Checking Security Policy Compliance
Vaibhav Gowadia, Csilla Farkas, Michiharu Kudo

TL;DR
This paper introduces a framework for verifying that low-level security policies comply with high-level organizational security policies using refinement calculus and metadata.
Contribution
It presents a novel compliance checking framework that models security policies and their refinement, enabling detection of violations and conflicts.
Findings
Framework effectively detects policy violations
Supports refinement from high-level to low-level policies
Capable of identifying conflicts and obligations
Abstract
Ensuring compliance of organizations to federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented low-level security policy is compliant to a high-level security policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation specific instances. Our work uses the results of refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level security policy is compliant to a high-level security policy if there is a valid refinement path from the high-level security policy to the low-level security policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.
Taxonomy
Topics: Access Control and Trust · Information and Cyber Security · Security and Verification in Computing
