A Tool for Managing Security Policies in Organisations
Security policies are rules aimed at protecting the resources of an organisation from the risks associated with computer usage. Designing, implementing and maintaining security policies are all error prone and time consuming. We report on a tool that helps managing the security policies of an organisation. Security policies are formalised using first-order logic with equality and the unique names assumption, closely following the security policy language suggested in . The tool includes a link to an automated theorem prover, Otter , and to a model finder, Mace , used to formally verify a set of formal security policies. It also includes a GUI and a number of links to read information and security policies from organisation databases and access control lists.
KeywordsPolicy Language Security Policy Verification Task Basic Environment Automate Theorem Prover
Unable to display preview. Download preview PDF.
- 2.McCune, W.: Otter 2.0. In: Stickel, M.E. (ed.) CADE 1990. LNCS, vol. 449, pp. 663–664. Springer, Heidelberg (1990)Google Scholar
- 3.McCune, W.: Mace4 Reference Manual and Guide. The Computing Research Repository (CoRR) CS.SC/0310055 (2004)Google Scholar
- 4.Hoagland, J.A.: Specifying and enforcing policies using LaSCO, the language for security constraints on objects. The Computing Research Repository, CS.CR/0003066 (2000)Google Scholar
- 5.Iannella, R.: ODRL: The open digital rights language initiative. Technical reportGoogle Scholar
- 6.Kangasluoma, M.: Policy Specification Languages. Department of Computer Science, Helsinki University of Technology (1999)Google Scholar
- 7.Krsul, I., Spafford, E., Tuglular, T.: A New Approach to the Specification of General Computer Security Policies. COAST Techical Report 97–13, West Lafayette, IN 47907–1398 (1998)Google Scholar
- 8.Davies, E.: Representation of Commonsense Knowledge. Courant Institute for Mathematical Sciences (1990)Google Scholar
- 9.Ryutov, T., Neuman, C.: Representation and evaluation of security policies for distributed system services. In: Proceedings of DARPA Information Survivability Conference and Exposition 2000 (DISCEX 2000), vol. 2, pp. 172–183 (2000)Google Scholar
- 12.Ngamsuriyaroj, S., Keefe, T.F., Hurson, A.R.: Maintaining consistency of the security policy in distributed environment. In: Proceedings of the 21st IEEE International Performance, Computing, and Communications Conference, pp. 179–186. IEEE Computer Society, Los Alamitos (2002)Google Scholar
- 13.Zanin, G., Mancini, L.V.: Security analysis: Towards a formal model for security policies specification and validation in the selinux system. In: Proceedings of the ninth ACM symposium on Access control models and technologies, pp. 126–135. ACM Press, New York (2004)Google Scholar
- 14.García, K., Monroy, R., Vázquez, J.: An Artificial Manager for Security Policies in Organizations. Journal of Research in Computing Science 17, 97–106 (2005)Google Scholar