Abstract
For the formal verification of a network security policy, it is crucial to express the verification goals. These formal goals, called security invariants, should be easy to express for the end user. Focusing on access control and information flow security strategies, this work discovers and proves universal insights about security invariants. This enables secure and convenient auto-completion of host attribute configurations. We demonstrate our results in a civil aviation scenario. All results are machine-verified with the Isabelle/HOL theorem prover.
© 2014 IFIP International Federation for Information Processing
Cite this paper
Diekmann, C., Posselt, SA., Niedermayer, H., Kinkelin, H., Hanka, O., Carle, G. (2014). Verifying Security Policies Using Host Attributes. In: Ábrahám, E., Palamidessi, C. (eds) Formal Techniques for Distributed Objects, Components, and Systems. FORTE 2014. Lecture Notes in Computer Science, vol 8461. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43613-4_9
DOI: https://doi.org/10.1007/978-3-662-43613-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43612-7
Online ISBN: 978-3-662-43613-4
eBook Packages: Computer Science (R0)