DOI: 10.1145/1314436.1314441

Security policy compliance with violation management

Published: 02 November 2007

Abstract

A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the information system enforces its associated security policy if and only if actions executed in this system are permitted by the policy (if the policy is closed) or not prohibited (if the policy is open) and every obligatory action is actually executed in the system (no violation of obligations). In this paper, we investigate a more sophisticated approach in which an information system specification is compliant with its security policy even though some security requirements may be violated. Our proposal is to consider that this is acceptable when the security policy specifies additional requirements that apply in case of violation of other security requirements. In this case, we formally define conditions to be satisfied by an information system to comply with its security policy. We then present a proof-based approach to check if these conditions are enforced.

Published In

FMSE '07: Proceedings of the 2007 ACM workshop on Formal methods in security engineering
November 2007
88 pages
ISBN:9781595938879
DOI:10.1145/1314436

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. deontic logic
  2. labeled kripke structure
  3. security policy
  4. temporal logic
  5. violation

Conference

CCS07