Deriving Enforcement Mechanisms from Policies

Policies provide a flexible and scalable approach to the management of distributed systems by separating the specification of security requirements from their enforcement. Over the years the expressiveness of policy languages has increased considerably, making it possible to capture a variety of complex requirements that, for example, depend on the history of the system's execution. The most important criterion for the successful operation of policy-managed systems is whether the deployed enforcement mechanisms can guarantee compliance with the policies. As policy languages become more expressive, this assurance is increasingly difficult to achieve. In this paper we therefore address the development of enforcement mechanisms from a theoretical perspective and show how enforcement code can be formally derived for compositional, history-dependent policies that can change dynamically over time or on the occurrence of events.
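The following is an added illustration, not code from the paper, of the three properties the abstract names: a policy whose verdict depends on the history of accepted events, a policy that tightens when a particular event occurs, and composition of the two into one monitor whose enforcement logic is derived from the composed policy rather than written by hand. The rule names, the (subject, action, object) event shape, the sample trace and the choice to enforce by suppressing denied events are all assumptions made for this example.

```python
from typing import Callable, List, Tuple

# An event is (subject, action, object); a trace is the sequence of events
# submitted to the enforcement mechanism. All sample data here is constructed.
Event = Tuple[str, str, str]
History = List[Event]
Rule = Callable[[History, Event], bool]


class Policy:
    """A history-dependent policy: a rule that judges the next event in
    the light of the events the monitor has already let through."""

    def __init__(self, name: str, rule: Rule) -> None:
        self.name = name
        self.rule = rule

    def permits(self, history: History, event: Event) -> bool:
        return self.rule(history, event)

    def __and__(self, other: "Policy") -> "Policy":
        # Composition by conjunction: an event is allowed only if every
        # component policy allows it. The composed monitor follows directly
        # from the composed policy; no enforcement code is hand-written.
        return Policy(f"({self.name} AND {other.name})",
                      lambda h, e: self.permits(h, e) and other.permits(h, e))


def backup_before_delete(history: History, event: Event) -> bool:
    """History dependence: an object may be deleted only if some earlier
    accepted event backed it up."""
    _, action, obj = event
    if action != "delete":
        return True
    return any(a == "backup" and o == obj for _, a, o in history)


def read_only_after_incident(history: History, event: Event) -> bool:
    """Event-triggered change: once an 'incident' event has been accepted
    the policy tightens, and only reads (and further incident reports)
    are permitted from then on."""
    locked = any(a == "incident" for _, a, _ in history)
    return (not locked) or event[1] in ("read", "incident")


def enforce(policy: Policy, trace: List[Event]) -> List[Tuple[Event, bool]]:
    """Run the derived monitor over a trace. Denied events are suppressed:
    they are not executed and do not enter the history that later
    decisions consult, so the rules above only ever see what really
    happened."""
    history: History = []
    verdicts: List[Tuple[Event, bool]] = []
    for event in trace:
        allowed = policy.permits(history, event)
        verdicts.append((event, allowed))
        if allowed:
            history.append(event)
    return verdicts


# Constructed trace exercising both rules and their composition.
SAMPLE_TRACE: List[Event] = [
    ("alice", "read", "report.txt"),
    ("alice", "delete", "report.txt"),   # denied: never backed up
    ("bob", "backup", "report.txt"),
    ("alice", "delete", "report.txt"),   # allowed: backup now in history
    ("ops", "incident", "host-1"),       # accepted; policy tightens
    ("alice", "write", "notes.txt"),     # denied: read-only after incident
    ("alice", "read", "notes.txt"),      # allowed
]

COMPOSED = (Policy("backup-before-delete", backup_before_delete)
            & Policy("read-only-after-incident", read_only_after_incident))


def denied_events(policy: Policy = COMPOSED,
                  trace: List[Event] = SAMPLE_TRACE) -> List[Event]:
    """Convenience view of the monitor's output: the events it suppressed."""
    return [e for e, ok in enforce(policy, trace) if not ok]


if __name__ == "__main__":
    for event, ok in enforce(COMPOSED, SAMPLE_TRACE):
        print("ALLOW" if ok else "DENY ", event)
```

Because the history only records accepted events, the two rules compose soundly: a deletion that the backup rule blocks never becomes "history" that the incident rule could later reason about, and the same `enforce` loop serves any policy built with `&`, which is the practical payoff of deriving the monitor from the policy instead of writing one per requirement.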
