Policy Algebras for Hybrid Firewalls
Firewalls are an effective means of protecting a local system or network of systems from network-based security threats. In this paper, we propose a policy algebra framework for security policy enforcement in hybrid firewalls, ones that exist both in the network and on end systems. To preserve the security semantics, the policy algebras provide a formalism to compute addition, conjunction, subtraction, and summation on rule sets; it also defines the cost and risk functions associated with policy enforcement. Policy outsourcing triggers global cost minimization. We show that our framework can easily be extended to support packet filter firewall policies. Finally, we discuss special challenges and requirements for applying the policy algebra framework to MANETs.
Adaptive Route Choice in Stochastic Time-Dependent Networks: Routing Algorithms and Choice Modeling
Transportation networks are inherently uncertain due to random disruptions; meanwhile, real-time information potentially helps travelers adapt to realized traffic conditions and make better route choices under such disruptions. Modeling adaptive route choice behavior is essential in evaluating Advanced Traveler Information Systems (ATIS) and related policies to better provide travelers with real-time information. This dissertation contributes to the state of the art by estimating the first latent-class routing policy choice model using revealed preference (RP) data and providing efficient computer algorithms for routing policy choice set generation. A routing policy is defined as a decision rule applied at each link that maps possible realized traffic conditions to decisions on the link to take next. It represents a traveler's ability to look ahead in order to incorporate real-time information not yet available at the time of decision.
A case study is conducted in Stockholm, Sweden, and data for the stochastic time-dependent network are generated from hired taxi Global Positioning System (GPS) traces through the methods of map-matching and non-parametric link travel time estimation. A latent-class Policy Size Logit model is specified with two additional layers of latency in the measurement equation. The two latent classes of travelers are policy users who follow routing policies and path users who follow fixed paths. For the measurement equation of the policy user class, the choice of a routing policy is latent and only its realized path on a given day can be observed. Furthermore, when GPS traces have relatively long gaps between consecutive readings, the realized path cannot be uniquely identified.
Routing policy choice set generation is based on the generalization of path choice set generation methods, and utilizes an efficient implementation of an optimal routing policy (ORP) algorithm based on the two-queue data structure for label correcting. Systematic evaluation of the algorithm in random networks as well as in two large-scale real-life networks is conducted. The generated choice sets are evaluated based on coverage and adaptiveness. Coverage is the percentage of observed trips included in the generated choice sets based on a certain threshold of overlap between observed and generated routes, and adaptiveness represents the capability of a routing policy to be realized as different paths over different days. It is shown that using a combination of methods yields satisfactory coverage of 91.2%. Outlier analyses are then carried out for unmatched trips in choice set generation. The coverage achieves 95% for a 100% threshold after correcting GPS errors and breaking up trips with intermediate stops, and further achieves 100% for a 90% threshold.
The latent-class routing policy choice model is estimated against observed GPS traces based on the three different sample sizes resulting from coverage improvement, and the estimates appear consistent across different sample sizes. Estimation results show the policy user class probability increases with trip length, and the latent-class routing policy choice model fits the data better than a single-class path choice model or routing policy choice model. This suggests that travelers are heterogeneous in terms of their ability and willingness to plan ahead and utilize real-time information. Therefore, a fixed path model as commonly used in the literature may lose explanatory power due to its simplified assumptions on network stochasticity and travelers' utilization of real-time information.
A Uniform Formal Approach to Business and Access Control Models, Policies and their Combinations
Access control represents an important part of security in software systems, since access control policies determine which users of a software system have access to what objects and operations and under what constraints. One can view access control models as providing the basis for access control rules. Further, an access control policy can be seen as a combination of one or more rules, and one or more policies can be combined into a set of access control policies that control access to an entire system. The rules and resulting policies can be combined in many different ways, and the combination of rules and policies is included in policy languages.
Approaches to access control (AC) policy languages, such as XACML, do not provide a formal representation for specifying rule- and policy-combining algorithms or for classifying and verifying properties of AC policies. In addition, there is no connection between the rules that form a policy and the general access control and business models on which those rules are based.
Some authors propose formal representations for rule- and policy-combining algorithms. However, the proposed models are not expressive enough to formally represent classes of algorithms related to the history of policy outcomes, including ordered-permit-overrides, ordered-deny-overrides, and only-one-applicable. In fact, they are not able to formally express any algorithm that involves history, including the class related to consensus such as weak-consensus, weak-majority, strong-consensus, strong-majority, and super-majority-permit. In addition, some other authors propose a formal representation but do not present an approach and automated support for the formal verification of any classes of combining algorithms.
The work presented in this thesis provides a uniform formal approach to business and access control models, policies and their combinations. The research involves a new formal representation for access control rules, policies, and their combination and supports formal verification. In addition, the approach explicitly connects the rules to the underlying access control model. Specifically, the approach
• provides a common representation for systematically describing and integrating business processes, access control models, their rules and policies,
• expresses access control rules using an underlying access control model based on an existing augmented business modeling notation,
• can express and formally verify all known policy- and rule-combining algorithms, a result not seen in the literature,
• supports a classification of relevant access control properties that can be verified against policies and their combinations, and
• supports automated formal verification of single policies and combined policy sets based on model checking.
Finally, the approach is applied to an augmented version of the conference management system, a well-known example from the literature. Several properties whose verification was not possible by prior approaches, such as ones involving the history of policy outcomes, are verified in this thesis.
On Properties of Policy-Based Specifications
The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits capturing, by resorting to the concept of attribute, all systems' security-relevant information while being, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit enforcing traditional security properties. To support system designers in developing and maintaining policy-based specifications, we also formalise some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.
Comment: In Proceedings WWV 2015, arXiv:1508.0338
Refinement for Administrative Policies
Flexibility of management is an important requisite for access control systems as it allows users to adapt the access control system in accordance with practical requirements. This paper builds on earlier work where we defined administrative policies for a general class of RBAC models. We present a formal definition of administrative refinement and we show that there is an ordering for administrative privileges which yields administrative refinements of policies. We argue (by giving an example) that this privilege ordering can be very useful in practice, and we prove that the privilege ordering is tractable.
Formalisation and Implementation of the XACML Access Control Mechanism
We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate the feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.