expressiveness comparable to current policy languages. CPOL achieves its performance goals by efficiently evaluating policies and caching query results (while still preserving correctness). To evaluate CPOL, we ran a simulated workload of users making privacy queries in a location-sensing infrastructure. CPOL was able to handle policy evaluation requests two to six orders of magnitude faster than a MySql implementation and an existing policy evaluation system. We present the design and implementation of CPOL, a high-performance policy evaluation engine, along with our testing methodology and experimental results.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis. The KeyNote Trust Management System Version 2. Internet RFC 2704, September 1999.
	2	Matt Blaze , Joan Feigenbaum , Martin Strauss, Compliance Checking in the PolicyMaker Trust Management System, Proceedings of the Second International Conference on Financial Cryptography, p.254-274, February 23-25, 1998
	3	Thomas Brinkhoff, A Framework for Generating Network-Based Moving Objects, Geoinformatica, v.6 n.2, p.153-180, June 2002  [doi>10.1023/A:1015231126594 ]
	4	Nicodemos Damianou , Naranker Dulay , Emil Lupu , Morris Sloman, The Ponder Policy Specification Language, Proceedings of the International Workshop on Policies for Distributed Systems and Networks, p.18-38, January 29-31, 2001
	5	D. Ferraiolo and R. Kuhn. Role-based access control. In Proceedings of 15th NIST-NCSC National Computer Security Conference. Baltimore, MD. pp. 554--563, October 1992.
	6	B. Gedik and L. Liu. Mobieyes: Distributed processing of continuously moving queries on moving objects in a mobile system. In Proceedings of the 9th Conference on Extended Database Technology (EDBT 2004), Heraklion-Crete, Greece, March 2004.
	7	Jason I. Hong , James A. Landay, An architecture for privacy-sensitive ubiquitous computing, Proceedings of the 2nd international conference on Mobile systems, applications, and services, June 06-09, 2004, Boston, MA, USA  [doi>10.1145/990064.990087]
	8	S. Lederer, C. Beckmann, A. Dey, and J. Mankoff. Managing Personal Information Disclosure in Ubiquitous Computing Environments. University of California, Berkeley, Computer Science Division, Technical Report UCB-CSD-03-1257, July 2003.
	9	Mohamed F. Mokbel , Xiaopeing Xiong , Walid G. Aref, SINA: scalable incremental processing of continuous queries in spatio-temporal databases, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France  [doi>10.1145/1007568.1007638]
	10	MySQL, Inc. The mysql database manager. http://www.mysql.org, 2004.
	11	L. Opyrchal, A. Prakash, A. Agrawal, "Designing a Publish-Subscribe Substrate for Privacy/Security in Pervasive Environments." In First Workshop on Pervasive Security, Privacy and Trust (PSPT), Boston, MA, August 2004.
	12	Jean-Marc Saglio , José Moreira, Oporto: A Realistic Scenario Generator for Moving Objects, Geoinformatica, v.5 n.1, p.71-93, March 2001  [doi>10.1023/A:1011412005623 ]
	13	Mike Spreitzer , Marvin Theimer, Providing location information in a ubiquitous computing environment (panel session), Proceedings of the fourteenth ACM symposium on Operating systems principles, p.270-283, December 05-08, 1993, Asheville, North Carolina, United States
	14	Yufei Tao , Dimitris Papadias, Spatial queries in dynamic environments, ACM Transactions on Database Systems (TODS), v.28 n.2, p.101-139, June 2003  [doi>10.1145/777943.777944]
	15	Yannis Theodoridis , Jefferson R. O. Silva , Mario A. Nascimento, On the Generation of Spatiotemporal Datasets, Proceedings of the 6th International Symposium on Advances in Spatial Databases, p.147-164, July 20-23, 1999