ABSTRACT
Access Control Policies (ACPs) evolve. Understanding the trends and evolution patterns of ACPs could provide guidance about the reliability and maintenance of ACPs. Our research goal is to help policy authors improve the quality of ACP evolution based on the understanding of trends and evolution patterns in ACPs We performed an empirical study by analyzing the ACP changes over time for two systems: Security Enhanced Linux (SELinux), and an open-source virtual computing platform (VCL). We measured trends in terms of the number of policy lines and lines of code (LOC), respectively. We observed evolution patterns. For example, an evolution pattern st1 → st2 says that st1 (e.g., "read") evolves into st2 (e.g., "read" and "write"). This pattern indicates that policy authors add "write" permission in addition to existing "read" permission. We found that some of evolution patterns appear to occur more frequently.
- Hu, Vincent C., David Ferraiolo, and D. Richard Kuhn. Assessment of access control systems. US Department of Commerce, NIST, 2006.Google Scholar
- Koji, http://arm.koji.fedoraproject.org/koji/Google Scholar
- Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53, 2013Google Scholar
- SELinux Reference Policy Repository, https://git.fedorahosted.org/git/selinux-policy.git, 2013Google Scholar
- Virtual Computing Lab, http://vcl.apache.org/, 2013Google Scholar
- T. Erl, SOA Design Patterns, 1st ed. Upper Saddle River, NJ, USA: Prentice Hall PTR, 2009 Google ScholarDigital Library
Index Terms
- Access control policy evolution: an empirical study
Recommendations
Access Control Policy Evolution: An Empirical Study
ISSRE '14: Proceedings of the 2014 IEEE 25th International Symposium on Software Reliability EngineeringAccess control policies (ACPs) are necessary mechanisms for protection of critical resources and applications. As operational and security requirements of a system evolve, so do access control policies. It is important to help policy authors in ...
Flexible support for multiple access control policies
Although several access control policies can be devised for controlling access to information, all existing authorization models, and the corresponding enforcement mechanisms, are based on a specific policy (usually the closed policy). As a consequence, ...
Computer access control policy choices
This paper provides a guide-a road map-for refining a high-level information dissemination/control policy into an implementable access control policy. This process involves determining the appropriate set of policy-oriented limitations and can take ...
Comments