Constraining Pictures with Pictures

This paper presents a visual language called Miro for specifying and restricting operating system security configurations. A Miro picture specifies exactly what rights users have on files. A Miro constraint, also stated visually, restricts the set of Miro pictures that are considered legal. Such constraints on pictures give an exact specification of security policies and a practical method for alerting users to potential security holes. The language is easy to use and succinct.

This research was sponsored by IBM and the Maryland Procurement Office under Contract No. MDA904-88-C-6005. Additional support for J. Wing was provided in part by the National Science Foundation under grant CCR-8620027 and for J. D. Tygar under a Presidential Young Investigator Award, Contract No. CCR-8858087. M. Maimone (under contract N00014-88-K-0641) and A. Moormann are also supported by fellowships from the Office of Naval Research. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.