Abstract
We propose a formal framework for the specification and validation of security policies. To model a secured system, the evolution of the security information in the system is described by transitions triggered by authorization requests, and the policy is given by a set of rules describing how the corresponding decisions are taken. Policy rules are constrained rewrite rules whose constraints are first-order formulas over finite domains, which gives more expressive power than classical security policy specification approaches such as those based on Datalog. Our specifications have an operational semantics based on transition and rewriting systems and are therefore executable. The framework also provides a common formalism to define, compare and compose security systems and policies. We define transformations over secured systems in order to validate classical security properties.
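The following is an added miniature of the framework the abstract describes, written for this page and not taken from the paper: security information is a finite set of facts, an authorization request triggers a transition, policy rules are constrained rewrite rules whose constraints are existential formulas evaluated over a finite domain of levels, and a property is validated by exhaustively exploring the reachable states. The predicate names, the two Bell-LaPadula-style rules, the weakened comparison policy and the sample system are assumptions chosen for illustration.

```python
from itertools import product
LEVELS = ("public", "secret", "topsecret")          # finite domain of security levels
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
def level_ok(st, s, o, cmp):
    # constraint: exists l1 l2 in LEVELS. clr(s,l1) and cls(o,l2) and cmp(rank l1, rank l2)
    return any(("clr", s, l1) in st and ("cls", o, l2) in st and cmp(RANK[l1], RANK[l2])
               for l1, l2 in product(LEVELS, repeat=2))

# A policy is a list of constrained rewrite rules (action, constraint, rewrite of the facts);
# the two Bell-LaPadula-style rules below are an assumed illustrative policy, not the paper's.
BLP = [
    ("read",  lambda st, s, o: level_ok(st, s, o, lambda a, b: a >= b),   # simple security
              lambda st, s, o: st | {("access", s, "read", o)}),
    ("write", lambda st, s, o: level_ok(st, s, o, lambda a, b: b >= a),   # *-property
              lambda st, s, o: st | {("access", s, "write", o)}),
]
NO_STAR = [BLP[0], ("write", lambda st, s, o: True, BLP[1][2])]          # weakened policy

def decide(policy, state, request):
    # one transition: the first matching rule whose constraint holds rewrites the state
    action, s, o = request
    for act, constraint, rewrite in policy:
        if act == action and constraint(state, s, o):
            return "permit", frozenset(rewrite(state, s, o))
    return "deny", state                              # no applicable rule: state unchanged

def reachable(policy, initial, requests):
    # every state reachable by any sequence of requests; finitely many facts, so it terminates
    seen, todo = {initial}, [initial]
    while todo:
        st = todo.pop()
        for req in requests:
            _, nxt = decide(policy, st, req)
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return seen

def no_downward_flow(state):
    # validated property: a subject never reads an object classified above one it writes
    acc = [f[1:] for f in state if f[0] == "access"]
    cls = {f[1]: RANK[f[2]] for f in state if f[0] == "cls"}
    return all(cls[o1] <= cls[o2] for (s1, a1, o1) in acc for (s2, a2, o2) in acc
               if s1 == s2 and a1 == "read" and a2 == "write")

def validate(policy, initial, requests):
    return all(no_downward_flow(st) for st in reachable(policy, initial, requests))
# Constructed sample system: two subjects, two objects, every request combination.
INITIAL = frozenset({("clr", "alice", "secret"), ("clr", "bob", "public"),
                     ("cls", "doc", "secret"), ("cls", "memo", "public")})
REQUESTS = [(a, s, o) for a in ("read", "write") for s in ("alice", "bob") for o in ("doc", "memo")]
```

`validate(BLP, INITIAL, REQUESTS)` holds in every reachable state, while `validate(NO_STAR, INITIAL, REQUESTS)` fails because dropping the write constraint lets alice read `doc` and then write `memo`.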
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Bourdier, T., Cirstea, H., Jaume, M., Kirchner, H. (2012). Formal Specification and Validation of Security Policies. In: Garcia-Alfaro, J., Lafourcade, P. (eds) Foundations and Practice of Security. FPS 2011. Lecture Notes in Computer Science, vol 6888. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27901-0_12
DOI: https://doi.org/10.1007/978-3-642-27901-0_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27900-3
Online ISBN: 978-3-642-27901-0