A Novel Model of Security Policies and Requirements

Preetam Mukherjee, Chandan Mazumdar

2015

Abstract

The responsibility of controlling, monitoring, analyzing or enforcing security of a system becomes complex due to the interplay among different security policies and requirements. Many of the security requirements have overlap among themselves and they are not exhaustive in nature. For that reason, maintaining security requirements and designing optimal security controls are difficult, and involve wastage of valuable resources. Finding out a set of mutually exclusive and exhaustive security requirements and canonical policies will indeed ease the security management job. From this motivation, in this paper we try to find out a set of mutually exclusive and exhaustive security requirements. To do this, a small set of low-level security policy descriptions are proposed using Process Algebraic notions, by which all kinds of high level security policies can be represented. Non-compliance to this new set of security policies gives rise to a set of security violations. These security violations are mutually exclusive and exhaustive, so all the other security violations can be described by this basic set of security violations. From these security violations, a set of security requirements is determined. To preserve the security for any system it is necessary and sufficient to maintain these requirements.

References

  1. Milner, R., 1989. Communication and Concurrency. Prentice-Hall International.
  2. Damianou, N., Dulay, N., Lupu, E., Sloman, M., 2001. the Ponder Policy Specification Language. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks. Springer-Verlag.
  3. Cuppens, F., Cuppens-Boulahia, N., Sans, T., 2005. Nomad: A Security Model with Non Atomic Actions and Deadlines. in the Computer Security Foundations Workshop (CSFW).
  4. Jajodia, S., Samarati, P., Sapino, M. L., Subrahmanian, V. S., 2001. Flexible Support for Multiple Access Control Policies. in ACM Transactions on Database Systems (TODS), V.26 N.2, P.214-260.
  5. Mayfield, T., Roskos, J. E., Welke, S. R., Boone, J. M., Mcdonald, C. W., 1991. Integrity in Automated Information Systems. C Technical Report 79-91, Library No. S-237,254 (IDA PAPER P-2316).
  6. Biba, K. J., 1977. Integrity Considerations for Secure Computer Systems. Mitre TR-3153, Mitre Corporation, Bedford, MA.
  7. Alpern, B., Schneider, F. B., 1985. Defining Liveness. in Information Processing Letters, 21(4):181-185.
  8. Mclean, J., 1994. a Generai Theory of Composition for Trace Sets Closed under Selective Interleaving Functions. in Proceedings of the 1994 IEEE Symposium on Security and Privacy, Pages 79-93. IEEE Press.
  9. Zakinthinos, A., Lee, E. S., 1998. A General Theory of Security Properties and Secure Composition. in Proceedings of the 1997 IEEE Symposium on Research in Security and Privacy. IEEE Press.
  10. Mccullough, D., 1987. Specifications for Multi-Level Security and a Hook-up Property. in Proceedings of the 1987 IEEE Symposium on Research in Security and Privacy. IEEE Press.
  11. Clarkson, M. R., Schneider, F. B., 2010(a). Quantification of Integrity. in Proc. 23nd IEEE Computer Security Foundations Symposium (CSF 7810), Pp. 28-43.
  12. Clarkson, M. R., Schneider, F. B., 2010(B). Hyperproperties. Journal of Computer Security, 18(6):1157-1210.
  13. Schneider, F. B., 2000. Enforceable Security Policies. ACM Trans. on Information and System Security. 3, 1.
  14. Ligatti, J., Bauer, L., Walker, D., 2005. Edit Automata: Enforcement Mechanisms for Run-Time Security Policies. International Journal of Information Security 4(1-2), 2-16.
  15. Khoury, R., Tawbi, N., 2012. Which Security Policies Are Enforceable by Runtime Monitors? a Survey. Computer Science Review 6(1), 27-45.
  16. Basin, D., Jugé, V., Klaedtke, F., Z?alinescu, E., 2013. Enforceable Security Policies Revisited. ACM Trans. on Information and System Security. 16, 1.
  17. Essaouini, N.,Cuppens, F., Cuppens-Boulahia, N., Kalam, a.a.E., 2013. Conflict Management in Obligation with Deadline Policies. in Proceedings of the Eighth International Conference on Availability, Reliability and Security. (IEEE Computer Society).
Download


Paper Citation


in Harvard Style

Mukherjee P. and Mazumdar C. (2015). A Novel Model of Security Policies and Requirements . In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 73-82. DOI: 10.5220/0005239400730082


in Bibtex Style

@conference{icissp15,
author={Preetam Mukherjee and Chandan Mazumdar},
title={A Novel Model of Security Policies and Requirements},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2015},
pages={73-82},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005239400730082},
isbn={978-989-758-081-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - A Novel Model of Security Policies and Requirements
SN - 978-989-758-081-9
AU - Mukherjee P.
AU - Mazumdar C.
PY - 2015
SP - 73
EP - 82
DO - 10.5220/0005239400730082