Methods and limitations of security policy reconciliation

Published: 01 August 2006

Abstract

A security policy specifies session participant requirements. However, existing frameworks provide limited facilities for the automated reconciliation of participant policies. This paper considers the limits and methods of reconciliation in a general-purpose policy model. We identify an algorithm for efficient two-policy reconciliation and show that, in the worst case, reconciliation of three or more policies is intractable. Further, we suggest efficient heuristics for the detection and resolution of intractable reconciliation. Based upon the policy model, we describe the design and implementation of the Ismene policy language. The expressiveness of Ismene, and indirectly of our model, is demonstrated through the representation and exposition of policies supported by existing policy languages. We conclude with brief notes on the integration and enforcement of Ismene policy within the Antigone communication system.

Published in: ACM Transactions on Information and System Security, Volume 9, Issue 3 (August 2006), 156 pages. ISSN 1094-9224, EISSN 1557-7406. DOI: 10.1145/1178618.

Copyright © 2006 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.