Transversal Policy Conflict Detection

  • Matteo Maria Casalino
  • Henrik Plate
  • Slim Trabelsi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7159)

Abstract

Declarative policies are a common means to manage the security of complex IT environments and they belong to different, heterogeneous classes (access control, filtering, data protection, etc.). Their enforcement requires the selection and configuration of appropriate enforcement mechanisms whose dependencies in a given environment may result in conflicts typically not foreseeable at policy design time. Such conflicts may cause security vulnerabilities and non compliance; their identification and correction is costly. Detecting transversal policy conflicts, i.e., conflicts happening across different policy classes, constitutes a challenging problem, and this work makes a step forward towards its formalization.

Keywords

Access Control Policy Language Security Policy Access Control Policy Event Calculus 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Al-Shaer, E., Hamed, H., Boutaba, R., Hasan, M.: Conflict classification and analysis of distributed firewall policies. IEEE JSAC 23(10), 2069–2084 (2005)Google Scholar
  2. 2.
    Baker, W.: The 2009 data breach investigations report. Verizon Security Blog (2009), http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
  3. 3.
    Bandara, A.K., Lupu, E.C., Russo, A.: Using event calculus to formalize policy specification and analysis. In: POLICY. IEEE (2003)Google Scholar
  4. 4.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur. 5, 1–35 (2002)CrossRefGoogle Scholar
  5. 5.
    Cisco: Cisco ACE Web Application Firewall User Guide. Tech. Rep. OL-16661-01, Cisco Systems, Inc., San Jose, USA (2009)Google Scholar
  6. 6.
    Davy, S., Jennings, B., Strassner, J.: Using an information model and associated ontology for selection of policies for conflict analysis. In: POLICY (2008)Google Scholar
  7. 7.
    Garbani, J.P., Mendel, T.: Change and configuration management. Tech. rep., Forrester Research, Inc. (2004)Google Scholar
  8. 8.
    Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: WWW, pp. 677–686. ACM (2007)Google Scholar
  9. 9.
  10. 10.
    Risso, F., Baldini, A., Bonomi, F.: Extending the netpdl language to support traffic classification. In: GLOBECOM. IEEE (2007)Google Scholar
  11. 11.
    Satoh, F., Tokuda, T.: Security policy composition for composite services. In: ICWE, pp. 86–97. IEEE (2008)Google Scholar
  12. 12.
    Simon Godik, T.: OASIS eXtensible Access Control Markup Language (XACML) Version1.0. Tech. rep., OASIS (February 2003)Google Scholar
  13. 13.
    Trabelsi, S., Njeh, A., Bussard, L., Neven, G.: The PPL Engine: A Symmetric Architecture for Privacy Policy Handling. In: W3C Workshop on Privacy and Data Usage Control (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matteo Maria Casalino
    • 1
  • Henrik Plate
    • 1
  • Slim Trabelsi
    • 1
  1. 1.SAP Labs FranceMouginsFrance

Personalised recommendations