Policy Compliance Checking Slides from the PhD defense of Dr. Vaibhav Gowadia



Research Problems

How can we model both high-level and low-level security policies in one framework?

How can we determine whether the low-level policy and the current system configuration are compliant with the high-level policy?


Example

High-level policy

Alice must provide users in group Gamecocks with read access to files on server Hercules.

Alice must protect the files on Hercules from unauthorized access.


Example

Low-level policy

Give read access on all files hosted on Hercules to users in group Gamecocks

Deny access to all other users

Add firewall rules to block access from untrusted IP addresses


Compliance Checking Framework

[Figure: framework diagram with numbered labels 1 to 6. Labelled elements: High-level policy; KB – Ontology and Refinement Patterns (Concept-level): 1. Common to all, 2. Domain-specific; Domain-data (Instance): Role-assignment, Organization structure; Domain-data (Instance): System configuration, Low-level security policies; Refinement; Detect Conflicts and Violations; Report]


State

The state of a data system is described by a collection of properties of objects in the data system.

A state space is a set of states.


Action

[Figure: action A, drawn between the Initial State Space and the Final State Space]

Action Type, A: !


Action Composition

Sequence Operator: a1 ; a2

And Operator: a1 ∧ a2

Choice Operator: a1 ∨ a2


Composition Types

Basic Composition
a1 ∨ a2: either of them is sufficient; otherwise, both a1 and a2 must be performed

Advanced Composition
Obligation to perform one of the subactions is conditional

Strict Composition
It must be feasible to perform both a1 and a2 in the initial state, and both must be performed

Flexible Composition
It is feasible to perform either a1 or a2 in the initial state, and both must be performed


Action Refinement

a1 ⊕ a2 is a refinement of a, i.e., a ⊑ a1 ⊕ a2,

∀ ∈ where a() → , such that ∈ (a1 ⊕ a2)() → ', such that ⊑ '.

[Figure: a and its refinement a1 ⊕ a2]


Policy Refinement

Derivation via subject-hierarchy

Derivation via action refinement
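
An added example, not taken from the slides, of the check outlined in the Example and Policy Refinement slides: the high-level policy for Hercules is refined through the subject hierarchy into one expected decision per user and compared with a low-level rule list. The group membership, user names, the Rule structure, the resource name and first-match evaluation are assumptions made for illustration; the firewall rules are not modelled.

```python
from collections import namedtuple

# effect: "permit"/"deny"; subject: a user, a group name, or "*" (every user)
Rule = namedtuple("Rule", "effect subject action resource")

# Constructed domain data (assumed, not from the slides).
GROUPS = {"Gamecocks": {"bob", "carol"}}
USERS = {"bob", "carol", "dave", "mallory"}
FILES = "hercules:files"

def expand(subject):
    """Derivation via subject hierarchy: a group (or '*') refines to users."""
    if subject == "*":
        return set(USERS)
    return set(GROUPS.get(subject, {subject}))

def refine(high_level):
    """Refine the high-level policy into one expected decision per user:
    the rule's effect for users it covers, deny for everyone else."""
    expected = {}
    for h in high_level:
        for user in USERS:
            key = (user, h.action, h.resource)
            if user in expand(h.subject):
                expected[key] = h.effect
            else:
                expected.setdefault(key, "deny")
    return expected

def decide(low_level, user, action, resource):
    """Evaluate the low-level policy: first matching rule wins, default deny."""
    for r in low_level:
        if (r.action, r.resource) == (action, resource) and user in expand(r.subject):
            return r.effect
    return "deny"

def violations(high_level, low_level):
    """Return sorted (user, action, resource, expected, actual) mismatches."""
    found = []
    for key, want in refine(high_level).items():
        got = decide(low_level, *key)
        if got != want:
            found.append((*key, want, got))
    return sorted(found)

HIGH = [Rule("permit", "Gamecocks", "read", FILES)]
COMPLIANT = [Rule("permit", "Gamecocks", "read", FILES), Rule("deny", "*", "read", FILES)]
DRIFTED = [Rule("permit", "bob", "read", FILES), Rule("permit", "dave", "read", FILES)]
```

Calling violations(HIGH, DRIFTED) reports both kinds of non-compliance: a Gamecocks member who lost the required read access and a non-member who was granted it.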