Policy Compliance Checking Slides from the PhD defense of Dr. Vaibhav Gowadia

Research Problems How can we model both high-level and low- level security policies in one framework? How can we determine whether the low-level policy and current system configuration is compliant to the high-level policy?

Example High-level policy Alice must provide read access to users in group Gamecocks to access files on server Hercules. Alice must protect the files on Hercules from unauthorized access

Example Low-level Policy Give read access on all files hosted on Hercules to users in group Gamecocks Deny access to all other users Add firewall rules to block access from untrusted IP addresses

Compliance Checking Framework High-level policy KB – Ontology and Refinement Patterns (Concept-level): 1.Common to all 2.Domain-specific Report Domain-data (Instance): Role-assignment, Organization structure Domain-data (Instance): System configuration, Low-level security policies Detect Conflicts and Violations Refinement 3

State The state of a data system is described by collection of properties of objects in the data system. A state space is a set of states.

Action  A Initial State SpaceFinal State Space Action Type, A:  ! 

Action Composition Sequence Operator: a 1 ;a 2 And Operator: a 1 ^ a 2 Choice Operator: a 1 _ a 2

Composition Types Basic Composition a 1 _ a 2 : Either of them is sufficient otherwise, both a 1 and a 2 must be performed Advanced Composition Obligation to perform one of the subactions is conditional Strict Composition It must be feasible to perform both a 1 and a 2 in the initial state and both must be performed Flexible Composition It is feasible to perform either a 1 and a 2 in the initial state and both must be performed

Action Refinement a 1 © a 2 is a refinement of a, i.e., a v a 1 © a 2, 8  2  where a(  ) ! , such that  2  (a 1 © a 2 )(  ) !  ', such that  v  '. ’’  a a 1 © a 2

Policy Refinement Derivation via subject-hierarchy Derivation via action refinement