Ninth IEEE Computer Security Foundations Workshop
Specifying a security policy: a case study
Dromquinna Manor, Kenmare, County Kerry, Ireland
March 10-March 12
ISBN: 0-8186-7522-5
F. Cuppens, ONERA-CERT, Toulouse, France
C. Saurel, ONERA-CERT, Toulouse, France
The objective of this paper is to assist security administrators in their attempt to specify, define and formalize security policies suited to a given high risk environment. It is then possible for the administrators to automatically derive consequences of these policies. In particular, we want to provide users with the following functionalities: query a given security policy; verify that properties such as consistency and completeness are enforced by a given policy; verify that a given situation does not violate the security policy; investigate interoperability problems between several security policies. In this paper we focus more precisely on the problem of formalizing security policies. We want a generic approach that is as domain-independent as possible. To achieve these goals, we have chosen a logic-based approach. It combines a deontic logic, to model the concepts of permission, obligation and prohibition, with a modal logic of action. It also includes the possibility to deal with additional concepts such as role, responsibility and delegation. We illustrate this approach through a case study: a regulation whose purpose is to define means to protect secret data related to the National Defense.
Index Terms:
formal logic; security of data; formal specification; security policy specification; high risk environment; consistency; completeness; interoperability problems; deontic logic; logic-based approach
Citation:
F. Cuppens, C. Saurel, "Specifying a security policy: a case study," csfw, pp.123, Ninth IEEE Computer Security Foundations Workshop, 1996