Security Rules versus Security Properties

  • Mathieu Jaume
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)


There exist many approaches to specify and to define security policies. We present here a framework in which the basic components of security policies can be expressed, and we identify their role in the description of a policy, of a system and of a secure system. In this setting, we formally describe two approaches to define policies, and we relate them: the rule-based approach consists of specifying the conditions under which an action is granted, and the property-based approach consists of specifying the security properties the policy aims to enforce. We also show how a policy can be applied to constrain an existing system, and how a secure system can be defined from a security policy.


Security policies, security properties, security rules, systems





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mathieu Jaume (1)
  1. SPI – LIP6 – University Pierre & Marie Curie, Paris Cedex 05, France
