HiPoLDS: A Hierarchical Security Policy Language for Distributed Systems

Expressing security policies to govern distributed systems is a complex and error-prone task. Policies are hard to understand and are often expressed in an unfriendly syntax, which makes it difficult for security administrators and business analysts to create intelligible specifications. We introduce the Hierarchical Policy Language for Distributed Systems (HiPoLDS), which has been designed to enable the specification of security policies in distributed systems in a concise, readable, and extensible way. The design of HiPoLDS focuses on decentralized execution environments under the control of multiple stakeholders. It represents policy enforcement through the use of distributed reference monitors, which control the flow of information between services. HiPoLDS allows the definition of both abstract and concrete policies, which express, respectively, the high-level properties required and the concrete implementation details that are ultimately introduced into the service implementation.
