Abstract
Declarative policies are a common means to manage the security of complex IT environments and they belong to different, heterogeneous classes (access control, filtering, data protection, etc.). Their enforcement requires the selection and configuration of appropriate enforcement mechanisms whose dependencies in a given environment may result in conflicts typically not foreseeable at policy design time. Such conflicts may cause security vulnerabilities and non compliance; their identification and correction is costly. Detecting transversal policy conflicts, i.e., conflicts happening across different policy classes, constitutes a challenging problem, and this work makes a step forward towards its formalization.
This work was supported by the European Union’s 7th Framework Program through project PoSecCo, grant agreement no. 257129.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Al-Shaer, E., Hamed, H., Boutaba, R., Hasan, M.: Conflict classification and analysis of distributed firewall policies. IEEE JSAC 23(10), 2069–2084 (2005)
Baker, W.: The 2009 data breach investigations report. Verizon Security Blog (2009), http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
Bandara, A.K., Lupu, E.C., Russo, A.: Using event calculus to formalize policy specification and analysis. In: POLICY. IEEE (2003)
Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur. 5, 1–35 (2002)
Cisco: Cisco ACE Web Application Firewall User Guide. Tech. Rep. OL-16661-01, Cisco Systems, Inc., San Jose, USA (2009)
Davy, S., Jennings, B., Strassner, J.: Using an information model and associated ontology for selection of policies for conflict analysis. In: POLICY (2008)
Garbani, J.P., Mendel, T.: Change and configuration management. Tech. rep., Forrester Research, Inc. (2004)
Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: WWW, pp. 677–686. ACM (2007)
Plodík, P.: IBM cloud computing (2010), http://www.itforpeople.cz/wp-content/uploads/2010/09/IBM-Plodik-Cloud.pdf
Risso, F., Baldini, A., Bonomi, F.: Extending the netpdl language to support traffic classification. In: GLOBECOM. IEEE (2007)
Satoh, F., Tokuda, T.: Security policy composition for composite services. In: ICWE, pp. 86–97. IEEE (2008)
Simon Godik, T.: OASIS eXtensible Access Control Markup Language (XACML) Version1.0. Tech. rep., OASIS (February 2003)
Trabelsi, S., Njeh, A., Bussard, L., Neven, G.: The PPL Engine: A Symmetric Architecture for Privacy Policy Handling. In: W3C Workshop on Privacy and Data Usage Control (2010)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Casalino, M.M., Plate, H., Trabelsi, S. (2012). Transversal Policy Conflict Detection. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-28166-2_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28165-5
Online ISBN: 978-3-642-28166-2
eBook Packages: Computer ScienceComputer Science (R0)