research-article

Security policy foundations in context UNITY

Authors:
M. Todd Gamble

University of Tulsa, Tulsa, OK, USA

University of Tulsa, Tulsa, OK, USA
View Profile

,
Rose F. Gamble

University of Tulsa, Tulsa, OK, USA

University of Tulsa, Tulsa, OK, USA
View Profile

,
Matthew L. Hale

University of Tulsa, Tulsa, OK, USA

University of Tulsa, Tulsa, OK, USA
View Profile

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure SystemsMay 2011Pages 8–14https://doi.org/10.1145/1988630.1988633

Published:22 May 2011Publication History

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems

Pages 8–14

ABSTRACT

Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

References

U. S. DoD, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," 2007.Google Scholar
NIST, "SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations," 2010. Google ScholarDigital Library
G.-C. Roman, C. Julien, and J. Payton, "Modeling Adaptive Behaviors in Context UNITY," Theoretical Computer Science, vol. 376, pp. 185--204, May 2007. Google ScholarDigital Library
"Common Criteria for Information Technology Security Evaluation," vol. Version 3.1, Part 2: Security Functional Components ed, 2007.Google Scholar
U. S. DoD, "Information Assurance (IA) Implementation," 2003.Google Scholar
J. Jurjens, J. Schreck, and P. Bartmann, "Model-based security analysis for mobile communications," in 30th International Conference on Software Engineering, pp. 683--692, 2008. Google ScholarDigital Library
B. Best, J. Jurjens, and B. Nuseibeh, "Model-based Security Engineering of Distributed Information Systems using UMLsec," in 29th International Conference on Software Engineering, 2007. Google ScholarDigital Library
D. Gelernter, "Generative communication in Linda," ACM Transactions on Programming Languages and Systems, vol. 7, pp. 80--112, 1985. Google ScholarDigital Library
M. Bravetti, N. Busi, R. Gorrieri, R. Lucchi, and G. Zavattaro, "Security issues in the tuple-space coordination model," Formal Aspects in Security and Trust, pp. 1--12, 2005.Google Scholar
R. Focardi, R. Lucchi, and G. Zavattaro, "Secure shared data-space coordination languages: A process algebraic survey," Science of Computer Programming, vol. 63, pp. 3--15, 2006. Google ScholarDigital Library
G.-C. Roman and P. J. McCann, "A notation and logic for mobile computing," Formal Methods in System Design vol. 20, pp. 47--68, 2002. Google ScholarDigital Library
K. M. Chandy and J. Misra, Parallel Program Design: A Foundation: Addison-Wesley, 1988. Google ScholarDigital Library
J. Hosey and R. Gamble, "Extracting Security Control Requirements," in Cyber Security and Information Intelligence Research Workshop, 2010. Google ScholarDigital Library

Index Terms

Security policy foundations in context UNITY
1. Security and privacy
  1. Security in hardware
  2. Security services
    1. Authentication
    2. Authorization
2. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. Information system economics

Recommendations

Security policy compliance with violation management
FMSE '07: Proceedings of the 2007 ACM workshop on Formal methods in security engineering

A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the ...
Read More
IPsec/VPN security policy correctness and assurance
Managing security policies: Modeling, verification and configuration

With IPsec/VPN policies being widely deployed, how to correctly specify and configure them is critical in enforcing security requirements, especially among different administrative domains across the Internet. Under current practice, IPsec/VPN policies ...
Read More
IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution
POLICY '01: Proceedings of the International Workshop on Policies for Distributed Systems and Networks

IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems
May 2011
62 pages
ISBN:9781450305815
DOI:10.1145/1988630
Program Chairs:
Jan Jürjens
Technical University Dortmund, Germany
,
Seok-Won Lee
University of Nebraska-Lincoln, USA
,
Mattia Monga
Università degli Studi di Milano, Italy
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 May 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
security certification
security controls
unity
Qualifiers
- research-article
Conference

Acceptance Rates
SESS '11 Paper Acceptance Rate8of11submissions,73%Overall Acceptance Rate8of11submissions,73%
More

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 3
  Total Citations
  View Citations
- 149
  Total Downloads
- Downloads (Last 12 months)4
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Security policy foundations in context UNITY

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems

ABSTRACT

References

Cited By

Index Terms

Recommendations

Security policy compliance with violation management

IPsec/VPN security policy correctness and assurance

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution